Learn how you can bring together the best-in-class productivity and collaboration capabilities of Office 365 with device management and security solutions to safeguard business data for small and midsize businesses (SMB).
Get help on the most common admin tasks in the Microsoft 365 Business admin center. The Microsoft 365 Business admin center is a lot like the Office 365 admin center, so the admin guidance we provide for the Office 365 admin center also applies to Microsoft 365 Business.
diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md
index 5893fdf819..11310e783a 100644
--- a/browsers/edge/Index.md
+++ b/browsers/edge/Index.md
@@ -20,7 +20,7 @@ ms.localizationpriority: high
Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities.
-Microsoft Edge lets you stay up-to-date through the Windows Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
+Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
>[!Note]
>For more info about the potential impact of using Microsoft Edge in a large organization, you can download an infographic from here: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=55956). For a detailed report that provides you with a framework to evaluate the potential financial impact of adopting Microsoft Edge within your organization, you can download the full study here: [Total Economic Impact of Microsoft Edge: Forrester Study](https://www.microsoft.com/download/details.aspx?id=55847).
@@ -55,7 +55,7 @@ However, if you're running web apps that continue to use:
* legacy document modes
-You'll need to keep running them using IE11. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can also use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. For info about Enterprise Mode and Edge, see [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md).
+You'll need to keep running them using IE11. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can also use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. For info about Enterprise Mode and Edge, see [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md).
## Related topics
diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
index 8cb8912f67..23dcb3b5b5 100644
--- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
+++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
@@ -20,7 +20,7 @@ ms.localizationpriority: high
- Windows 10
## Enterprise guidance
-Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956).
+Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956).
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md
index 3a25ecae1e..8f777c48c3 100644
--- a/browsers/edge/security-enhancements-microsoft-edge.md
+++ b/browsers/edge/security-enhancements-microsoft-edge.md
@@ -65,7 +65,7 @@ Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Wind
Microsoft Edge takes the sandbox even farther, running its content processes in app containers not just by default, but all of the time. Because Microsoft Edge doesn’t support 3rd party binary extensions, there’s no reason for it to run outside of the containers, ensuring that Microsoft Edge is more secure.
#### Microsoft Edge is now a 64-bit app
-The largest security change to Microsoft Edge is that it's designed like a Universal Windows app. By changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the assorted content processes all live within app container sandboxes; helping to provide the user and the platform with the [confidence](http://blogs.msdn.com/b/b8/archive/2012/05/17/delivering-reliable-and-trustworthy-metro-style-apps.aspx) provided by other Windows store apps.
+The largest security change to Microsoft Edge is that it's designed like a Universal Windows app. By changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the assorted content processes all live within app container sandboxes; helping to provide the user and the platform with the [confidence](http://blogs.msdn.com/b/b8/archive/2012/05/17/delivering-reliable-and-trustworthy-metro-style-apps.aspx) provided by other Microsoft Store apps.
##### 64-bit processes and Address Space Layout Randomization (ASLR)
Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
index 6c4f7048d3..4cb600f972 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
@@ -87,7 +87,7 @@ In the above example, the following is true:
- contoso.com, and all of its domain paths, can use the default compatibility mode for the site.
-To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.
**Important** If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2).
+To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.
**Important** If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2).
## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2)
After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2).
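Review bot: The added "To make sure your site list is up-to-date; wait 65 seconds" line keeps a semicolon where a comma belongs, and since this line is being rewritten anyway to correct the hive name to `HKEY_CURRENT_USER`, it is worth fixing in the same pass. The **Important** paragraph also appears twice in the visible hunk, once after the removed line and once after the added line; check the rendered page to confirm the warning about not editing `CurrentVersion` by hand is shown only once.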
diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
index b0262d2a24..8196de7ec4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
@@ -14,7 +14,7 @@ ms.sitesec: library
# Browser cache changes and roaming profiles
We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity.
-You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.
**Note** Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Windows Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
+You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.
**Note** Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
To get the best results while using roaming profiles, we strongly recommend the following:
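Review bot: The re-added roaming-profile paragraph still reads "is still be uploaded to your normal profile storage location"; that should be "is still uploaded". The line is already being touched for the Microsoft Store rename in the note that follows, so the grammar fix can ride along.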
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
index 9eb372320e..058f277137 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
@@ -59,7 +59,7 @@ After you turn each item back on, see if IE crashes or slows down. Doing it this
If the **Use software rendering instead of GPU rendering** option is greyed out, it means that your current video card or video driver doesn't support GPU hardware acceleration. For more information, see [Windows 10 Support](https://go.microsoft.com/fwlink/?LinkId=746588).
## Adaptive streaming and DRM playback don’t work with Windows Server 2012 R2
-IE11 in Windows Server 2012 R2 doesn’t include media features like adaptive streaming or Digital Rights Management (DRM) playback. To add these features, you’ll need to download and install the Media Feature Pack from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=320789), as well as an app that uses PlayReady DRM from the Windows Store, such as the Xbox Music app or Xbox Video app. The app must be installed to specifically turn on DRM features, while all other media features are installed with the Media Feature Pack.
+IE11 in Windows Server 2012 R2 doesn’t include media features like adaptive streaming or Digital Rights Management (DRM) playback. To add these features, you’ll need to download and install the Media Feature Pack from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=320789), as well as an app that uses PlayReady DRM from the Microsoft Store, such as the Xbox Music app or Xbox Video app. The app must be installed to specifically turn on DRM features, while all other media features are installed with the Media Feature Pack.
diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
index 86092448c2..c403f68d94 100644
--- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
@@ -140,7 +140,7 @@ Group Policy settings can be set to open either IE or Internet Explorer for the
|Setting |Result |
|--------|-------|
-|Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Windows Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. |
+|Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Microsoft Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. |
|Always in IE11 |Links always open in IE. |
|Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. |
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index 03fe635e2e..8a644c23ba 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -29,7 +29,6 @@ PowerShell scripts to help set up and manage your Microsoft Surface Hub.
- [Auto-accepting and declining meeting requests](#auto-accept-meetings-cmdlet)
- [Accepting external meeting requests](#accept-ext-meetings-cmdlet)
-You can check online for updated versions at [Surface Hub device account scripts](http://aka.ms/surfacehubscripts).
## PowerShell scripts for Surface Hub administrators
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 2d6c513d65..2515c3e821 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
-ms.date: 09/25/2017
+ms.date: 10/19/2017
ms.localizationpriority: medium
---
@@ -16,6 +16,13 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+## Octoboer 2017
+
+New or changed topic | Description |
+--- | ---
+[Install apps on your Microsoft Surface Hub](install-apps-on-surface-hub.md) | Updated instructions to use Windows Team device family
+[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | Clarified user sign-in on Surface Hub
+
## September 2017
New or changed topic | Description
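Review bot: The new heading is misspelled: "## Octoboer 2017" should be "## October 2017". The new table's header row also ends with a trailing pipe ("New or changed topic | Description |") while its separator row and the September table's header do not; drop the trailing pipe so the two tables match.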
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index 60b1ab2d53..8a85487527 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: isaiahng
ms.author: jdecker
-ms.date: 06/19/2017
+ms.date: 10/19/2017
ms.localizationpriority: medium
---
@@ -30,12 +30,12 @@ Surface Hub doesn't have a lock screen or a screen saver, but it has a similar f
*Organization policies that this may affect:* Settings for lock screen, screen timeout, and screen saver don't apply for Surface Hub.
-### User logon
+### User sign-in
-Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without logging on. The system always runs as a local, auto logged-in, low-privilege user. It doesn't support logging in any additional users - including admin users.
+Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without requiring a user to sign in. To enable this communal functionality, Surface Hub does not support Windows sign-in the same way that Windows 10 Enterprise does (e.g., signing in a user to the OS and using those crednetials throughout the OS). Instead, there is always a local, auto signed-in, low-privilege user signed in to the Surface Hub. It doesn't support signing in any additional users, including admin users (e.g., when an admin signs in, they are not signed in to the OS).
+
+Users can sign in to a Surface Hub, but they will not be signed in to the OS. For example, when a user signs in to Apps or My Meetings and Files, the users is signed in only to the apps or services, not to the OS. As a result, the signed-in user is able to retrieve their cloud files and personal meetings stored in the cloud, and these credentials are discarded when **End session** is activated.
-> [!NOTE]
-> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **End session**.
*Organization policies that this may affect:* Generally, Surface Hub uses lockdown features rather than user access control to enforce security. Policies related to password requirements, interactive logon, user accounts, and access control don't apply for Surface Hub.
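Review bot: Two typos in the added sign-in paragraphs: "crednetials" should be "credentials", and "the users is signed in only to the apps" should be "the user is signed in". The first sentence is also hard to parse ("anyone can walk up and use a Surface Hub without requiring a user to sign in"); "without signing in" says the same thing. Since the removed note stated plainly that app credentials are deleted on **End session**, consider keeping that as its own sentence rather than the tail of "As a result, the signed-in user is able to retrieve...", because it is the security-relevant point admins will look for.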
@@ -114,7 +114,7 @@ These Surface Hub features provide additional security:
### Device settings
-Device settings can be configured through the Settings app. The Settings app is customized for Surface Hub, but also contains many familiar settings from Windows 10 Desktop. A User Accounts Control (UAC) prompt appears when opening up the Settings app to verify the admin's credentials, but this does not log in the admin.
+Device settings can be configured through the Settings app. The Settings app is customized for Surface Hub, but also contains many familiar settings from Windows 10 Desktop. A User Accounts Control (UAC) prompt appears when opening up the Settings app to verify the admin's credentials, but this does not sign in the admin.
*Organization policies that this may affect:* Employees can use the Surface Hub for meetings, but cannot modify any device settings. In addition to lockdown features, this ensures that employees only use the device for meeting functions.
@@ -146,7 +146,7 @@ Surface Hub does not support remote assistance.
### Domain join and Azure Active Directory (Azure AD) join
-Surface Hub uses domain join and Azure AD join primarily to provide a directory-backed admin group. Users can't log in with a domain account. For more information, see [Admin group management](admin-group-management-for-surface-hub.md).
+Surface Hub uses domain join and Azure AD join primarily to provide a directory-backed admin group. Users can't sign in with a domain account. For more information, see [Admin group management](admin-group-management-for-surface-hub.md).
*Organization policies that this may affect:* Group policies are not applied when a Surface Hub is joined to your domain. Policies related to domain membership don't apply for Surface Hub.
diff --git a/devices/surface-hub/images/device-family.png b/devices/surface-hub/images/device-family.png
new file mode 100644
index 0000000000..1efe12fc57
Binary files /dev/null and b/devices/surface-hub/images/device-family.png differ
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index cf999ceac8..8449690b59 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub, store
author: jdeckerms
ms.author: jdecker
-ms.date: 06/19/2017
+ms.date: 10/20/2017
ms.localizationpriority: medium
---
@@ -18,8 +18,8 @@ ms.localizationpriority: medium
You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario.
A few things to know about apps on Surface Hub:
-- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://www.microsoft.com/surface/support/surface-hub/surface-hub-apps).
-- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631).
+- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://support.microsoft.com/help/4040382/surface-Apps-that-work-with-Microsoft-Surface-Hub).
+- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631) or Windows Team device family.
- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
- You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Microsoft Store to download and install apps.
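Review bot: On the second bullet, "or Windows Team device family" is appended outside the link, so readers get a reference for the Universal device family but none for the one that is specific to Surface Hub; link it or say where it is defined. While editing this list, the following bullet runs two items together ("...placing the device in developer mode.- When submitting an app..."); split it so the Store submission guidance renders as its own bullet.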
@@ -56,11 +56,12 @@ During app submission, developers need to set **Device family availability** and
**To set device family availability**
1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page.
2. Select **Packages**.
-3. Under Device family availability, select these options:
- - **Windows 10 Desktop** (other device families are optional)
+3. Under **Device family availability**, select these options:
+
+ - **Windows 10 Team**
- **Let Microsoft decide whether to make the app available to any future device families**
-
+
For more information, see [Device family availability](https://msdn.microsoft.com/windows/uwp/publish/upload-app-packages#device-family-availability).
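Review bot: Step 3 now tells developers to select **Windows 10 Team**, while the bullet earlier in this file and the change-history entry both call it the "Windows Team device family". Use one name throughout, matching the label shown in Dev Center. This commit also adds images/device-family.png, but no reference to it is visible in these hunks; confirm the image is actually used, presumably near this step.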
@@ -126,7 +127,7 @@ To deploy apps to a large number of Surface Hubs in your organization, use a sup
|-----------------------------|----------------------------------------|
| On-premises MDM with System Center Configuration Manager (beginning in version 1602) | Yes |
| Hybrid MDM with System Center Configuration Manager and Microsoft Intune | Yes |
-| Microsoft Intune standalone | No |
+| [Microsoft Intune standalone](https://docs.microsoft.com/intune/windows-store-for-business) | Yes |
| Third-party MDM provider | Check to make sure your MDM provider supports deploying offline-licensed app packages. |
**To deploy apps remotely using System Center Configuration Manager (either on-prem MDM or hybrid MDM)**
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 84340e8542..ece11a95f1 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -37,15 +37,15 @@ You can also configure Surface Hub to receive updates from both Windows Update f
## Surface Hub servicing model
-Surface Hub uses the Windows 10 servicing model, referred to as Windows as a Service (WaaS). Traditionally, new features are added only in new versions of Windows that are released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
+Surface Hub uses the Windows 10 servicing model, referred to as [Windows as a Service (WaaS)](https://docs.microsoft.com/windows/deployment/update/waas-overview). Traditionally, new features were added only in new versions of Windows that were released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
Microsoft publishes two types of Surface Hub releases broadly on an ongoing basis:
-- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish an average of two to three new feature upgrades per year.
+- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish two tnew feature updates per year.
- **Quality updates** - Updates that focus on the installation of security fixes, drivers, and other servicing updates. Microsoft expects to publish one cumulative quality update per month.
In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.
-The Surface Hub operating system is available on **Current Branch (CB)** and **Current Branch for Business (CBB)**. Like other editions of Windows 10, the servicing lifetime of CB or CBB is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
+The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime ois finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
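Review bot: The added lines contain two garbled words: "publish two tnew feature updates per year" and "the servicing lifetime ois finite". The last paragraph also still says "machines running these branches" although the sentence now names a single channel, so that phrase is stale after the CB/CBB removal. In the first paragraph the tense change is only partial: "were added" and "were released" are now past tense, but "don't frequently enjoy" is still present.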
@@ -55,11 +55,9 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business
**To set up Windows Update for Business:**
1. [Group Surface Hub into deployment rings](#group-surface-hub-into-deployment-rings)
-2. [Configure Surface Hub to use Current Branch or Current Branch for Business](#configure-surface-hub-to-use-current-branch-or-current-branch-for-business).
2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
> [!NOTE]
-
> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/itpro/windows/manage/waas-wufb-intune)
@@ -70,29 +68,22 @@ This table gives examples of deployment rings.
| Deployment ring | Ring size | Servicing branch | Deferral for feature updates | Deferral for quality updates (security fixes, drivers, and other updates) | Validation step |
| --------- | --------- | --------- | --------- | --------- | --------- |
-| Preview (e.g. non-critical or test devices) | Small | Current Branch (CB) | None. Devices receive feature updates immediately after CB is released. | None. Devices receive quality updates immediately after CB is released. | Manually test and evaluate new functionality. Pause updates if there are issues. |
-| Release (e.g. devices used by select teams) | Medium | Current Branch for Business (CBB) | None. Devices receive feature updates immediately once CBB is released. | None. Devices receive quality updates immediately after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
-| Broad deployment (e.g. most of the devices in your organization) | Large | Current Branch for Business (CBB) | 120 days after CBB is released. | 7-14 days after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
-| Mission critical (e.g. devices in executive boardrooms) | Small | Current Branch for Business (CBB) | 180 days after CBB is released (maximum deferral for feature updates). | 30 days after CBB is released (maximum deferral for quality updates). | Monitor device usage and user feedback. |
+| Preview (e.g. non-critical or test devices) | Small | Semi-annual channel (Targeted) | None. | None. | Manually test and evaluate new functionality. Pause updates if there are issues. |
+| Release (e.g. devices used by select teams) | Medium | Semi-annual channel | None. | None. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Broad deployment (e.g. most of the devices in your organization) | Large | Semi-annual channel | 120 days after release. | 7-14 days after release. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Mission critical (e.g. devices in executive boardrooms) | Small | Semi-annual channel | 180 days after release (maximum deferral for feature updates). | 30 days after release (maximum deferral for quality updates). | Monitor device usage and user feedback. |
-### Configure Surface Hub to use Current Branch or Current Branch for Business
-By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches).
-**To manually configure Surface Hub to use CB or CBB:**
-1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**.
-2. Select **Defer feature updates**.
-
-To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy.
### Configure when Surface Hub receives updates
Once you've determined deployment rings for your Surface Hubs, configure update deferral policies for each ring:
-- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring.
-- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring.
+- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays) policy for each ring.
+- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) policy for each ring.
> [!NOTE]
-> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
+> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdates) and [Update/PauseQualityUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-pausequalityupdates).
## Use Windows Server Update Services
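Review bot: the removed "Configure Surface Hub to use Current Branch or Current Branch for Business" section leaves no instructions for assigning a device to a channel, yet the new ring table still puts the Preview ring on "Semi-annual channel (Targeted)" and the other rings on "Semi-annual channel". Consider keeping the section under the new terminology, including the Settings steps and the Update/BranchReadinessLevel pointer, rather than deleting it. In the Broad deployment and Mission critical rows, "120 days after release" and "180 days after release" also lost their reference point when "after CBB is released" was shortened; state which release the deferral counts from.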
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index 7346763936..ef48bfdc1a 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -46,7 +46,7 @@ Microsoft collects telemetry to help improve your Surface Hub experience. Add th
### Proxy configuration
-If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Store for Business. Some of the Store for Business features use Windows Store app and Windows Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs:
+If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store for Business. Some of the Store for Business features use Microsoft Store app and Microsoft Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs:
- login.live.com
- login.windows.net
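Review bot: product naming is inconsistent within the rewritten proxy paragraph: the first sentence says "Microsoft Store for Business" while the next two sentences still say "Store for Business". Use one form throughout, and add the missing article in "use the Microsoft Store app and Microsoft Store services".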
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 45393cc7e9..27d7b79e79 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -24,7 +24,6 @@
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
-## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md)
## [Top support solutions for Surface devices](support-solutions-surface.md)
## [Change history for Surface documentation](change-history-for-surface.md)
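Review bot: dropping the surface-diagnostic-toolkit.md entry from the TOC, together with the file deletion later in this patch, will break existing inbound links and bookmarks to that topic unless a redirect for the path is added, and none appears in the portion of the patch shown here. Please confirm a redirect is in place, for example to the change history topic that explains the removal.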
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 04cd11e9f1..bfa5fcd9bb 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -11,6 +11,12 @@ author: jdeckerms
This topic lists new and updated topics in the Surface documentation library.
+## October 2017
+
+New or changed topics | Description
+--- | ---
+Microsoft Surface Diagnostic Toolkit | Topic removed. The Microsoft Surface Diagnostic Toolkit is no longer available for download.
+
## September 2017
New or changed topic | Description
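Review bot: the new October 2017 table header reads "New or changed topics" while the September 2017 table directly below uses "New or changed topic"; match the existing singular form so the sections stay consistent. The description could also say where readers should go instead, since "no longer available for download" leaves them without a next step.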
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index e118798d48..542ff44ce7 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -47,7 +47,7 @@ For versions of Windows prior to Windows 10, version 1511 (including Windows 10
## Deploy Surface app with Configuration Manager
-With the release of Windows Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Windows Store for Business and then deploy Surface app with PowerShell. You can find the PowerShell commands for deployment of Surface app, instructions to download Surface app, and prerequisite frameworks from Windows Store for Business in the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article in the TechNet Library.
+With the release of Microsoft Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Microsoft Store for Business and then deploy Surface app with PowerShell. You can find the PowerShell commands for deployment of Surface app, instructions to download Surface app, and prerequisite frameworks from Microsoft Store for Business in the [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article in the TechNet Library.
## Use prestaged media with Surface clients
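Review bot: the link text on the + line now reads "Deploy Surface app with Microsoft Store for Business", but the target is still the technet.microsoft.com URL and the sentence still ends "in the TechNet Library", while other hunks in this patch move links to docs.microsoft.com. Either update the URL and drop the TechNet reference, or note in the commit message that the old target is intentional.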
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index 52626b026e..a9d29612a7 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -19,7 +19,7 @@ author: miladCA
>[!NOTE]
>The Surface app ships in Surface Studio.
-The Surface app is a lightweight Windows Store app that provides control of many Surface-specific settings and options, including:
+The Surface app is a lightweight Microsoft Store app that provides control of many Surface-specific settings and options, including:
* Enable or disable the Windows button on the Surface device
@@ -31,11 +31,11 @@ The Surface app is a lightweight Windows Store app that provides control of many
* Quick access to support documentation and information for your device
-If your organization is preparing images that will be deployed to your Surface devices, you may want to include the Surface app (formerly called the Surface Hub) in your imaging and deployment process instead of requiring users of each individual device to download and install the app from the Windows Store or your Microsoft Store for Business.
+If your organization is preparing images that will be deployed to your Surface devices, you may want to include the Surface app (formerly called the Surface Hub) in your imaging and deployment process instead of requiring users of each individual device to download and install the app from the Microsoft Store or your Microsoft Store for Business.
##Surface app overview
-The Surface app is available as a free download from the [Windows Store](https://www.microsoft.com/store/apps/Surface/9WZDNCRFJB8P). Users can download and install it from the Windows Store, but if your organization uses Microsoft Store for Business instead, you will need to add it to your store’s inventory and possibly include the app as part of your Windows deployment process. These processes are discussed throughout this article. For more information about Microsoft Store for Business, see [Microsoft Store for Business](https://technet.microsoft.com/windows/store-for-business) in the Windows TechCenter.
+The Surface app is available as a free download from the [Microsoft Store](https://www.microsoft.com/store/apps/Surface/9WZDNCRFJB8P). Users can download and install it from the Microsoft Store, but if your organization uses Microsoft Store for Business instead, you will need to add it to your store’s inventory and possibly include the app as part of your Windows deployment process. These processes are discussed throughout this article. For more information about Microsoft Store for Business, see [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/) in the Windows TechCenter.
##Add Surface app to a Microsoft Store for Business account
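Review bot: in the last sentence of the Surface app overview paragraph, the link now targets docs.microsoft.com/microsoft-store/ but the sentence still says "in the Windows TechCenter". Drop or update that phrase so the prose matches the new destination.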
@@ -45,7 +45,7 @@ Before users can install or deploy an app from a company’s Microsoft Store for
2. Log on to the portal.
-3. Enable offline licensing: click **Manage->Store settings**, and then select the **Show offline licensed apps to people shopping in the store** checkbox, as shown in Figure 1. For more information about Microsoft Store for Business app licensing models, see [Apps in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing_model).
+3. Enable offline licensing: click **Manage->Store settings**, and then select the **Show offline licensed apps to people shopping in the store** checkbox, as shown in Figure 1. For more information about Microsoft Store for Business app licensing models, see [Apps in Microsoft Store for Business and Education](https://docs.microsoft.com/microsoft-store/).

*Figure 1. Enable apps for offline use*
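Review bot: step 3 promises more information about app licensing models, but the replacement link goes to the docs.microsoft.com/microsoft-store/ landing page, where the old link pointed at the #licensing_model anchor of the apps article. Link to the specific "Apps in Microsoft Store for Business and Education" topic and its licensing section so the link text and target agree.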
@@ -113,7 +113,7 @@ The following procedure provisions the Surface app onto your computer and makes
Add-AppxProvisionedPackage –Online –PackagePath \ Microsoft.SurfaceHub_10.0.342.0_neutral_~_8wekyb3d8bbwe.AppxBundle –LicensePath \ Microsoft.SurfaceHub_8wekyb3d8bbwe_a53ef8ab-9dbd-dec1-46c5-7b664d4dd003.xml
```
- Where `` is the folder where you downloaded the AppxBundle and license file from the Windows Store for Business account.
+ Where `` is the folder where you downloaded the AppxBundle and license file from the Microsoft Store for Business account.
For example, if you downloaded the files to c:\Temp, the command you run is:
````
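Review bot: on the + line "Where `` is the folder where you downloaded ...", the placeholder between the backticks is empty, so the sentence does not say which part of the command to substitute; the command in the context line above likewise shows a bare "\ " before each file name. Restore the placeholder name in both places while touching this line, escaping the angle brackets if that is what is being stripped.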
diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
index f3393feea4..f6b63353f6 100644
--- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
+++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
@@ -530,9 +530,9 @@ Now that the installation and configuration files are prepared, the application
#### Import Surface app installer
-The Surface app is a Windows Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/support/apps-and-windows-store/surface-app?os=windows-10).
+The Surface app is a Microsoft Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/support/apps-and-windows-store/surface-app?os=windows-10).
-To perform a deployment of the Surface app, you will need to download the app files through Windows Store for Business. You can find detailed instructions on how to download the Surface app through Windows Store for Business at [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business).
+To perform a deployment of the Surface app, you will need to download the app files through Microsoft Store for Business. You can find detailed instructions on how to download the Surface app through Microsoft Store for Business at [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business).
After you have downloaded the installation files for Surface app, including the AppxBundle and license files, you can import these files into the deployment share through the same process as a desktop application like Microsoft Office. Both the AppxBundle and license files must be together in the same folder for the import process to complete successfully. Use the following command on the **Command Details** page to install the Surface app:
```
diff --git a/devices/surface/index.md b/devices/surface/index.md
index eeecfa1314..75d7f71807 100644
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@@ -24,11 +24,10 @@ For more information on planning for, deploying, and managing Surface devices in
| [Deploy Surface devices](deploy.md) | Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator. |
| [Surface firmware and driver updates](update.md) | Find out how to download and manage the latest firmware and driver updates for your Surface device. |
| [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) | Get guidance on how to deploy and manage Surface devices with System Center Configuration Manager. |
-| [Deploy Surface app with Microsoft Store for Business](deploy-surface-app-with-windows-store-for-business.md) | Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT. |
+| [Deploy Surface app with Microsoft Store for Business](deploy-surface-app-with-windows-store-for-business.md) | Find out how to add and download Surface app with Microsoft Store for Business, as well as install Surface app with PowerShell and MDT. |
| [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
| [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. |
| [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. |
-| [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) | Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. |
| [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
| [Top support solutions for Surface devices](support-solutions-surface.md) | These are the top Microsoft Support solutions for common issues experienced using Surface devices in an enterprise. |
| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index b7993ada90..00d3409f91 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -34,7 +34,7 @@ Compatible Surface devices include:
- Surface Pro 4
-- Surface Pro3
+- Surface Pro 3
- Surface 3
diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md
index f1f5afdf72..0048723f2f 100644
--- a/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md
+++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md
@@ -38,7 +38,7 @@ The LTSB servicing option is designed for device types and scenarios where the k
* Devices that run productivity software such as Microsoft Office
-* Devices that use Windows Store applications
+* Devices that use Microsoft Store applications
* Devices that are used for general Internet browsing (for example, research or access to social media)
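Review bot: this hunk updates the store name only, but the section context in the hunk header still reads "The LTSB servicing option" while the Surface Hub hunks in this patch replace the Current Branch wording with channel terminology. Check whether the Long-Term Servicing Branch references in this topic should be updated in the same pass so the servicing terminology is consistent across the change.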
diff --git a/devices/surface/surface-diagnostic-toolkit.md b/devices/surface/surface-diagnostic-toolkit.md
deleted file mode 100644
index 2cb59e2ab9..0000000000
--- a/devices/surface/surface-diagnostic-toolkit.md
+++ /dev/null
@@ -1,563 +0,0 @@
----
-title: Microsoft Surface Diagnostic Toolkit (Surface)
-description: Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.
-ms.assetid: FC4C3E76-3613-4A84-A384-85FE8809BEF1
-keywords: hardware, device, tool, test, component
-ms.localizationpriority: high
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.pagetype: surface, devices
-ms.sitesec: library
-author: miladCA
----
-
-# Microsoft Surface Diagnostic Toolkit
-
-
-Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.
-
-The [Microsoft Surface Diagnostic Toolkit](https://www.microsoft.com/download/details.aspx?id=46703) is a small, portable diagnostic tool that runs through a suite of tests to diagnose the hardware of Surface devices. The Microsoft Surface Diagnostic Toolkit executable file is less than 3 MB, which allows it to be distributed through email. It does not require installation, so it can be run directly from a USB stick or over the network. The Microsoft Surface Diagnostic Toolkit walks you through several tests of individual components including the touchscreen, cameras, and sensors.
-
->[!NOTE]
->A Surface device must boot into Windows to run the Microsoft Surface Diagnostic Toolkit. The Microsoft Surface Diagnostic Toolkit will run only on the following Surface devices:
->- Surface Studio
->- Surface Book
->- Surface Pro 4
->- Surface 3 LTE
->- Surface 3
->- Surface Pro 3
->- Surface Pro 2
->- Surface Pro
-
->[!NOTE]
->Security software and built-in security measures in many email applications and services will block executable files that are transferred through email. To email the Surface Diagnostic Toolkit, attach the archive file (.zip) as downloaded from the Surface Tools for IT page without extracting it first. You can also create a custom .zip archive that contains the .exe file. (For example, if you want to localize the text as described in the [Localization](#localization) section of this article.)
-
-Running the Microsoft Surface Diagnostic Toolkit is a hands-on activity. The test sequence includes several tests that require you to perform actions or observe the outcome of the test, and then click the applicable **Pass** or **Fail** button. Some tests require connectivity to external devices, like an external display. Other tests use the built in Windows troubleshooters. At the end of testing, a visual report of the test results is displayed and you are given the option to save a log file or copy the results to the clipboard.
-
-To run a full set of tests with the Microsoft Surface Diagnostic Toolkit, you should be prepared with the following items:
-
-- An external display with the appropriate HDMI or DisplayPort connection
-
-- A Bluetooth device that can be put into pairing mode
-
-- A MicroSD or SD card that is compatible with your Surface device
-
-- A Surface Pen
-
-- Room to move the Surface device around
-
-- External speakers or headphones with a 3.5mm stereo plug
-
-- A power adapter for your Surface device
-
->[!NOTE]
->The Microsoft Surface Diagnostic Toolkit tests verify only the hardware of a Surface device and do not resolve issues with the operating system or software.
-
-## Configure test options
-
-Before you select the tests you want to run, you can click the Tools  button in the upper right corner of the window (as shown in Figure 1) to access the Options section of the Microsoft Surface Diagnostic Toolkit. In the Options section, you can configure the depth of testing and logs, as well as the save location for log files. You can also create and use additional language files for the dialog of each test.
-
-
-
-*Figure 1. The Tools button highlighted in upper right corner of window*
-
->[!NOTE]
->Any options you want to select must be specified before you run the tests. You cannot change the test options after the testing sequence has started.
-
-####Test depth
-You can quickly select among three modes for testing and diagnostics by using the **Test Depth** page. The **Test Depth** page displays a slider with three possible positions, as shown in Figure 2. These positions determine which tests are run and what information is recorded without requiring you to select specific tests with the **Run Specific Tests** button. The three modes allow you to focus the tests of the Microsoft Surface Diagnostic Toolkit on hardware, software, or both hardware and software.
-
-
-
-*Figure 2. The Test Depth slider to select the depth of data collection*
-
-When you select a mode by using the Test Depth slider, a configuration file (.ini) with the same name as the Microsoft Surface Diagnostic Toolkit executable (.exe) file is created in the same folder. For example, if the Microsoft Surface Diagnostic Toolkit executable file is SurfaceDiagnosticToolkit.exe, the configuration file will be SurfaceDiagnosticToolkit.ini. When the executable file is run, the options will be automatically set by the configuration file. To run the Microsoft Surface Diagnostic Toolkit in a specific mode on multiple devices, ensure that the .ini file remains in the same folder with the .exe file used on each device.
-
-When you run the Microsoft Surface Diagnostic Toolkit, you can still use the **Run Specific Tests** button to enable or disable specific tests. The tests selected on the **Please Select Tests to Run** page take priority over the tests enabled or disabled by the mode specified on the **Test Depth** page. When a mode is selected the tests that are applicable to that mode will be enabled by default and the tests that are not required for that mode will be disabled.
-
-Each mode has a specific focus and records a different level of information in the log files, as follows:
-
-* **Hardware and Software Focus.** This is the default mode for the Microsoft Surface Diagnostic Toolkit. In this mode all tests that are applicable to the device are run. This mode logs the most information and takes the most time.
-* **Software Experience Focus.** This mode collects information about the device and records it in the log file. No hardware tests are performed in this mode. The following tests are run in this mode:
- * Windows Update Check Test
- * Device Information Test
- * System Assessment Test
- * Crash Dump Collection Test
- * Modern Standby Test
-* **Hardware Validation Focus.** This mode tests the hardware of the device but does not collect system log files or device information. All diagnostic tests relevant to the device hardware are run in this mode. The exact tests that are run will vary from device to device depending on the hardware configuration. This mode logs the least information and requires the least amount of time.
-
-
-####Save location
-Use the **Browse** button on the **Save Location** page to select a default location for the Microsoft Surface Diagnostic Toolkit log files to be saved. When the tests complete the user will still be prompted to save a log file and a log file will not be saved automatically. The user must still click the **Save to File** button to save the log files. As with the Test Depth mode, this save location is stored in the Microsoft Surface Diagnostic Toolkit configuration (.ini) file and if the file does not exist, configuring this option will generate the file.
-
-####Additional language
-Refer to the [Localization](#localization) section of this article for information about how to customize the dialog displayed during each test. On the **Additional Language** page, you can generate a localization file that you can use to customize the dialog during each test. You can also specify a specific localization file to be used with the Microsoft Surface Diagnostic Toolkit with the **Browse** button.
-
-####Feedback
-You can use the form on the **Feedback** page to inform the product team of any problems that you encounter with the Microsoft Surface Diagnostic Toolkit or to provide any suggestions for how the Microsoft Surface Diagnostic Toolkit could be improved.
-
-
-## The tests
-
-The Microsoft Surface Diagnostic Toolkit runs several individual tests on a Surface device. Not all tests are applicable to every device. For example, the Home button test is not applicable to Surface Pro 4 where there is no Home button. You can specify which tests to run, or you can choose to run all tests. For tests that require external devices (such as testing output to an external display) but you do not have the required external device at the time of the test, you are given the option to skip the test. If a test fails, you are prompted to continue or stop testing at that time.
-
-When the testing completes, the **Test Results** page is displayed (as shown in Figure 3) and shows the status of each test: passed, failed, or inconclusive (skipped). You can choose to run the tests again; to save a log file, including any additional log files gathered by tests; or to copy the log file text to the clipboard.
-
-
-
-*Figure 3. View of the results of the tests*
-
-When the tests have completed, you can also add additional notes to the log files by clicking **Add additional feedback to results ->** on the **Test Results** page. Use the **Type any additional feedback about these tests** field on the **Test Results** page to add your notes, as shown in Figure 4.
-
-
-
-*Figure 4. Add notes to the log file*
-
-Notes that you type on this page are displayed in the log files after the results of the selected tests and before the **Files** section. The section header in the log files for these notes is named **User Feedback**.
-
-#### Windows Update
-
-This test checks for any outstanding Windows updates and will prompt you to install those updates before you proceed to other tests. It is important to keep a Surface device up to date with the latest Windows updates, including drivers and firmware for the Surface device. The success of some of the tests that are performed later in the task sequence depend on these updated drivers and firmware. You will be prompted to restart the device if required by Windows Update. If you must restart the device, you will need to start the Microsoft Surface Diagnostic Toolkit again.
-
-#### Device information
-
-This test reads the Device ID and serial number in addition to basic system information such as device model, operating system version, processor, memory, and storage. The Device ID is recorded in the name of the log file and can be used to identify a log file for a specific device. Several system log files are also collected, including update and rollback logs, and output from several Windows built-in tools, such as [DirectX Diagnostics](https://support.microsoft.com/en-us/products/windows?os=windows-10) and [System Information](https://technet.microsoft.com/library/cc731397), power configuration, disk health, and event logs. See the following list for a full set of collected log files:
-
-- Output of **Get-WindowsUpdateLog** if the operating system is Windows 10
-
-- **%windir%\\Logs**
-
-- **%windir%\\Panther**
-
-- **%windir%\\System32\\sysprep\\Panther**
-
-- **%windir%\\System32\\WinEvt\\Logs**
-
-- **$windows.~bt\\Sources\\Panther**
-
-- **$windows.~bt\\Sources\\Rollback**
-
-- **%windir%\\System32\\WinEvt\\Logs**
-
-- Output of **dxdiag.exe /t**
-
-- Output of **msinfo32.exe /report**
-
-- Output of **powercfg.exe /batteryreport**
-
-- Output of **powercfg.exe /sleepstudy**
-
-- Output of **wevtutil.exe epl System**
-
-- Events from:
-
- - **Chkdsk**
-
- - **Microsoft-Windows-Ntfs**
-
- - **Microsoft-Windows-WER-SystemErrorReporting**
-
- - **Microsoft-Windows-Startuprepair**
-
- - **Microsoft-Windows-kernel-Power**
-
-- Output of **powercfg.exe /q**
-
-- Output of **powercfg.exe /qh**
-
-- **%windir%\\Inf\\SetupApi\*.log**
-
-These files and logs are stored in a .zip file saved by the Microsoft Surface Diagnostic Toolkit when all selected tests have completed alongside the Microsoft Surface Diagnostic Toolkit log file.
-
-#### Type Cover test
-
->[!NOTE]
->A Surface Type Cover is required for this test.
-
-
-If a Surface Type Cover is not detected, the test prompts you to connect the Type Cover. When a Type Cover is detected the test prompts you to use the keyboard and touchpad. The cursor should move while you swipe the touchpad, and the keyboard Windows key should bring up the Start menu or Start screen to successfully pass this test. You can skip this test if a Type Cover is not used with the Surface device.
-
-#### Integrated keyboard test
-
->[!NOTE]
->This test is only applicable to Surface Book and requires that the Surface Book be docked to the keyboard.
-
-This test is essentially the same as the Type Cover test, except the integrated keyboard in the Surface Book base is tested rather than the Type Cover. During the first stage of this test a diagram of the keyboard is displayed. When you press a key, the corresponding key will be marked on the diagram. The test will proceed when every key in the diagram is marked. In the second stage of this test, you are prompted to make several gestures on the keypad. As you perform each gesture (for example, a three finger tap), the gesture will be marked on the screen. When you have performed all gestures, the test will automatically complete.
-
->[!NOTE]
->The F-keys on the diagram require that you press the Function (FN) key simultaneously to activate them. By default, these keys perform other actions. For the Home and End keys, you must press the same keys as F8 and F9, but without the Function (FN) key pressed.
-
-#### Canvas mode battery test
-
->[!NOTE]
->This test is only applicable to Surface Book.
-
-Depending on which mode Surface Book is in, different batteries are used to power the device. When Surface Book is in clipboard mode (detached form the keyboard) it uses an internal battery, and when it is connected in either laptop mode or canvas mode it uses different connections to the battery in the keyboard. In canvas mode, the screen is connected to the keyboard so that when the device is closed, the screen remains face-up and visible. Connect the Surface Book to the keyboard in this manner for the test to automatically proceed.
-
-#### Clipboard mode battery test
-
->[!NOTE]
->This test is only applicable to Surface Book.
-
-Disconnect the Surface Book from the keyboard to work in clipboard mode. In clipboard mode the Surface Book operates from an internal battery that is tested when the Surface Book is disconnected from the keyboard. Disconnecting the Surface Book from the keyboard will also disconnect the Surface Book from power and will automatically begin this test.
-
-#### Laptop mode battery test
-
->[!NOTE]
->This test is only applicable to Surface Book.
-
-Connect the Surface Book to the keyboard in the opposite fashion to canvas mode in laptop mode. In laptop mode the screen will face you when the device is open and the device can be used in the same way as any other laptop. Disconnect AC Power from the laptop base when prompted for this test to check the battery status.
-
-#### Battery test
-
-In this test the battery is discharged for a few seconds and tested for health and estimated runtime. You are prompted to disconnect the power adapter and then to reconnect the power adapter when the test is complete.
-
-#### Discrete graphics (dGPU) test
-
->[!NOTE]
->This test is only applicable to Surface Book models with a discrete graphics processor.
-
-This test will query the device information of current hardware to check for the presence of both the Intel integrated graphics processor in the Surface Book and the NVIDIA discrete graphics processor in the Surface Book keyboard. The keyboard must be attached for this test to function.
-
-#### Discrete graphics (dGPU) fan test
-
->[!NOTE]
->This test is only applicable to Surface Book models with a discrete graphics processor.
-
-The discrete graphics processor in the Surface Book includes a separate cooling fan. The fan is turned on automatically by the test for 5 seconds. Listen for the sound of the fan in the keyboard and report if the fan is working correctly when prompted.
-
-#### Muscle wire test
-
->[!NOTE]
->This test is only applicable to Surface Book.
-
-To disconnect the Surface Book from the keyboard, software must instruct the muscle wire latch mechanism to open. This is typically accomplished by pressing and holding the undock key on the keyboard. This test sends the same signal to the latch, which unlocks the Surface Book from the Surface Book keyboard. Remove the Surface Book from the keyboard when you are prompted to do so.
-
-#### Dead pixel and display artifacts tests
-
->[!NOTE]
->Before you run this test, be sure to clean the screen of dust or smudges.
-
-This test prompts you to view the display in search of malfunctioning pixels. The test displays full-screen, single-color images including black, white, red, green, and blue. Pixels that remain bright or dark when the screen displays an image of a different color indicate a failed test. You should also look for distortion or variance in the color of the screen.
-
-#### Digitizer edges
-
-The touchscreen of a Surface device should detect when a user swipes in from the left or right side of the screen. This test prompts you to swipe in from the edges of the screen to bring up the Action Center and Task View. Both Action Center and Task View should launch to pass this test.
-
-#### Digitizer pinch
-
-The pinch gesture (when you bring two fingers closer together or farther apart) is used to manipulate zoom and to position content through the touchscreen. This test displays an image in Windows Picture Viewer and prompts you to zoom in, move, and zoom out of the picture. The picture should zoom in, move, and zoom out as the gestures are performed.
-
-#### Digitizer touch
-
-The Surface touchscreen should detect input across the entire screen of the device equally. To perform this test a series of lines are displayed on the screen for you to trace with a finger in search of unresponsive areas. The lines traced across the screen should appear continuous for the length of the line as drawn with your finger.
-
-#### Digitizer pen test
-
->[!NOTE]
->A Microsoft Surface Pen is required for this test.
-
-This test displays the same lines as those that are displayed during the Digitizer Touch test, but your input is performed with a Surface Pen instead of your finger. The lines should remain unbroken for as long as the Pen is pressed to the screen. Trace all of the lines in the image to look for unresponsive areas across the entire screen of the Surface device.
-
-#### Digitizer multi touch
-
-The Surface touchscreen is capable of detecting 10 fingers simultaneously. Place all of your fingers on the screen simultaneously to perform this test. The screen will show the number of points detected, which should match the number of fingers you have on the screen.
-
-#### Home button test
-
-The Home button or Windows button on your Surface device is used to bring up the Start screen or Start menu. This test is successful if the Start screen or Start menu is displayed when the Windows button is pressed. This test is not displayed on Surface Pro 4 because no Windows button exists.
-
-#### Volume rocker test
-
-This test prompts you to use the volume rocker to turn the volume all the way up, all the way down, and then all the way up again. To pass this test, the volume slider should move up and down as the rocker is pressed.
-
-#### Micro SD or SD slot test
-
->[!NOTE]
->This test requires a micro SD or SD card that is compatible with the slot in your Surface device.
-
-Insert a micro SD or SD card when you are prompted. When the SD card is detected, the test prompts you to remove the SD card to ensure that the card is not left in the device. During this test a small file is written to the SD card and then verified. Detection and verification of the SD card automatically passes this test without additional input.
-
-#### Microphone test
-
-This test displays a meter that shows the microphone sound level and records audio for a short period of time. Say a few words or make noise and make note that the meter displays the sound level accordingly. A countdown timer is displayed to indicate how much time is remaining for you to record sound. When the countdown timer expires, the recorded audio is played back. Verify that the words or noises sound clear and accurate, and then mark the test as passed or failed depending on the results.
-
-#### Video out test
-
->[!NOTE]
->This test requires an external display with the applicable connection for your Surface device.
-
-Surface devices provide a Mini DisplayPort connection for connecting to an external display. Connect your display through the Mini DisplayPort on the device when prompted. The display should be detected automatically and an image should appear on the external display.
-
-#### Bluetooth test
-
->[!NOTE]
->This test requires a Bluetooth device. The device must be set to pairing mode or made discoverable to perform this test.
-
-After you receive a prompt to put the device in pairing mode, the test opens the **Add a device** window and begins to search for discoverable Bluetooth devices. Watch the **Add a device** window to verify that your Bluetooth device is detected. Select your Bluetooth device from the list and connect to the device to complete the test.
-
-#### Camera test
-
-Use this test to verify that the cameras on your Surface device are operating properly. Images will be displayed from both the front and rear cameras, and the infrared camera on a Surface Pro 4. Continuous autofocus can be enabled on the rear camera. Move the device closer and farther away from an object to verify the operation of continuous autofocus.
-
->[!NOTE]
->You can also use the **Snapshot to Logs** option to save a snapshot of the video output to the log files.
-
-#### Speaker test
-
->[!NOTE]
->Headphones or external speakers are required to test the headphone jack in this test.
-
-This test plays audio over left and right channels respectively, both for the internal speakers and for speakers or headphones connected through the headphone jack. Plug in your headphones or speakers to the 3.5mm stereo jack when prompted. The test will automatically detect that a sound playback device has been connected. Mark each channel as a pass or fail as you hear the audio play through the speakers or headphones.
-
-#### Network test
-
->[!NOTE]
->Connect the Surface device to a Wi-Fi network before you run this test. Connections that are made during the test are removed when the test is completed.
-
-This test uses the Windows Network Diagnostics built in troubleshooter to diagnose potential issues with network connectivity, including proxy configuration, DNS problems, and IP address conflicts. An event log is saved by this test in Windows logs and is visible in the Windows Event Viewer. The Event ID is 6100.
-
-#### Power test
-
-Settings such as display brightness, the elapsed time until the screen sleeps, and the elapsed time until device sleeps, are checked against default values with the Power built-in troubleshooter. The troubleshooter will automatically correct settings that may prevent the device from conserving power or entering sleep mode.
-
-#### Mobile broadband test
-
-This test prompts you to enable mobile broadband and attempts to browse to http://www.bing.com. This test is only applicable to Surface devices that come equipped with mobile broadband, such as Surface 3 LTE.
-
-#### Accelerometer test
-
-The accelerometer detects lateral, longitudinal, and vertical movements of the Surface device. This test prompts you to pick up and move the Surface device forward and backward, to the left and to the right, and up and down, to test the sensor for directional movement. The test automatically passes when movement is detected.
-
-#### Gyrometer test
-
-The gyrometer detects pitch, roll, and yaw movements. This test prompts you to pick up and rotate the Surface device to test the sensors for angular movement. The test automatically passes when movement is detected.
-
-#### Compass test
-
-The compass detects which direction the Surface device is facing relative to north, south, east, and west. Turn the Surface device to face in different directions to test the sensor. The test automatically passes when a change in direction is detected.
-
-#### Ambient light test
-
-The ambient light sensor is used to automatically adjust screen brightness relative to the ambient lighting in the environment. Turn the device toward or away from a light source to cause the screen to dim or brighten in response increased or decreased light. The test automatically passes when the screen brightness automatically changes.
-
->[!NOTE]
->You can also block the ambient light from the sensor by holding your hand slightly in front of the light sensor, which is located directly next to the camera. Use the provided meter to determine if you are blocking light from the sensor.
-
-#### Device orientation test
-
->[!NOTE]
->Before you run this test, disable rotation lock from the Action Center if enabled.
-
-The device orientation sensor determines what the angle of the Surface device is, relative to the ground. Rotate the display 90 degrees or 180 degrees to cause the screen orientation to switch between portrait and landscape mode. If you have a Surface Type Cover or the Surface Book keyboard connected, you will be prompted to disconnect the Surface from the keyboard to allow screen rotation. The test automatically passes when the screen orientation switches.
-
-#### Brightness test
-
-This test cycles the screen through brightness levels from 0 percent to 100 percent, and then a message is displayed to confirm if the brightness level changed accordingly. You are then prompted to test for brightness reaction. To test the reaction of brightness when running on battery, disconnect the power adapter. The screen should automatically dim when power is disconnected.
-
-#### Surface Dock test
-The Microsoft Surface Diagnostic Toolkit uses this test only if a Surface Dock is connected to the device. If a Surface Dock is detected, this test verifies that the Surface Dock driver firmware is updated. For more detailed analysis of Surface Dock firmware status and how to manually initiate the firmware update process, see the [Microsoft Surface Dock Updater](https://technet.microsoft.com/itpro/surface/surface-dock-updater) article.
-
-
-#### System assessment
-
->[!NOTE]
->The Surface device must be connected to AC power before you can run this test.
-
-The Windows System Assessment Tool (WinSAT) runs a series of benchmarks against the processor, memory, video adapter, and storage devices. The results include the processing speed of various algorithms, read and write performance of memory and storage, and performance in several Direct3D graphical tests.
-
-#### Performance Monitor test
-
-Performance and diagnostic trace logs are recorded from Performance Monitor for 30 seconds and collected in the .zip file output of the Microsoft Surface Diagnostic Toolkit by this test. You can analyze these trace logs with the [Windows Performance Analyzer](https://msdn.microsoft.com/windows/hardware/commercialize/test/wpt/windows-performance-analyzer) to identify causes of application crashes, performance issues, or other undesirable behavior in Windows.
-
-#### Crash dump collection
-
-If your Surface device has encountered an error that caused the device to fail or produce a blue screen error, this stage of the Microsoft Surface Diagnostic Toolkit records the information from the automatically recorded crash dump files in the diagnostic log. You can use these crash dump files to identify a faulty driver, hardware component, or application through analysis. Use the [Windows Debugging Tool](https://msdn.microsoft.com/library/windows/hardware/ff539316) to analyze these files. If you are not familiar with the analysis of crash dump files, you can describe your issue and post a link to your crash dump files (uploaded to OneDrive or another file sharing service) in the [Windows TechNet Forums](https://social.technet.microsoft.com/Forums/home?category=w8itpro).
-
-#### Connected standby text
-
->[!NOTE]
->This test is only available on Surface devices running Windows 8 or Windows 8.1.
-
-If connected standby is enabled on the Surface device, this test passes automatically. If connected standby is not enabled, a failure is recorded for this test. Find out more about Connected Standby and Modern Standby at [Modern Standby](https://msdn.microsoft.com/library/windows/hardware/mt282515) on MSDN.
-
-#### Modern standby test
-
->[!NOTE]
->This test is only available on Surface devices running Windows 10.
-
-This test records log files of the power configuration for the Surface device using the **powercfg.exe /a** command. The test completes automatically and a failure is only recorded if the command does not run.
-
-
-## Command line
-
-You can run the Microsoft Surface Diagnostic Toolkit from the command line or as part of a script. The tool supports the following arguments:
-
->[!NOTE]
->Many of the tests performed by the Microsoft Surface Diagnostic Toolkit require technician interaction. The Microsoft Surface Diagnostic Toolkit cannot run unattended.
-
-#### exclude
-
-Use this argument to exclude specific tests.
-
-Example:
-
-```
-Surface_Diagnostic_Toolkit_1.0.60.0.exe “exclude=BatteryTest,CameraTest”
-```
-
-See the following list for test names:
-
-- AccelerometerTest
-
-- AmbientLightSensorTest
-
-- BatteryTest
-
-- BluetoothTest
-
-- BrightnessTest
-
-- CameraTest
-
-- CanvasModeBatteryTest
-
-- ChargingTest
-
-- ClipboardModeBatteryTest
-
-- CrashDumpCollectionTest
-
-- DeadPixelDetectionTest
-
-- DeviceInformationTest
-
-- DeviceOrientationTest
-
-- DigitalCompassSensorTest
-
-- DigitizerEdgeTest
-
-- DigitizerMultiTouchTest
-
-- DigitizerPenCoverageTest
-
-- DigitizerPinchTest
-
-- DigitizerTouchCoverageTest
-
-- DisplayArtifactsTest
-
-- DualGraphicsTest
-
-- FanTest
-
-- GyrometerSensorTest
-
-- HomeButtonTest
-
-- IntegratedKeyboardTest
-
-- LaptopModeBatteryTest
-
-- MicrophoneTest
-
-- MicroSdCardTest
-
-- MobileBroadbandTest
-
-- MuscleWireTest
-
-- NetworkTest
-
-- PenTest
-
-- PerformanceMonitorTest
-
-- PowerTest
-
-- SdCardTest
-
-- SpeakerTest
-
-- SystemAssessmentTest
-
-- TypeCoverTest
-
-- VideoOutTest
-
-- VolumeRockerTest
-
-- WindowsUpdateCheckTest
-
-#### forceplatformsupport
-
-Use this argument to force tests to run when the make and model of the device is not properly detected by Windows. Surface Diagnostic Toolkit is intended to run only on Surface devices.
-
-Example:
-
-```
-Surface_Diagnostic_Toolkit_1.0.60.0.exe forceplatformsupport
-```
-
-#### include
-
-Use this argument to include tests when you run Microsoft Surface Diagnostic Toolkit from the command line. Tests specified by the **Include** command will be run even if the test is not supported on the model of Surface device. In the following example, the Surface Book specific tests for the latch mechanism and discrete graphics will be run, even if the command is run on a Surface Pro 4 or other Surface model.
-
-Example:
-
-```
-Surface_Diagnostic_Toolkit_1.0.60.0.exe “include=DualGraphicsTest,FanTest,MuscleWireTest”
-```
-
-#### logpath
-
-Use this argument to specify the path for the log file.
-
-Example 1:
-
-```
-Surface_Diagnostic_Toolkit_1.0.60.0.exe logpath=C:\Folder
-```
-
-Example 2:
-
-```
-Surface_Diagnostic_Toolkit_1.0.60.0.exe “logpath=C:\Folder with spaces”
-```
-
-## Localization
-
-
-By default, the Microsoft Surface Diagnostic Toolkit is available in English only. If you want to localize the text of the Microsoft Surface Diagnostic Toolkit prompts into another language, you can do so by creating a custom localization file. To create a new localization file (.locale), follow these steps:
-
-1. Click the Tools  button.
-2. Click the **Additional Language** page.
-3. Click the **Generate** button and the new .locale file is created.
-
-The locale file that is created when you use these steps will have the same name as your executable file, even if it has been changed from the default. For example, if the Microsoft Surface Diagnostic Toolkit executable file is SurfaceDiagnosticToolkit.exe, the localization file would be SurfaceDiagnosticToolkit.locale. The locale file will be created in the same folder as the executable file. If a localization file with this name already exists, you will be prompted to overwrite the existing file. The file that is created when you click the **Generate** button is always generated in the default language, English.
-
-To customize the localization file, open the file in a text or XML editor such as Notepad. To edit the dialog for each test, replace the text for each phrase tag. (For example, `text`.) To use the file automatically when you start the Microsoft Surface Diagnostic Toolkit, simply save the file with the same name it had when it was created. To save the file for use with other instances of Microsoft Surface Diagnostic Toolkit, copy the file to another location or save the file with another name.
-
-If a localization file with the same name and in the same folder as the executable file is detected when Microsoft Surface Diagnostic Toolkit started, the alternate text specified in that localization file replaces the default dialog and prompts. If a custom localization file is not present or the file name is not the same as the executable file, the tool will default to English text. At any point you can also explicitly specify a localization file to be used by the Microsoft Surface Diagnostic Toolkit. To specify a localization file, follow these steps:
-1. Click the Tools  button.
-2. Click the **Additional Language** page.
-3. Click **Browse**.
-4. Browse to and select your custom localization file.
-
-A custom localization file selected through this process does not need a specific name. After you select the custom localization file, the Microsoft Surface Diagnostic Toolkit will import the contents and write them to a .locale file with the same name as the .exe file, just like if you click the **Generate** button to create a new .locale file.
-
->[!NOTE]
->If you import a localization file by clicking the **Browse** button, an existing localization file will be overwritten without prompting if that file has the same name as the Microsoft Surface Diagnostic Toolkit executable file.
-
-
-
-
-
-
-
-
-
-
-
-
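Review bot: Check that this removal comes with a redirect or a replacement article. The deleted Command line and Localization sections are where the `exclude`, `forceplatformsupport`, `include` and `logpath` arguments, the list of test names, and the .locale workflow are documented. If admins still run the toolkit from scripts, that reference should live somewhere before this text goes away.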
diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
index ea32d404cc..4e3fcf3fad 100644
--- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
@@ -94,7 +94,7 @@ In the import process example shown in the [Deploy Windows 10 to Surface devices
Installation of applications in an upgrade deployment is not always necessary because the applications from the previous environment will remain on the device. (For example, in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, the deployment includes Office 365 which is not required in an upgrade deployment where the user is already using Office 365 on the device.)
-There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence.
+There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence.
### Create the upgrade task sequence
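Review bot: The link text on the changed line now reads "Deploy Surface app with Microsoft Store for Business", but the URL still ends in `deploy-surface-app-with-windows-store-for-business`. That is fine if the target article keeps its old slug. Please confirm that the link resolves and that the target's title was renamed in the same change, so the text and the destination agree.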
diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md
index 1cd440c9aa..8c118e635e 100644
--- a/devices/surface/using-the-sda-deployment-share.md
+++ b/devices/surface/using-the-sda-deployment-share.md
@@ -29,7 +29,7 @@ One of the primary scenarios for use of SDA is as a Proof of Concept. A *Proof o
Using SDA to prepare a PoC of Surface devices enables you to very quickly prepare a demonstration of Surface device or devices, which gives you more time for customization or preparation. The flexibility of SDA even lets you import resources, like applications and drivers, from existing MDT deployment infrastructure. See the [Work with existing deployment shares](#work-with-existing-deployment-shares) section later in this article for more information.
-SDA is also an excellent PoC of the capabilities of MDT. SDA demonstrates just how quickly an MDT deployment environment can be prepared and made ready for deployment to devices. It also shows just how flexible and customizable the MDT solution can be, with support for Windows 10 and Windows 8.1, for Windows Store and desktop applications, and several models of Surface devices.
+SDA is also an excellent PoC of the capabilities of MDT. SDA demonstrates just how quickly an MDT deployment environment can be prepared and made ready for deployment to devices. It also shows just how flexible and customizable the MDT solution can be, with support for Windows 10 and Windows 8.1, for Microsoft Store and desktop applications, and several models of Surface devices.
Some recommendations for a successful PoC with SDA are:
diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md
index cee0c58856..c264f50a22 100644
--- a/devices/surface/wake-on-lan-for-surface-devices.md
+++ b/devices/surface/wake-on-lan-for-surface-devices.md
@@ -50,7 +50,7 @@ The Surface WOL driver conforms to the WOL standard, whereby the device is woken
>[!NOTE]
>To send a magic packet and wake up a device by using WOL, you must know the MAC address of the target device and Ethernet adapter. Because the magic packet does not use the IP network protocol, it is not possible to use the IP address or DNS name of the device.
-Many management solutions, such as System Center Configuration Manager, provide built-in support for WOL. There are also many solutions, including Windows Store apps, PowerShell modules, third-party applications, and third-party management solutions that allow you to send a magic packet to wake up a device. For example, you can use the [Wake On LAN PowerShell module](https://gallery.technet.microsoft.com/scriptcenter/Wake-On-Lan-815424c4) from the TechNet Script Center.
+Many management solutions, such as System Center Configuration Manager, provide built-in support for WOL. There are also many solutions, including Microsoft Store apps, PowerShell modules, third-party applications, and third-party management solutions that allow you to send a magic packet to wake up a device. For example, you can use the [Wake On LAN PowerShell module](https://gallery.technet.microsoft.com/scriptcenter/Wake-On-Lan-815424c4) from the TechNet Script Center.
>[!NOTE]
>After a device has been woken up with a magic packet, the device will return to sleep if an application is not actively preventing sleep on the system or if the AllowSystemRequiredPowerRequests registry key is not configured to 1, which allows applications to prevent sleep. See the [WOL driver](#wol-driver) section of this article for more information about this registry key.
diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md
index f7f99ded79..8988624631 100644
--- a/education/get-started/finish-setup-and-other-tasks.md
+++ b/education/get-started/finish-setup-and-other-tasks.md
@@ -139,7 +139,7 @@ Follow the steps in this section to ensure that settings for the each user follo
5. Click **Save** to update device settings.
## Complete Office 365 for Education setup
-Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the Office 365 admin documentation.
+Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the Office 365 admin documentation.
## Enable Microsoft Teams for your school
Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education.
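Review bot: The removed and added "Now that your basic cloud infrastructure is up and running..." lines are identical as shown, so the change cannot be reviewed from the text. Please say in the commit message what changed (link markup, whitespace). As it reads here, "the Office 365 admin documentation" carries no link target, so if a link was intended, check that it survived. The same applies to the "See Add users to Office 365 to learn more." pair in the next hunk of this file.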
@@ -176,7 +176,7 @@ You can find more info about how to control which users in your school can use M
## Add more users
After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education.
-See Add users to Office 365 to learn more. Once you're done adding new users, go to the Intune for Education console and verify that the same users were added to the Intune for Education groups as well.
+See Add users to Office 365 to learn more. Once you're done adding new users, go to the Intune for Education console and verify that the same users were added to the Intune for Education groups as well.
## Connect other devices to your cloud infrastructure
Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [Set up Windows 10 education devices](set-up-windows-10-education-devices.md). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected.
diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md
index 51de907eef..85d5add1d6 100644
--- a/education/get-started/get-started-with-microsoft-education.md
+++ b/education/get-started/get-started-with-microsoft-education.md
@@ -10,7 +10,7 @@ ms.localizationpriority: high
ms.pagetype: edu
author: CelesteDG
ms.author: celested
-ms.date: 08/29/2017
+ms.date: 10/04/2017
---
# Get started: Deploy and manage a full cloud IT solution with Microsoft Education
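Review bot: `ms.date` is bumped to 10/04/2017 in this file only. finish-setup-and-other-tasks.md is edited in the same patch with no metadata hunk (its first hunk starts at line 139), and the set-up-office365-edu-tenant.md hunk header still shows `ms.date: 07/10/2017`. If the date is meant to track content changes, update it consistently across the touched education/get-started files.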
@@ -40,7 +40,7 @@ With Microsoft Education, schools can:
- **Collaborate in a modern classroom** - Help students become career-ready with Office apps like Word, Excel, PowerPoint, and OneNote. Increase comprehension and outcomes with the most advanced teaching apps like integrated Learning Tools.
- **Go beyond the browser with inspiring apps for classroom learning** - Inspire with Minecraft: Education Edition and innovative apps from the Microsoft Store for Education.
-Go to the Microsoft Education site to learn more. See How to buy to learn about pricing and purchasing options for schools, students, and teachers as well as academic pricing and offers for qualified K-12 and higher education institutions.
+Go to the Microsoft Education site to learn more. See How to buy to learn about pricing and purchasing options for schools, students, and teachers as well as academic pricing and offers for qualified K-12 and higher education institutions.
## What we're doing
The end-to-end process for deploying and managing a full cloud IT solution with Microsoft Education is outlined here. Depending on your [setup scenario](#setup-options), you may not need to implement all these steps.
@@ -140,17 +140,26 @@ See the Microsoft
To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
- Working with Microsoft Store for Education
-- *Resources for anyone who uses Office 365* and *Resources for admins* in Get started with Office 365 for Education
+- *Resources for anyone who uses Office 365* and *Resources for admins* in Get started with Office 365 for Education
- School Data Sync deployment options
- Deployment using CSV files: How to deploy School Data Sync by using CSV files and CSV files for School Data Sync
- Deployment using PowerSchool Sync: How to deploy School Data Sync by using PowerSchool Sync and School Data Sync required attributes for PowerSchool Sync
- Deployment using Clever Sync: How to deploy School Data Sync by using Clever Sync and School Data Sync required attributes for Clever sync
- Deployment using OneRoster CSV files: How to deploy School Data Sync by using OneRoster CSV files
+- Azure Active Directory features used by Intune for Education, including:
+ - Single Sign-On (SSO) - Allow your Azure AD users to access SSO-enabled apps, so they don’t need to type in their credentials to access these apps.
+ - MDM auto-enrollment - Devices are automatically enrolled with Intune upon being joined with Azure AD join.
+- Enterprise state roaming - Keep school data and personal data separate on your devices.
+ - Dynamic groups - You can use dynamic groups to create rules that populate your groups (for example, a group with all 9th graders) instead of having to manually add or remove members of the groups. The group stays updated by continually staying populated with members that fit the rules you pick.
+ - Password write-back - Allows you to configure Azure AD to write passwords back to your on-premises Active Directory. It removes the need to set up and manage a complicated on-premises self-service password reset solution, and it provides a convenient cloud-based way for your users to reset their on-premises passwords wherever they are.
+ - Administrative units
+ - Additional local administrators
+ - Self-service BitLocker recovery - A self-service portal that allows your employees to retrieve their BitLocker recovery key and avoid support calls.
**For teachers**
Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:
-- *Resources for anyone who uses Office 365* in Get started with Office 365 for Education
+- *Resources for anyone who uses Office 365* in Get started with Office 365 for Education
- Windows 10 online resources for teachers
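Review bot: The added "Enterprise state roaming" bullet sits at top-level indentation while the items before and after it are nested under "Azure Active Directory features used by Intune for Education, including:", so it will render as a separate top-level entry and split the sub-list. Indent it to match its siblings. In the same list, "Administrative units" and "Additional local administrators" are the only entries without a description; both concern who holds admin rights, so give each a one-line description like the others. The BitLocker recovery entry says "your employees", which reads oddly in a school walkthrough; "users" would fit better.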
diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md
index 623b0c5e4e..1b028cb585 100644
--- a/education/get-started/set-up-office365-edu-tenant.md
+++ b/education/get-started/set-up-office365-edu-tenant.md
@@ -21,7 +21,7 @@ ms.date: 07/10/2017
Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud.
-Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
+Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
@@ -263,21 +263,21 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**.
2. Click **Settings**, and then choose **Permissions**.
- 
+ 
3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**.
- 
+ 
- Windows Store for Business updates the list of people and permissions.
+ Microsoft Store for Business updates the list of people and permissions.
- 
+ 
-->
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 89cd5cab6a..1982510bd4 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -136,7 +136,7 @@ The Set up School PCs app produces a specialized provisioning package that makes
- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud.
- A custom Start layout, taskbar layout, and lock screen image are set.
- Prohibits unlocking the PC to developer mode.
-- Prohibits untrusted Windows Store apps from being installed.
+- Prohibits untrusted Microsoft Store apps from being installed.
- Prohibits students from removing MDM.
- Prohibits students from adding new provisioning packages.
- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs).
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index 660b765246..09099b2501 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -80,25 +80,25 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
## Add a universal app to your package
-Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
+Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Microsoft Store for Business apps that you acquire with [offline licensing](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Microsoft Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
-2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page.
+2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.

3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
-4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.

-5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page.
+5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Microsoft Store for Business, you generate the license for the app on the app's download page.

-[Learn more about distributing offline apps from the Windows Store for Business.](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps)
+[Learn more about distributing offline apps from the Microsoft Store for Business.](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps)
> [!NOTE]
> Removing a provisioning package will not remove any apps installed by device context in that provisioning package.
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index e1c9c918d3..7e92b7c2aa 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -45,7 +45,7 @@ When Take a Test is running, the following MDM policies are applied to lock down
| Policy | Description | Value |
|---|---|---|
| AllowToasts | Disables toast notifications from being shown | 0 |
-| AllowAppStoreAutoUpdate | Disables automatic updates for Windows Store apps that are installed on the PC | 0 |
+| AllowAppStoreAutoUpdate | Disables automatic updates for Microsoft Store apps that are installed on the PC | 0 |
| AllowDeviceDiscovery | Disables UI for screen sharing | 0 |
| AllowInput Panel | Disables the onscreen keyboard which will disable auto-fill | 0 |
| AllowCortana | Disables Cortana functionality | 0 |
@@ -87,6 +87,17 @@ When Take a Test is running, the following functionality is available to student
- Ctrl+Alt+Del
- Alt+F4 (Take a Test will restart if the student is using a dedicated test account)
+## Permissive mode
+
+Starting with Windows 10, version 1709 (Fall Creators Update), assessments can now run in permissive mode. This mode enables students who need access to other apps, like accessibility tools, to use the apps.
+
+When permissive mode is triggered in lockdown mode, Take a Test transitions from lockdown mode to running windows mode on the user's desktop. The student can then run allowed apps during the test.
+
+When running tests in this mode, keep the following in mind:
+- Permissive mode is not supported in kiosk mode (dedicated test account).
+- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode.
+
+See [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info.
## Learn more
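Review bot: The new Permissive mode section never defines what limits the apps a student can run once Take a Test leaves lockdown: "The student can then run allowed apps during the test" does not say what makes an app "allowed" or who configures that. Since this mode relaxes the lockdown described earlier in this file, state how the allowed set is determined and whether the MDM policies listed in the table above still apply while in permissive mode. Also, "running windows mode" looks like a typo for "running in windowed mode", and the parameter is written "#enforcelockdown" here but `enforceLockdown` in the take-a-test-multiple-pcs.md and take-a-test-single-pc.md hunks; pick one spelling.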
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index 64fbb7095c..beddf8d589 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -244,6 +244,10 @@ One of the ways you can present content in a locked down manner is by embedding
> [!NOTE]
> The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:!enforcelockdown` is still supported, but not in combination with the new parameters.
+3. To enable permissive mode, do not include `enforceLockdown` in the schema parameters.
+
+ See [Permissive mode](take-a-test-app-technical.md#permissive-mode) and [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info.
+
### Create a shortcut for the test link
You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
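Review bot: Step 3 makes lockdown something you lose by omission: a link built without `enforceLockdown` launches in permissive mode, with nothing in the link to signal that to whoever created or reviews it. Say so explicitly here, for example "If `enforceLockdown` is omitted, the test is not locked down", and tell admins to check that links for secure assessments include the parameter before distributing them. The note directly above still refers to the legacy `ms-edu-secureassessment:!enforcelockdown` form; state whether leaving it off a legacy link also results in permissive mode.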
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index b21ff39bef..6b07a96b6c 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -108,6 +108,10 @@ One of the ways you can present content in a locked down manner is by embedding
> [!NOTE]
> The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:!enforcelockdown` is still supported, but not in combination with the new parameters.
+3. To enable permissive mode, do not include `enforceLockdown` in the schema parameters.
+
+ See [Permissive mode](take-a-test-app-technical.md#permissive-mode) and [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info.
+
### Create a shortcut for the test link
You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps:
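Review bot: This step 3 and its "See ..." line are a verbatim copy of what the same patch adds to take-a-test-multiple-pcs.md, so the two copies can drift apart. Consider keeping the explanation of what omitting `enforceLockdown` does in the Permissive mode section of take-a-test-app-technical.md and leaving only a one-line pointer in each of these files.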
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 4873c007c6..2434ed8e9b 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -89,14 +89,14 @@ Students will receive an email with a link that will install the app on their PC

-1. Click **Get the app** to start the app install in Windows Store app.
-2. In Windows Store app, click **Install**.
+1. Click **Get the app** to start the app install in Microsoft Store app.
+2. In Microsoft Store app, click **Install**.
- 
+ 
- After installing the app, students can find Minecraft: Education Edition in Windows Store app under **My Library**.
+ After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**.
- 
+ 
When students click **My Library** they'll find apps assigned to them.
@@ -113,17 +113,17 @@ Download for others allows teachers or IT admins to download a packages that the
- Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition.
#### Check for updates
-Minecraft: Education Edition will not install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Windows Store apps.
+Minecraft: Education Edition will not install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps.
**To check for app updates**
-1. Start Windows Store app on the PC (click **Start**, and type **Store**).
+1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
2. Click the account button, and then click **Downloads and updates**.
- 
+ 
3. Click **Check for updates**, and install all available updates.
- 
+ 
4. Restart the computer before installing Minecraft: Education Edition.
@@ -132,7 +132,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
- 
+ 
2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md
index 087af433c9..19b144df93 100644
--- a/education/windows/test-windows10s-for-edu.md
+++ b/education/windows/test-windows10s-for-edu.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
-ms.date: 08/30/2017
+ms.date: 10/17/2017
---
# Test Windows 10 S on existing Windows 10 education devices
@@ -21,11 +21,11 @@ The Windows 10 S self-installer will allow you to test Windows 10 S on a variety
Windows 10 S is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education[2](#footnote2).
-Windows 10 S is different from other editions of Windows 10 as everything that runs on the device is verfied by Microsoft for security and performance. Therefore, Windows 10 S works exclusively with apps from the Windows Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps cannot be changed. When you install Windows 10 S, your existing applications and settings will be deleted and you will only be able to install apps from the Windows Store.
+Windows 10 S is different from other editions of Windows 10 as everything that runs on the device is verfied by Microsoft for security and performance. Therefore, Windows 10 S works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps cannot be changed. When you install Windows 10 S, your existing applications and settings will be deleted and you will only be able to install apps from the Microsoft Store.
**Configuring Windows 10 S for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
-**Installing Office 365 for Windows 10 S (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Windows Store.
+**Installing Office 365 for Windows 10 S (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Microsoft Store.
As we finalize development of Office 365 for Windows 10 S (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they are installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 S](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f).
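Review bot: The rewritten paragraph still carries the typo "verfied" ("everything that runs on the device is verfied by Microsoft"); change it to "verified" while the line is being touched. The unchanged line at the end of the hunk is also missing a space in "installed.To learn more".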
@@ -33,7 +33,7 @@ As we finalize development of Office 365 for Windows 10 S (Education preview), t
### Important information
-Before you install Windows 10 S, be aware that non-Windows Store apps will not work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 S:
+Before you install Windows 10 S, be aware that non-Microsoft Store apps will not work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 S:
* Is intended for education customers to test compatibility with existing hardware
* May not work with some device drivers, which may not yet be ready for Windows 10 S and may cause some loss in functionality
* May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function
@@ -161,6 +161,27 @@ If going back is not available:
* Check if you can restore your PC to factory settings. This will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**.
* If you have a product key for your previous version of Windows, use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install.
+After going back to your previous edition of Windows 10, you may receive the following message when launching Win32 apps:
+
+> For security and performance, this mode of Windows only runs verified apps from the Store.
+
+If you see this message, follow these steps to stop receiving the message:
+
+1. If you have BitLocker enabled, disable it first in the Control Panel. Go to **Manage BitLocker** and select **Turn off BitLocker**.
+2. Open Windows **Settings** and go to **Update & security > Recovery**.
+3. In the **Recovery** page, find **Advanced startup** and select **Restart now** to start your PC.
+4. After restarting, in the **Choose an option** page, select **Troubleshoot**.
+5. In the **Troubleshoot** page, select **Advanced options**, and in the **Advanced options** page select **UEFI Firmware Settings**.
+6. In the **UEFI Firmware Settings** page, select **Restart** to get to the device-specific UEFI/BIOS menu.
+7. Once you've accessed UEFI, look for the menu item labeled **Security** or **Security Settings** and navigate to it.
+8. Look for an option called **Secure boot configuration**, **Secure boot**, or **UEFI Boot**. If you can't find one of these options, check the **Boot** menu.
+9. Disable the secure boot/UEFI boot option.
+10. Save your settings and then exit UEFI. This will restart your PC.
+11. After Windows is done booting up, confirm that you no longer see the message.
+
+ > [!NOTE]
+ > We recommend following these steps again to re-enable the **Secure boot configuration**, **Secure boot**, or **UEFI Boot** option, which you disabled in step 9, and then subsequently re-enable BitLocker (if you previously had this enabled).
+
### Use installation media to reinstall Windows 10
> [!WARNING]
@@ -179,7 +200,7 @@ To use an installation media to reinstall Windows 10, follow these steps.
If you're not seeing the setup screen, your PC might not be set up to boot from a drive. Check your PC manufacturer's website for information on how to change your PC's boot order, and then try again.
8. Select **Install now**.
-9. On the **Enter the product key to active Windows** page, enter a product key if you have one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Windows Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/en-us/help/12440/windows-10-activation).
+9. On the **Enter the product key to active Windows** page, enter a product key if you have one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Microsoft Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/en-us/help/12440/windows-10-activation).
10. On the **License terms** page, select **I accept the license terms** if you agree, and then select **Next**.
11. On the **Which type of installation do you want?** page, select **Custom**.
12. On the **where do you want to install Windows?** page, select a partition, select a formatting option (if necessary), and then follow the instructions.
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 72ee15e1ab..8bb431d617 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -42,9 +42,7 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm
You can watch the video to see how to use the Set up School PCs app, or follow the step-by-step guide.
-
+
You can watch the descriptive audio version here: [Microsoft Education: Use the Set up School PCs app (DA)](https://www.youtube.com/watch?v=qqe_T2LkGsI)
## Tips for success
@@ -102,6 +100,9 @@ You can watch the descriptive audio version here: [Microsoft Education: Use the
## Prerequisites
- [Download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40).
+
+ The app supports these languages: Chinese (Simplified), Chinese (Traditional), Danish, Dutch, English (United Kingdom), English (United States), French, German, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Russian, Spanish (Spain), Spanish (Mexico), Swedish, and Turkish.
+
- Install the app on your work PC and make sure you're connected to your school's network.
- You must have Office 365 and Azure Active Directory.
- You must have the Microsoft Store for Education configured.
diff --git a/education/windows/windows-automatic-redeployment.md b/education/windows/windows-automatic-redeployment.md
new file mode 100644
index 0000000000..cbd112c228
--- /dev/null
+++ b/education/windows/windows-automatic-redeployment.md
@@ -0,0 +1,89 @@
+---
+title: Reset devices with Windows Automatic Redeployment
+description: Gives an overview of Windows Automatic Redeployment and how you can enable and use it in your schools.
+keywords: Windows Automatic Redeployment, Windows 10, education
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: edu
+ms.localizationpriority: high
+author: CelesteDG
+ms.author: celested
+ms.date: 10/17/2017
+---
+
+# Reset devices with Windows Automatic Redeployment
+**Applies to:**
+
+- Windows 10, version 1709
+
+IT admins or technical teachers can use Windows Automatic Redeployment to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Windows Automatic Redeployment, devices are returned to a fully configured or known IT-approved state.
+
+To enable Windows Automatic Redeployment in Windows 10, version 1709 (Fall Creators Update), you must:
+
+1. [Enable the policy for the feature](#enable-windows-automatic-redeployment)
+2. [Trigger a reset for each device](#trigger-windows-automatic-redeployment)
+
+## Enable Windows Automatic Redeployment
+**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Windows Automatic Redeployment. It is a policy node in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (True). This ensures that Windows Automatic Redeployment isn't triggered by accident.
+
+You can set the policy using one of these methods:
+
+- MDM provider
+
+ - Windows Automatic Redeployment in Intune for Education is coming soon. In a future update of Intune for Education, new tenants will automatically have the Windows Automatic Redeployment setting enabled by default on the **All devices** group as part of initial tenant configuration. You will also be able to manage this setting to target different groups in the admin console.
+ - If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
+
+ For example, in Intune, create a new configuration policy and add an OMA-URI.
+ - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials
+ - Data type: Boolean
+ - Value: 1
+
+- Windows Configuration Designer
+
+ You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package.
+
+- Set up School PCs app
+
+ Windows Automatic Redeployment in the Set up School PCs app is coming soon. We'll update the documentation once the feature is available on the app. In the meantime, you'll want to make sure you are running Windows 10, version 1709 on the student PCs if you want to use Windows Automatic Redeployment through the Set up School PCs app. You can check the version several ways:
+ - Reach out to your device manufacturer.
+ - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version.
+ - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709.
+
+## Trigger Windows Automatic Redeployment
+Windows Automatic Redeployment is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use.
+
+**To trigger Windows Automatic Redeployment**
+
+1. From the Windows device lock screen, enter the keystroke: **CTRL +  + R**.
+
+ 
+
+ This will open up a custom login screen for Windows Automatic Redeployment. The screen serves two purposes:
+ 1. Confirm/verify that the end user has the right to trigger Windows Automatic Redeployment
+ 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process.
+
+ 
+
+2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Windows Automatic Redeployment.
+
+ Once Windows Automatic Redeployment is triggered, the reset process starts.
+
+ After reset, the device:
+ - Sets the region, language, and keyboard.
+ - Connects to Wi-Fi.
+ - If you provided a provisioning package when Windows Automatic Redeployment is triggered, the system will apply this new provisioning package. Otherwise, the system will re-apply the original provisioning package on the device.
+ - Is returned to a known good managed state, connected to Azure AD and MDM.
+
+ 
+
+ Once provisioning is complete, the device is again ready for use.
+
+## Related topics
+
+[Set up Windows devices for education](set-up-windows-10.md)
+
+
+
+
+
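Review bot: The Intune example under "Enable Windows Automatic Redeployment" sets "Value: 1", which is the value the paragraph above gives as the default ("By default, this policy is set to 1 (True). This ensures that Windows Automatic Redeployment isn't triggered by accident"), so following the example as written would leave the feature disabled. State which value enables the feature, use it in the example, and give the same value for the Windows Configuration Designer setting. Because the reset is started from the lock screen, step 2 should also say which account counts as "the admin account". Step 2 tells the reader to plug in the USB drive "and trigger Windows Automatic Redeployment" after signing in, which conflicts with the "trigger it and then authenticate" order stated at the top of the section. The file also ends with several empty added lines that can be dropped.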
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index 1b6b32c8a9..e659291d49 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -25,7 +25,7 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o
## Windows 10 Pro Education
-Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
+Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
For Cortana[1](#footnote1),
- If you're using version 1607, Cortana is removed.
@@ -44,7 +44,7 @@ Customers who deploy Windows 10 Pro are able to configure the product to have si
## Windows 10 Education
-Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
+Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
For Cortana1,
- If you're using version 1607, Cortana1 is removed.
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 60c537b382..56b9a46258 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -18,14 +18,14 @@ author: CelesteDG
**Applies to:**
-- Office 365 Business Premium, Azure AD Premium, Intune, Windows Store for Business, Windows 10
+- Office 365 Business Premium, Azure AD Premium, Intune, Microsoft Store for Business, Windows 10
Are you ready to move your business to the cloud or wondering what it takes to make this happen with Microsoft cloud services and tools?
-In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Office 365 Business Premium, Microsoft Azure AD, Intune, Windows Store for Business, and Windows 10. We'll show you the basics on how to:
+In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Office 365 Business Premium, Microsoft Azure AD, Intune, Microsoft Store for Business, and Windows 10. We'll show you the basics on how to:
- Acquire an Office 365 business domain
- Add Microsoft Intune and Azure Active Directory (AD) Premium licenses to your business tenant
-- Set up Windows Store for Business and manage app deployment and sync with Intune
+- Set up Microsoft Store for Business and manage app deployment and sync with Intune
- Add users and groups in Azure AD and Intune
- Create policies and app deployment rules
- Log in as a user and start using your Windows device
@@ -165,7 +165,7 @@ Microsoft Intune provides mobile device management, app management, and PC manag

-Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Windows Store for Business for app distribution](#17-configure-windows-store-for-business-for-app-distribution).
+Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-windows-store-for-business-for-app-distribution).
### 1.4 Add Azure AD to your domain
Microsoft Azure is an open and flexible cloud platform that enables you to quickly build, deploy, and manage apps across a global network of Microsoft-managed datacenters. In this walkthrough, we won't be using the full power of Azure and we'll primarily use it to create groups that we then use for provisioning through Intune.
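Review bot: In the changed sentence the link text now reads "Configure Microsoft Store for Business for app distribution", but the fragment is still `#17-configure-windows-store-for-business-for-app-distribution`. If the section 1.7 heading is renamed in this same patch, its generated anchor changes and this in-page link stops resolving. Either update the fragment to match the renamed heading or confirm the heading keeps an explicit anchor with the old id.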
@@ -287,10 +287,10 @@ You can read Microsoft Intune management portal and Windows Store for Business.
+In this part of the walkthrough, we'll be working on the Microsoft Intune management portal and Microsoft Store for Business.
**To associate your Store account with Intune and configure synchronization**
@@ -301,33 +301,33 @@ In this part of the walkthrough, we'll be working on the Windows Store for Business using the same tenant account that you used to sign into Intune.
+3. Sign into Microsoft Store for Business using the same tenant account that you used to sign into Intune.
4. Accept the EULA.
5. In the Store portal, select **Settings > Management tools** to go to the management tools page.
-6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Windows Store for Business.
+6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Microsoft Store for Business.
**Figure 25** - Activate Intune as the Store management tool

7. Go back to the Intune management portal, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**.
-8. In the **Windows Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune.
+8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune.
**Figure 26** - Configure Store for Business sync in Intune

-9. In the **Configure Windows Store for Business app sync** dialog box, check **Enable Windows Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**.
+9. In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**.
- **Figure 27** - Enable Windows Store for Business sync in Intune
+ **Figure 27** - Enable Microsoft Store for Business sync in Intune

- The **Windows Store for Business** page will refresh and it will show the details from the sync.
+ The **Microsoft Store for Business** page will refresh and it will show the details from the sync.
**To buy apps from the Store**
-In your Windows Store for Business portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
+In your Microsoft Store for Business portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
- Sway
- OneNote
- PowerPoint Mobile
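Review bot: Steps 8 and 9 and the Figure 27 caption rename bolded UI strings (the **Microsoft Store for Business** page, the **Configure Microsoft Store for Business app sync** dialog, the **Enable Microsoft Store for Business sync** checkbox), not just product mentions in prose. Please confirm the Intune console and the referenced screenshots actually show these labels. If the portal still displays the old names, an admin following the steps will not find the controls, and step 7 in the same list still tells them to choose **Store for Business**, so the labels should be checked as a set.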
@@ -336,11 +336,11 @@ In your Intune management portal, select **Apps > Apps > Volume-Purchased Apps** and verify that you can see the same list of apps appear on Intune.
-In the following example, we'll show you how to buy apps through the Windows Store for Business and then make sure the apps appear on Intune.
+In the following example, we'll show you how to buy apps through the Microsoft Store for Business and then make sure the apps appear on Intune.
**Example 1 - Add other apps like Reader and InstaNote**
-1. In the Windows Store for Business portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
+1. In the Microsoft Store for Business portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
**Figure 28** - Shop for Store apps
@@ -364,7 +364,7 @@ In the following example, we'll show you how to buy apps through the Windows Sto
If you need to sync your most recently purchased apps and have it appear in your catalog, you can do this by forcing a sync.
1. In the Intune management portal, select **Admin > Mobile Device Management > Windows > Store for Business**.
-2. In the **Windows Store for Business** page, click **Sync now** to force a sync.
+2. In the **Microsoft Store for Business** page, click **Sync now** to force a sync.
**Figure 30** - Force a sync in Intune
@@ -569,7 +569,7 @@ To learn more about the services and tools mentioned in this walkthrough, and le
- Common admin tasks in Office 365 including email and OneDrive in Manage Office 365
- More info about managing devices, apps, data, troubleshooting, and more in Intune documentation
- Learn more about Windows 10 in Windows 10 guide for IT pros
-- Info about distributing apps to your employees, managing apps, managing settings, and more in Windows Store for Business
+- Info about distributing apps to your employees, managing apps, managing settings, and more in Microsoft Store for Business
### For information workers
Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
index 0b9807c98b..ed89a40966 100644
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
@@ -1,34 +1,35 @@
# [Microsoft Store for Business](index.md)
-## [Sign up and get started](sign-up-windows-store-for-business-overview.md)
-###[Microsoft Store for Business and Microsoft Store for Education overview](windows-store-for-business-overview.md)
-### [Prerequisites for Microsoft Store for Business and Education](prerequisites-windows-store-for-business.md)
-### [Sign up for Microsoft Store for Business or Microsoft Store for Education](sign-up-windows-store-for-business.md)
-### [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md)
-### [Settings reference: Microsoft Store for Business and Education](settings-reference-windows-store-for-business.md)
+## [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
+## [Sign up and get started](sign-up-microsoft-store-for-business-overview.md)
+###[Microsoft Store for Business and Microsoft Store for Education overview](microsoft-store-for-business-overview.md)
+### [Prerequisites for Microsoft Store for Business and Education](prerequisites-microsoft-store-for-business.md)
+### [Sign up for Microsoft Store for Business or Microsoft Store for Education](sign-up-microsoft-store-for-business.md)
+### [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md)
+### [Settings reference: Microsoft Store for Business and Education](settings-reference-microsoft-store-for-business.md)
## [Find and acquire apps](find-and-acquire-apps-overview.md)
-### [Apps in the Microsoft Store for Business and Education](apps-in-windows-store-for-business.md)
-### [Acquire apps in the Microsoft Store for Business and Education](acquire-apps-windows-store-for-business.md)
+### [Apps in the Microsoft Store for Business and Education](apps-in-microsoft-store-for-business.md)
+### [Acquire apps in the Microsoft Store for Business and Education](acquire-apps-microsoft-store-for-business.md)
### [Working with line-of-business apps](working-with-line-of-business-apps.md)
-## [Distribute apps to your employees from the Microsoft Store for Business and Education](distribute-apps-to-your-employees-windows-store-for-business.md)
+## [Distribute apps to your employees from the Microsoft Store for Business and Education](distribute-apps-to-your-employees-microsoft-store-for-business.md)
### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
### [Assign apps to employees](assign-apps-to-employees.md)
### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
### [Distribute offline apps](distribute-offline-apps.md)
-## [Manage apps and devices](manage-apps-windows-store-for-business-overview.md)
-### [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-windows-store-for-business.md)
-### [Manage app orders in Microsoft Store for Business and Education](manage-orders-windows-store-for-business.md)
+## [Manage apps and devices](manage-apps-microsoft-store-for-business-overview.md)
+### [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-microsoft-store-for-business.md)
+### [Manage app orders in Microsoft Store for Business and Education](manage-orders-microsoft-store-for-business.md)
### [Manage access to private store](manage-access-to-private-store.md)
### [Manage private store settings](manage-private-store-settings.md)
-### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
+### [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md)
### [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md)
### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md)
## [Device Guard signing portal](device-guard-signing-portal.md)
### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
-## [Manage settings in the Microsoft Store for Business and Education](manage-settings-windows-store-for-business.md)
-### [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-windows-store-for-business-account-settings.md)
-### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md)
-## [Troubleshoot Microsoft Store for Business](troubleshoot-windows-store-for-business.md)
+## [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md)
+### [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-microsoft-store-for-business-account-settings.md)
+### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md)
+## [Troubleshoot Microsoft Store for Business](troubleshoot-microsoft-store-for-business.md)
## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md)
## [Change history for Microsoft Store for Business and Education](sfb-change-history.md)
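Review bot: Two existing defects are carried into the new `+` lines and can be fixed while these entries are being touched: `###[Microsoft Store for Business and Microsoft Store for Education overview]` is missing the space after `###`, and "App inventory managemement" is misspelled. Separately, every renamed target (`*-windows-store-for-business.md` to `*-microsoft-store-for-business.md`) changes a published URL, so the patch should come with redirects for the old file names. None are visible in this hunk.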
diff --git a/store-for-business/acquire-apps-windows-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
similarity index 88%
rename from store-for-business/acquire-apps-windows-store-for-business.md
rename to store-for-business/acquire-apps-microsoft-store-for-business.md
index 42ad5a517d..b750ec2e50 100644
--- a/store-for-business/acquire-apps-windows-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -11,12 +11,12 @@ ms.localizationpriority: high
---
# Acquire apps in Microsoft Store for Business and Education
-As an admin, you can acquire apps from the Microsoft Store for Business and Education for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Microsoft Store for Business](apps-in-windows-store-for-business.md).
+As an admin, you can acquire apps from the Microsoft Store for Business and Education for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md).
## App licensing model
-The Microsoft Store supports two options to license apps: online and offline. **Online** licensing is the default licensing model. Online licensed apps require users and devices to connect to the Microsoft Store services to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Admins control whether or not offline apps are available in Microsoft Store with an offline app visibility setting. For more information, see [offline license visibility](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#offline-licensing).
+The Microsoft Store supports two options to license apps: online and offline. **Online** licensing is the default licensing model. Online licensed apps require users and devices to connect to the Microsoft Store services to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Admins control whether or not offline apps are available in Microsoft Store with an offline app visibility setting. For more information, see [offline license visibility](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#offline-licensing).
-For more information on the Microsoft Store licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).
+For more information on the Microsoft Store licensing model, see [licensing model](https://docs.microsoft.com/microsoft-store/apps-in-microsoft-store-for-business#licensing-model).
## Payment options
Some apps are free, and some have a price. Apps can be purchased in the Microsoft Store using your credit card. You can enter your credit card information on **Account Information**, or when you purchase an app. Currently, we accept these credit cards:
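Review bot: The first changed line links to the sibling topic with a relative path (`apps-in-microsoft-store-for-business.md`), but the two licensing links below it point at the same doc set with absolute `https://docs.microsoft.com/microsoft-store/...` URLs. Using relative links (`update-microsoft-store-for-business-account-settings.md#offline-licensing`, `apps-in-microsoft-store-for-business.md#licensing-model`) would let the build validate them and keep them working if the site path changes. Also note that the same offline-licensing link in apps-in-microsoft-store-for-business.md is written with an `/en-us/` locale segment, so the two copies are inconsistent.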
@@ -41,14 +41,14 @@ There are a couple of things we need to know when you pay for apps. You can add
6. If you don’t have a payment method saved in **Billing - Payment methods**, we will prompt you for one.
7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Billing - Payment methods**.
-You’ll also need to have your business address saved on ****Billing - Account profile***. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information).
+You’ll also need to have your business address saved on ****Billing - Account profile***. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#organization-tax-information).
Microsoft Store adds the app to your inventory. From **Inventory** or **Apps & software**, you can:
- Distribute the app: add to private store, or assign licenses
- View app licenses: review current licenses, reclaim and reassign licenses
- View app details: review the app details page and purchase more licenses
-For info on distributing apps, see [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md).
+For info on distributing apps, see [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md).
For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
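Review bot: The rewritten "You'll also need to have your business address saved on" line keeps the unbalanced emphasis markers `****Billing - Account profile***` (four asterisks opening, three closing), which will not render as bold. Since the line is being replaced anyway, change it to `**Billing - Account profile**` to match the `**Billing - Payment methods**` formatting in steps 6 and 7.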
@@ -58,4 +58,4 @@ People in your org can request additional licenses for apps that are in your org
**To manage Allow app requests**
1. Sign in to http://businessstore.microsoft.com
2. Click **Manage**, click **Settings**, and then click **Distribute**.
-3. Under **Private store** turn on, or turn off **Allow app requests**.
+3. Under **Private store** turn on, or turn off **Allow app requests**.
\ No newline at end of file
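Review bot: Step 1 in the context still sends admins to `http://businessstore.microsoft.com` for sign-in, while the app inventory topic in this same patch uses `https://businessstore.microsoft.com`. A sign-in URL should be given as https, so please fix it in this pass. The only changed line here (step 3) looks like a whitespace-only edit, and the file still ends without a trailing newline.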
diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
index c3c6701559..1deaf59617 100644
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@@ -26,7 +26,7 @@ When you want to add an unsigned app to a code integrity policy, you need to sta
- [Catalog signing with Device Guard signing portal](#catalog-signing-device-guard-portal)
## Create a code integrity policy based on a reference device
-To add an unsigned app to a code integrity policy, your code integrity policy must be created from golden image machine. For more information, see [Create a Device Guard code integrity policy based on a reference device](https://technet.microsoft.com/library/mt243445.aspx).
+To add an unsigned app to a code integrity policy, your code integrity policy must be created from golden image machine. For more information, see [Create a Device Guard code integrity policy based on a reference device](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
## Create catalog files for your unsigned app
Creating catalog files starts the process for adding an unsigned app to a code integrity policy.
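Review bot: The link text "Create a Device Guard code integrity policy based on a reference device" names a specific procedure, but the new target is the top of the Device Guard deployment guide, the same URL used for every other reference in this file. A reader looking for the reference-device procedure now lands on a general page. Please link to the specific article or section, or reword the link text to say it is the deployment guide. The sentence also reads "created from golden image machine", which is missing an article.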
@@ -40,7 +40,7 @@ Before you get started, be sure to review these best practices and requirements:
**Best practices**
-- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Configuration Manager in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx).
+- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Configuration Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-ci-policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted.
Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app.
@@ -77,7 +77,7 @@ After you're done, the files are saved to your desktop. You still need to sign t
## Catalog signing with Device Guard signing portal
-To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business. For more information, see [Sign up for the Microsoft Store for Business](sign-up-windows-store-for-business.md).
+To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business. For more information, see [Sign up for the Microsoft Store for Business](sign-up-microsoft-store-for-business.md).
Catalog signing is a vital step to adding your unsigned apps to your code integrity policy.
@@ -92,16 +92,7 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr
- default policy
- root certificate for your organization
- When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx).
+ When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store.
-7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with System Center Configuration Manager in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx).
-
-
-
-
-
-
-
-
-
+7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with System Center Configuration Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
\ No newline at end of file
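Review bot: The paragraph about merging the downloaded default policy and step 7 on deploying signed catalogs both refer to named sections ("Merging code integrity policies", "Deploy catalog files with Group Policy") but link only to the guide's top-level URL with no fragment. Merging the default policy is the step that makes the signed catalogs trusted, so a reader who cannot find that section ends up with catalogs that will not run. Please add section anchors or link the specific pages. Removing the trailing blank lines is fine, but the file now ends without a newline, and adding one avoids the "No newline at end of file" marker on the next edit.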
diff --git a/store-for-business/app-inventory-management-windows-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md
similarity index 92%
rename from store-for-business/app-inventory-management-windows-store-for-business.md
rename to store-for-business/app-inventory-management-microsoft-store-for-business.md
index 9eebbb170e..87e45c504e 100644
--- a/store-for-business/app-inventory-management-windows-store-for-business.md
+++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md
@@ -47,14 +47,14 @@ There are a couple of ways to find specific apps, or groups of apps in your inve
**Search** - Use the Search box to search for an app.
**Refine results** - Use **Refine results** to scope your list of apps by one or more of these app attributes:
-- **License type** - Online or offline licenses. For more info, see [Apps in Microsoft Store for Business](apps-in-windows-store-for-business.md#licensing-model).
+- **License type** - Online or offline licenses. For more info, see [Apps in Microsoft Store for Business](apps-in-microsoft-store-for-business.md#licensing-model).
- **Supported devices** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory.
- **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps.
- **Product type** - Product categories, such as app, or game.
- **Private store** - Whether or not the app is in the private store, or status if the app is being added or removed from private store.
## Manage apps in your inventory
-Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Microsoft Store for Business](apps-in-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table.
+Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table.
| Action | Online-licensed app | Offline-licensed app |
| ------ | ------------------- | -------------------- |
@@ -79,7 +79,7 @@ Once an app is in your private store, people in your org can install the app on
**To make an app in Apps & software available in your private store**
-1. Sign in to the [Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com).
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Apps & software**.
3. Use **Refine results** to search for online-licensed apps under **License type**.
4. From the list of online-licensed apps, click the ellipses for the app you want, and then choose **Add to private store**.
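Review bot: In step 1 both links, "Microsoft Store for Business" and "Microsoft Store for Education", point to the same URL, `https://businessstore.microsoft.com`. Since the link text is being corrected here, please confirm whether the Education link is meant to go to a separate sign-in page. If both products really share one portal, a single link would be clearer than two identical ones.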
@@ -89,7 +89,7 @@ Employees can claim apps that admins added to the private store by doing the fol
**To claim an app from the private store**
-1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
+1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Microsoft Store app.
2. Click the private store tab.
3. Click the app you want to install, and then click **Install**.
@@ -112,7 +112,7 @@ The app will still be in your inventory, but your employees will not have access
3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
-Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
+Employees will receive an email with a link that will install the app on their device. Click the link to start the Microsoft Store app, and then click **Install**. Also, in the Microsoft Store app, they can find the app under **My Library**.
## Manage app licenses
@@ -165,7 +165,7 @@ You can download offline-licensed apps from your inventory. You'll need to downl
- App license
- App framework
-For more information about online and offline licenses, see [Apps in the Microsoft Store for Business](apps-in-windows-store-for-business.md#licensing-model).
+For more information about online and offline licenses, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md#licensing-model).
For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
diff --git a/store-for-business/apps-in-windows-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md
similarity index 80%
rename from store-for-business/apps-in-windows-store-for-business.md
rename to store-for-business/apps-in-microsoft-store-for-business.md
index 116d6a33fa..2f92a85a03 100644
--- a/store-for-business/apps-in-windows-store-for-business.md
+++ b/store-for-business/apps-in-microsoft-store-for-business.md
@@ -40,7 +40,7 @@ Apps that you acquire from Microsoft Store only work on Windows 10-based device
Some apps are free, and some apps charge a price. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
-Some apps which are available to consumers in the Windows Store might not be available to organizations in Microsoft Store for Business and Education. App developers can opt-out their apps, and they also need to meet eligibility requirements for Microsoft Store for Business and Education. For more information, see [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
+Some apps which are available to consumers in Microsoft Store might not be available to organizations in Microsoft Store for Business and Education. App developers can opt-out their apps, and they also need to meet eligibility requirements for Microsoft Store for Business and Education. For more information, see [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
Line-of-business (LOB) apps are also supported using Microsoft Store. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to Microsoft Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app. For more information, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
@@ -55,7 +55,7 @@ If an employee makes an in-app purchase, they'll make it with their personal Mic
Microsoft Store supports two options to license apps: online and offline.
### Online licensing
-Online licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user’s Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
+Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user’s Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
Distribution options for online-licensed apps include the ability to:
@@ -64,11 +64,11 @@ Distribution options for online-licensed apps include the ability to:
- Distribute through a management tool.
### Offline licensing
-Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store. This model means organizations can deploy apps when users or devices do not have connectivity to Microsoft Store. Admins control whether or not offline apps are available in Microsoft Store with an offline app visibility setting. For more information, see [offline license visibility](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#offline-licensing).
+Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store. This model means organizations can deploy apps when users or devices do not have connectivity to Microsoft Store. Admins control whether or not offline apps are available in Microsoft Store with an offline app visibility setting. For more information, see [offline license visibility](https://docs.microsoft.com/en-us/microsoft-store/update-microsoft-store-for-business-account-settings#offline-licensing).
You have the following distribution options for offline-licensed apps:
- Include the app in a provisioning package, and then use it as part of imaging a device.
- Distribute the app through a management tool.
-For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md).
\ No newline at end of file
+For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md).
\ No newline at end of file
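Review bot: The new "offline license visibility" link in the Offline licensing paragraph hard-codes the `en-us` locale (`https://docs.microsoft.com/en-us/microsoft-store/update-microsoft-store-for-business-account-settings#offline-licensing`), while other docs.microsoft.com links updated in this patch, such as the Device Guard deployment guide link, carry no locale. Drop `/en-us`, or, since the TOC in this patch lists the target under `/microsoft-store/`, use a relative link like the other in-repo references. The final line of the file is rewritten here, so it could also gain a trailing newline to clear the "No newline at end of file" marker.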
diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md
index ff20b5bbab..c15aa18d1c 100644
--- a/store-for-business/assign-apps-to-employees.md
+++ b/store-for-business/assign-apps-to-employees.md
@@ -29,7 +29,7 @@ Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to empl
Click the app, and then click **Assign User**.
4. Type the email address for the person you're assigning the app to, and click **Assign**.
-Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
+Employees will receive an email with a link that will install the app on their device. Click the link to start Microsoft Store app, and then click **Install**. Also, in Microsoft Store app, they can find the app under **My Library**.
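Review bot: The rebranding dropped the article in the added line, leaving "Click the link to start Microsoft Store app" and "in Microsoft Store app". Suggest "start the Microsoft Store app" and "in the Microsoft Store app", so the sentence stays grammatical and matches how the removed line read.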
diff --git a/store-for-business/configure-mdm-provider-windows-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
similarity index 92%
rename from store-for-business/configure-mdm-provider-windows-store-for-business.md
rename to store-for-business/configure-mdm-provider-microsoft-store-for-business.md
index 1948662653..c98e43ad4e 100644
--- a/store-for-business/configure-mdm-provider-windows-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
@@ -35,7 +35,7 @@ After your management tool is added to your Azure AD directory, you can configur
3. From the list of MDM tools, select the one you want to synchronize with Microsoft Store, and then click **Activate.**
Your MDM tool is ready to use with Microsoft Store. To learn how to configure synchronization and deploy apps, see these topics:
-- [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](https://technet.microsoft.com/library/mt676514.aspx)
+- [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune-classic/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
- [Manage apps from Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
For third-party MDM providers or management servers, check your product documentation.
\ No newline at end of file
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index f2fdf4a8d4..201db11f02 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -20,7 +20,7 @@ ms.localizationpriority: high
Device Guard signing is a Device Guard feature that is available in Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
-Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx).
+Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
## In this section
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index 73c7ff9a4c..33bfaaae1f 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -18,7 +18,7 @@ ms.localizationpriority: high
- Windows 10
- Windows 10 Mobile
-The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
+The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Micrsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
You can make an app available in your private store when you acquire the app, or you can do it later from your inventory. Once the app is in your private store, employees can claim and install the app.
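Review bot: Typo in the added paragraph: "available as a tab in Micrsoft Store app" should read "Microsoft". The article was also dropped, so "as a tab in the Microsoft Store app" would read better.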
@@ -50,13 +50,13 @@ Employees can claim apps that admins added to the private store by doing the fol
**To claim an app from the private store**
-1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
+1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start Microsoft Store app.
2. Click the **private store** tab.
3. Click the app you want to install, and then click **Install**.
## Related topics
- [Manage access to private store](manage-access-to-private-store.md)
-- [Configure access to Windows Store](/windows/configuration/stop-employees-from-using-the-windows-store)
+- [Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store)
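Review bot: Step 1 now reads "start Microsoft Store app"; the article lost in the rename should be restored ("start the Microsoft Store app"). In Related topics, the link target changes to `/windows/configuration/stop-employees-from-using-microsoft-store`, but no rename of that topic appears in the visible part of this patch, so please confirm the target exists under the new name or the link will break.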
diff --git a/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
similarity index 100%
rename from store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md
rename to store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index 7c5ff2adbd..d85cf9eab4 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -22,29 +22,24 @@ You can configure a mobile device management (MDM) tool to synchronize your Micr
Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Microsoft Store.
-In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune).
+In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune).
Microsoft Store services provide:
- Services for third-party MDM tools.
-
- Synchronize app purchases and updates.
-
- Synchronize metadata. For offline-licensed apps, also synchronize offline app package and offline licenses.
-
- The ability to download offline-licensed apps from Store for Business.
MDM tool requirements:
- Must be an Azure Active Directory (AD) application to authenticate against the Store for Business services.
-
- Must be configured in Azure AD, and Microsoft Store.
-
- Azure AD identity is required to authorize Microsoft Store services.
## Distribute offline-licensed apps
-If your vendor doesn’t support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business.](apps-in-windows-store-for-business.md#licensing-model)
+If your vendor doesn’t support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/apps-in-microsoft-store-for-business#licensing-model).
This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices.
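Review bot: In "Distribute offline-licensed apps", the relative link `apps-in-windows-store-for-business.md#licensing-model` is replaced by an absolute, locale-pinned URL (`https://docs.microsoft.com/en-us/microsoft-store/apps-in-microsoft-store-for-business#licensing-model`). The other in-repo references in this file stay relative (`configure-mdm-provider-microsoft-store-for-business.md`), which lets the build validate them and keeps readers in their own locale. Suggest `apps-in-microsoft-store-for-business.md#licensing-model` instead.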
@@ -58,5 +53,5 @@ This diagram shows how you can use a management tool to distribute an online-lic
## Related topics
-[Configure MDM Provider](configure-mdm-provider-windows-store-for-business.md)
-[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft Intune](https://technet.microsoft.com/library/mt676514.aspx)
\ No newline at end of file
+[Configure MDM Provider](configure-mdm-provider-microsoft-store-for-business.md)
+[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft Intune](https://docs.microsoft.com/intune-classic/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
\ No newline at end of file
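Review bot: The Intune link under Related topics now points to `docs.microsoft.com/intune-classic/deploy-use/...`, while the same article is linked earlier in this file, in the paragraph about authorizing the MDM tool, as `docs.microsoft.com/intune/deploy-use/...`. Pick one target so both links in the topic resolve to the same page. The two Related topics entries also sit on consecutive lines with no list marker, so they will render as a single paragraph; a `-` prefix on each would fix that while the lines are being touched.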
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index 1d3c0b70b4..9b66333542 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -24,7 +24,7 @@ Offline licensing is a new licensing option for Windows 10 with Microsoft Store
Offline-licensed apps offer an alternative to online apps, and provide additional deployment options. Some reasons to use offline-licensed apps:
-- **You don't have access to Windows Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps.
+- **You don't have access to Microsoft Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps.
- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD).
@@ -36,7 +36,7 @@ You can't distribute offline-licensed apps directly from Microsoft Store. Once y
- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
-- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://technet.microsoft.com/itpro/windows/deploy/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
+- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages).
- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
- [Manage apps from Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md
index 52f7890448..4b919e4cfe 100644
--- a/store-for-business/education/TOC.md
+++ b/store-for-business/education/TOC.md
@@ -1,37 +1,37 @@
# [Microsoft Store for Education](/microsoft-store/index?toc=/microsoft-store/education/toc.json)
-
-## [Sign up and get started](/microsoft-store/sign-up-windows-store-for-business-overview?toc=/microsoft-store/education/toc.json)
+## [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education?toc=/microsoft-store/education/toc.json
+## [Sign up and get started](/microsoft-store/sign-up-microsoft-store-for-business-overview?toc=/microsoft-store/education/toc.json)
###[Microsoft Store for Business and Education overview](/microsoft-store/windows-store-for-business-overview?toc=/microsoft-store/education/toc.json)
-### [Prerequisites for Microsoft Store for Business and Education](/microsoft-store/prerequisites-windows-store-for-business?toc=/microsoft-store/education/toc.json)
-### [Sign up for Microsoft Store for Business or Microsoft Store for Education](/microsoft-store/sign-up-windows-store-for-business?toc=/microsoft-store/education/toc.json)
-### [Roles and permissions in the Microsoft Store for Business and Education](/microsoft-store/roles-and-permissions-windows-store-for-business?toc=/microsoft-store/education/toc.json)
-### [Settings reference: Microsoft Store for Business and Education](/microsoft-store/settings-reference-windows-store-for-business?toc=/microsoft-store/education/toc.json)
+### [Prerequisites for Microsoft Store for Business and Education](/microsoft-store/prerequisites-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
+### [Sign up for Microsoft Store for Business or Microsoft Store for Education](/microsoft-store/sign-up-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
+### [Roles and permissions in the Microsoft Store for Business and Education](/microsoft-store/roles-and-permissions-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
+### [Settings reference: Microsoft Store for Business and Education](/microsoft-store/settings-reference-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
## [Working with Microsoft Store for Education](/education/windows/education-scenarios-store-for-business?toc=/microsoft-store/education/toc.json)
## [Find and acquire apps](/microsoft-store/find-and-acquire-apps-overview?toc=/microsoft-store/education/toc.json)
-### [Apps in the Microsoft Store for Business and Education](/microsoft-store/apps-in-windows-store-for-business?toc=/microsoft-store/education/toc.json)
-### [Acquire apps in the Microsoft Store for Business and Education](/microsoft-store/acquire-apps-windows-store-for-business?toc=/microsoft-store/education/toc.json)
+### [Apps in the Microsoft Store for Business and Education](/microsoft-store/apps-in-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
+### [Acquire apps in the Microsoft Store for Business and Education](/microsoft-store/acquire-apps-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
### [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps?toc=/microsoft-store/education/toc.json)
## [Get Minecraft: Education Edition](/education/windows/get-minecraft-for-education?toc=/microsoft-store/education/toc.json)
### [For teachers: get Minecraft Education Edition](/education/windows/teacher-get-minecraft?toc=/microsoft-store/education/toc.json)
### [For IT administrators: get Minecraft Education Edition](/education/windows/school-get-minecraft?toc=/microsoft-store/education/toc.json)
### [Get Minecraft: Education Edition with Windows 10 device promotion](/education/windows/get-minecraft-for-education?toc=/microsoft-store/education/toc.json)
-## [Distribute apps to your employees from the Microsoft Store for Business and Education](/microsoft-store/distribute-apps-to-your-employees-windows-store-for-business?toc=/microsoft-store/education/toc.json)
+## [Distribute apps to your employees from the Microsoft Store for Business and Education](/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
### [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store?toc=/microsoft-store/education/toc.json)
### [Assign apps to employees](/microsoft-store/assign-apps-to-employees?toc=/microsoft-store/education/toc.json)
### [Distribute apps with a management tool](/microsoft-store/distribute-apps-with-management-tool?toc=/microsoft-store/education/toc.json)
### [Distribute offline apps](/microsoft-store/distribute-offline-apps?toc=/microsoft-store/education/toc.json)
-## [Manage apps](/microsoft-store/manage-apps-windows-store-for-business-overview?toc=/microsoft-store/education/toc.json)
-### [App inventory managemement for Microsoft Store for Business](/microsoft-store/app-inventory-management-windows-store-for-business?toc=/microsoft-store/education/toc.json)
-### [Manage app orders in Microsoft Store for Business and Education](/microsoft-store/manage-orders-windows-store-for-business?toc=/microsoft-store/education/toc.json)
+## [Manage apps](/microsoft-store/manage-apps-microsoft-store-for-business-overview?toc=/microsoft-store/education/toc.json)
+### [App inventory managemement for Microsoft Store for Business](/microsoft-store/app-inventory-management-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
+### [Manage app orders in Microsoft Store for Business and Education](/microsoft-store/manage-orders-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
### [Manage access to private store](/microsoft-store/manage-access-to-private-store?toc=/microsoft-store/education/toc.json)
### [Manage private store settings](/microsoft-store/manage-private-store-settings?toc=/microsoft-store/education/toc.json)
-### [Configure MDM provider](/microsoft-store/configure-mdm-provider-windows-store-for-business?toc=/microsoft-store/education/toc.json)
+### [Configure MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
## [Device Guard signing portal](/microsoft-store/device-guard-signing-portal?toc=/microsoft-store/education/toc.json)
### [Add unsigned app to code integrity policy](/microsoft-store/add-unsigned-app-to-code-integrity-policy?toc=/microsoft-store/education/toc.json)
### [Sign code integrity policy with Device Guard signing](/microsoft-store/sign-code-integrity-policy-with-device-guard-signing?toc=/microsoft-store/education/toc.json)
-## [Manage settings in the Microsoft Store for Business and Education](/microsoft-store/manage-settings-windows-store-for-business?toc=/microsoft-store/education/toc.json)
-### [Update Microsoft Store for Business and Microsoft Store for Education account settings](/microsoft-store/update-windows-store-for-business-account-settings?toc=/microsoft-store/education/toc.json)
-### [Manage user accounts in Microsoft Store for Business and Education](/microsoft-store/manage-users-and-groups-windows-store-for-business?toc=/microsoft-store/education/toc.json)
-## [Troubleshoot Microsoft Store for Business](/microsoft-store/troubleshoot-windows-store-for-business?toc=/microsoft-store/education/toc.json)
+## [Manage settings in the Microsoft Store for Business and Education](/microsoft-store/manage-settings-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
+### [Update Microsoft Store for Business and Microsoft Store for Education account settings](/microsoft-store/update-microsoft-store-for-business-account-settings?toc=/microsoft-store/education/toc.json)
+### [Manage user accounts in Microsoft Store for Business and Education](/microsoft-store/manage-users-and-groups-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
+## [Troubleshoot Microsoft Store for Business](/microsoft-store/troubleshoot-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
## [Notifications in Microsoft Store for Business and Education](/microsoft-store/notifications-microsoft-store-business?toc=/microsoft-store/education/toc.json)
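Review bot: The added "What's new in Microsoft Store for Business and Education" entry is missing its closing parenthesis (the line ends at `toc.json`), so the link will not render. Its target is also relative (`whats-new-microsoft-store-business-education?...`) while every other entry uses the `/microsoft-store/...` prefix. Separately, the overview entry on the next heading level still points to `/microsoft-store/windows-store-for-business-overview` and is written `###[` without a space; if that topic is renamed in this change it should be updated with the rest.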
diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md
index 2a4a9e8fba..4c4d889b3c 100644
--- a/store-for-business/find-and-acquire-apps-overview.md
+++ b/store-for-business/find-and-acquire-apps-overview.md
@@ -24,7 +24,7 @@ Use the Microsoft Store for Business and Education to find apps for your organiz
| Topic | Description |
| ----- | ----------- |
-| [Apps in the Microsoft Store for Business and Education](apps-in-windows-store-for-business.md) | Store for Business and Education has thousands of apps from many different categories. |
-| [Acquire apps in the Microsoft Store for Business and Education](acquire-apps-windows-store-for-business.md) | You can acquire apps from the Microsoft Store for Business and Education for your employees. |
+| [Apps in the Microsoft Store for Business and Education](apps-in-microsoft-store-for-business.md) | Store for Business and Education has thousands of apps from many different categories. |
+| [Acquire apps in the Microsoft Store for Business and Education](acquire-apps-microsoft-store-for-business.md) | You can acquire apps from the Microsoft Store for Business and Education for your employees. |
| [Working with line-of-business apps](working-with-line-of-business-apps.md) | Your company can make line-of-business (LOB) applications available through Microsoft Store for Business and Education. These apps are custom to your company – they might be internal business apps, or apps specific to your business or industry. |
diff --git a/store-for-business/images/msfb-wn-1709-app-request.png b/store-for-business/images/msfb-wn-1709-app-request.png
new file mode 100644
index 0000000000..e454aca9a9
Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-app-request.png differ
diff --git a/store-for-business/images/msfb-wn-1709-edge-ext.png b/store-for-business/images/msfb-wn-1709-edge-ext.png
new file mode 100644
index 0000000000..15170ecfc3
Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-edge-ext.png differ
diff --git a/store-for-business/images/msfb-wn-1709-my-org.png b/store-for-business/images/msfb-wn-1709-my-org.png
new file mode 100644
index 0000000000..ecb47b6e8a
Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-my-org.png differ
diff --git a/store-for-business/images/msfb-wn-1709-o365-csp.png b/store-for-business/images/msfb-wn-1709-o365-csp.png
new file mode 100644
index 0000000000..b51d32923a
Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-o365-csp.png differ
diff --git a/store-for-business/images/msfb-wn-1709-o365-prepaid.png b/store-for-business/images/msfb-wn-1709-o365-prepaid.png
new file mode 100644
index 0000000000..9bdb360a31
Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-o365-prepaid.png differ
diff --git a/store-for-business/images/msfb-wn-1709-search-result-sub-cat.png b/store-for-business/images/msfb-wn-1709-search-result-sub-cat.png
new file mode 100644
index 0000000000..de246824f5
Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-search-result-sub-cat.png differ
diff --git a/store-for-business/images/wsfb-wsappprivatestore.png b/store-for-business/images/wsfb-wsappprivatestore.png
index 9c29e7604c..48d9f79892 100644
Binary files a/store-for-business/images/wsfb-wsappprivatestore.png and b/store-for-business/images/wsfb-wsappprivatestore.png differ
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 47bb90b981..04c5853b52 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -24,9 +24,9 @@ Welcome to the Microsoft Store for Business and Education! You can use Microsoft
| Topic | Description |
| ----- | ----------- |
-| [Sign up and get started](sign-up-windows-store-for-business-overview.md) | IT admins can sign up for the Microsoft Store for Business and Education, and get started working with apps. |
+| [Sign up and get started](sign-up-microsoft-store-for-business-overview.md) | IT admins can sign up for the Microsoft Store for Business and Education, and get started working with apps. |
| [Find and acquire apps](find-and-acquire-apps-overview.md) | Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. |
-| [Manage apps](manage-apps-windows-store-for-business-overview.md) | Manage settings and access to apps in Microsoft Store for Business and Education. |
+| [Manage apps](manage-apps-microsoft-store-for-business-overview.md) | Manage settings and access to apps in Microsoft Store for Business and Education. |
| [Device Guard signing portal](device-guard-signing-portal.md) | Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files. |
-| [Manage settings in the Microsoft Store for Business and Education](manage-settings-windows-store-for-business.md) | You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant |
-| [Troubleshoot Microsoft Store for Business and Education](troubleshoot-windows-store-for-business.md) | Troubleshooting topics for Microsoft Store for Business and Education. |
\ No newline at end of file
+| [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md) | You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant |
+| [Troubleshoot Microsoft Store for Business and Education](troubleshoot-microsoft-store-for-business.md) | Troubleshooting topics for Microsoft Store for Business and Education. |
\ No newline at end of file
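Review bot: The rewritten "Manage settings in the Microsoft Store for Business and Education" row still ends its description at "Azure Active Directory (AD) tenant" with no closing period, unlike the other rows in this table. Since the line is already being touched for the link rename, add the period here. The file also still ends without a trailing newline on both the old and new side; ending it with a newline keeps later appends out of the diff for this row.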
diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md
index e6f9bc8157..d3d4331cc7 100644
--- a/store-for-business/manage-access-to-private-store.md
+++ b/store-for-business/manage-access-to-private-store.md
@@ -19,13 +19,13 @@ author: TrudyHa
You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
-You can control the set of apps that are available to your employees and students, and not show the full set of applications that are in Windows Store. Using the private store with the Microsoft Store for Business and Education, admins can curate the set of apps that are available.
+You can control the set of apps that are available to your employees and students, and not show the full set of applications that are in Microsoft Store. Using the private store with the Microsoft Store for Business and Education, admins can curate the set of apps that are available.
-The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Your private store looks something like this:
+The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Your private store looks something like this:
-
+
-Organizations can use either an MDM policy, or Group Policy to show only their private store in Windows Store.
+Organizations can use either an MDM policy, or Group Policy to show only their private store in Microsoft Store.
## Show private store only using MDM policy
@@ -41,36 +41,27 @@ For more information on configuring an MDM provider, see [Configure an MDM provi
## Show private store only using Group Policy
-If you're using Microsoft Store and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
+If you're using Microsoft Store and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
-**Only display the private store within Windows Store app** group policy is supported on the following Windows 10 editions:
+**Only display the private store within Microsoft Store app** group policy is supported on the following Windows 10 editions:
- Enterprise
- Education
-**To show private store only in Windows Store app**
+**To show private store only in Microsoft Store app**
1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**.
-3. Right-click **Only display the private store within Windows Store app** in the right pane, and click **Edit**.
+3. Right-click **Only display the private store within Microsoft Store app** in the right pane, and click **Edit**.
- This opens the **Only display the private store within the Windows Store app** policy settings.
+ This opens the **Only display the private store within the Microsoft Store app** policy settings.
-4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**.
+4. On the **Only display the private store within the Microsoft Store app** setting page, click **Enabled**, and then click **OK**.
-You can also prevent employees from using Windows Store. For more information, see [Configure access to Windows Store](/windows/configuration/stop-employees-from-using-the-windows-store).
+You can also prevent employees from using Microsoft Store. For more information, see [Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store).
## Related topics
[Distribute apps using your private store](distribute-apps-from-your-private-store.md)
-[Configure access to Windows Store](/windows/configuration/stop-employees-from-using-the-windows-store)
-
-
-
-
-
-
-
-
-
+[Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store)
\ No newline at end of file
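Review bot: The policy name is spelled two ways in the renamed procedure, carried over from the old text: "Only display the private store within Microsoft Store app" in the supported-editions sentence, the procedure title and step 3, but "Only display the private store within the Microsoft Store app" in the sentence under step 3 and in step 4. Admins match this bolded string against what Group Policy Editor displays, so use one spelling throughout and confirm it is the label the setting actually shows on the Enterprise and Education editions listed; if some builds still display the old "Windows Store" wording, the step should say so. The link target /windows/configuration/stop-employees-from-using-microsoft-store is introduced twice in this hunk, so check that the target page is renamed in the same change. The file also still ends without a trailing newline.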
diff --git a/store-for-business/manage-apps-windows-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
similarity index 73%
rename from store-for-business/manage-apps-windows-store-for-business-overview.md
rename to store-for-business/manage-apps-microsoft-store-for-business-overview.md
index e5c6524871..35ecff646c 100644
--- a/store-for-business/manage-apps-windows-store-for-business-overview.md
+++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
@@ -24,7 +24,7 @@ Manage settings and access to apps in Microsoft Store for Business and Microsoft
| Topic | Description |
| ----- | ----------- |
| [Manage access to private store](manage-access-to-private-store.md) | You can manage access to your private store in Store for Business. |
-| [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-windows-store-for-business.md) | You can manage all apps that you've acquired on your **Apps & software** page. |
+| [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-microsoft-store-for-business.md) | You can manage all apps that you've acquired on your **Apps & software** page. |
| [Manage private store settings](manage-private-store-settings.md) | The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store. |
-| [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) | For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Microsoft Store management tool services work with your third-party management tool to manage content. |
+| [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) | For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Microsoft Store management tool services work with your third-party management tool to manage content. |
| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. |
\ No newline at end of file
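Review bot: The link text on the rewritten "App inventory managemement for Microsoft Store for Business and Education" row keeps the misspelling "managemement". The line is already changed for the file rename, so correct it to "management" in the same edit, and check whether the title of app-inventory-management-microsoft-store-for-business.md carries the same typo.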
diff --git a/store-for-business/manage-orders-windows-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md
similarity index 100%
rename from store-for-business/manage-orders-windows-store-for-business.md
rename to store-for-business/manage-orders-microsoft-store-for-business.md
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index af833aefb3..8ad01a972f 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -19,9 +19,9 @@ ms.localizationpriority: high
The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
-The name of your private store is shown on a tab in Windows Store app, or on [Microsoft Store for Business](https://businessstore.microsoft.com), or [Microsoft Store for Education](https://educationstore.microsoft.com).
+The name of your private store is shown on a tab in Microsoft Store app, or on [Microsoft Store for Business](https://businessstore.microsoft.com), or [Microsoft Store for Education](https://educationstore.microsoft.com).
-
+
You can change the name of your private store in Microsoft Store.
diff --git a/store-for-business/manage-settings-windows-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md
similarity index 58%
rename from store-for-business/manage-settings-windows-store-for-business.md
rename to store-for-business/manage-settings-microsoft-store-for-business.md
index e30487958f..adac54ffcc 100644
--- a/store-for-business/manage-settings-windows-store-for-business.md
+++ b/store-for-business/manage-settings-microsoft-store-for-business.md
@@ -23,7 +23,7 @@ You can add users and groups, as well as update some of the settings associated
| Topic | Description |
| ----- | ----------- |
-| [Update Microsoft Store for Business and Education account settings](update-windows-store-for-business-account-settings.md) | **Billing - Account profile** in Microsoft Store for Business shows information about your organization that you can update. Payment options can be managed on **Billing - Payment methods**, and offline license settings can be managed on **Settings - Shop**. |
-| [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups. |
+| [Update Microsoft Store for Business and Education account settings](update-microsoft-store-for-business-account-settings.md) | **Billing - Account profile** in Microsoft Store for Business shows information about your organization that you can update. Payment options can be managed on **Billing - Payment methods**, and offline license settings can be managed on **Settings - Shop**. |
+| [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. You can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md) and to groups.|
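Review bot: The "Manage user accounts" row changes more than the link target. Its description goes from "Currently, you can assign these roles to individuals in your organization, but not to groups" to "You can assign these roles to individuals in your organization and to groups." That is a statement about who can be granted Store roles, and the renamed manage-users-and-groups-microsoft-store-for-business.md later in this patch still says "but not to groups". Decide which statement is correct, make both pages agree, and consider moving the behavior change out of a rename commit so it gets its own review. The row also drops the space before the closing "|".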
diff --git a/store-for-business/manage-users-and-groups-windows-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
similarity index 93%
rename from store-for-business/manage-users-and-groups-windows-store-for-business.md
rename to store-for-business/manage-users-and-groups-microsoft-store-for-business.md
index eb0834b8b6..0a15cf0049 100644
--- a/store-for-business/manage-users-and-groups-windows-store-for-business.md
+++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
@@ -18,7 +18,7 @@ ms.localizationpriority: high
- Windows 10
- Windows 10 Mobile
-Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups.
+Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups.
## Why Azure AD accounts?
For organizations planning to use the private store feature with Store for Business, we recommend that you also configure cloud domain join. This provides a seamless integration between the identity your admin and employees will use to sign in to Windows and Microsoft Store for Business.
@@ -32,19 +32,10 @@ Azure AD is an Azure service that provides identity and access management capabi
For more information on Azure AD, see [About Office 365 and Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
## Add user accounts to your Azure AD directory
-If you created a new Azure AD directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. That global administrator can add user accounts to your Azure AD directory. However, adding user accounts to your Azure AD directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-windows-store-for-business.md)
+If you created a new Azure AD directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. That global administrator can add user accounts to your Azure AD directory. However, adding user accounts to your Azure AD directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-microsoft-store-for-business.md)
You can use the [Office 365 admin dashboard](https://go.microsoft.com/fwlink/p/?LinkId=708616) or [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=691086) to add user accounts to your Azure AD directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617).
For more information, see:
- [Add user accounts using Office 365 admin dashboard](https://go.microsoft.com/fwlink/p/?LinkId=708618)
-- [Add user accounts using Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708619)
-
-
-
-
-
-
-
-
-
+- [Add user accounts using Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708619)
\ No newline at end of file
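Review bot: Removing the trailing blank lines after the last list item also removed the file's final newline: the old side ended cleanly, while the new "Add user accounts using Azure management portal" line is followed by "\ No newline at end of file". Keep a single newline at the end. In the rewritten paragraph above it, the link text "[Roles and permissions in the Store for Business.]" still has the sentence period inside the brackets; move it outside the link while the line is being edited.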
diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
similarity index 64%
rename from store-for-business/windows-store-for-business-overview.md
rename to store-for-business/microsoft-store-for-business-overview.md
index 0ec624a13e..a7eb6d2051 100644
--- a/store-for-business/windows-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -17,47 +17,45 @@ ms.localizationpriority: high
- Windows 10
- Windows 10 Mobile
-Designed for organizations, Microsoft Store for Business and Microsoft Store for Education gives IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Windows Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Windows Store, or connect with management solutions for more options.
+Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options.
## Features
-Organizations of any size can benefit from using the Microsoft Store:
+Organizations or schools of any size can benefit from using Microsoft Store for Business or Microsoft Store for Education:
-- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate the Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
-- **Bulk app acquisition** - Acquire apps in volume from the Store for Business.
+- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate Microsoft Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
+- **Bulk app acquisition** - Acquire apps in volume from Microsoft Store for Business.
- **Centralized management** – Microsoft Store provides centralized management for inventory, billing, permissions, and order history. You can use Microsoft Store to view, manage and distribute items purchased from:
- **Microsoft Store for Business** – Apps and subscriptions
- **Microsoft Store for Education** – Apps and subscriptions
- **Office 365** – Subscriptions
- **Volume licensing** - Apps purchased with volume licensing
-- **Private store** - Curate a private store for your business that’s easily available from any Windows 10 device. Your private store is available from Windows Store app, or with a browser on the Web. People in your organization can download apps from the private store on Windows 10 devices.
+- **Private store** - Curate a private store for your business that’s easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices.
- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices:
- - Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store.
+ - Distribute through Microsoft Store services. You can assign apps to individual employees, or make apps available to all employees in your private store.
- Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images.
- Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images.
- **Line-of-business apps** - Privately add and distribute your internal line-of-business apps using any of the distribution options.
- **App license management**: Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps.
- **Up-to-date apps** - Microsoft Store manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees.
-- **Office app launcher** Office apps while working with Store for Business.
-- **Find a partner** – Microsoft Store allows businesses to search and find a Microsoft Partner who can assist you with Microsoft solutions for your business.
-
+- **Office app launcher** Office apps while working with Microsoft Store for Business.
+- **Find a partner** – Search and find a Microsoft Partner who can assist you with Microsoft solutions for your business.
## Prerequisites
-You'll need this software to work with the Store for Business.
+You'll need this software to work with Store for Business and Education.
### Required
-- Admins working with Microsoft Store for Business and Education need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, or current versions of Microsoft Edge, Chrome or Firefox. JavaScript must be supported and enabled.
-
-- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device.
+- Admins working with Store for Business and Education need a browser compatible with Microsoft Store running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, or current versions of Microsoft Edge, Chrome or Firefox. JavaScript must be supported and enabled.
+- Employees using apps from Store for Business and Education need at least Windows 10, version 1511 running on a PC or mobile device.
Microsoft Azure Active Directory (AD) accounts for your employees:
-- Admins need Azure AD accounts to sign up for the Store for Business, and then to sign in, get apps, distribute apps, and manage app licenses.
+- Admins need Azure AD accounts to sign up for Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses. You can sign up for Azure AD accounts as part of signing up for Store for Business and Education.
- Employees need Azure AD account when they access Store for Business content from Windows devices.
- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account
- For offline-licensed apps, Azure AD accounts are not required for employees.
-- Admins can add or remove user accounts in the Office 365 admin center, even if you don’t have an Office 365 subscription. You can access the Office 365 admin portal directly from the Microsoft Store for Business and Education.
+- Admins can add or remove user accounts in the Office 365 admin center, even if you don’t have an Office 365 subscription. You can access the Office 365 admin portal directly from the Store for Business and Education.
For more information on Azure AD, see [About Office 365 and Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
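Review bot: The "Office app launcher" bullet is still a fragment after the rename: "**Office app launcher** Office apps while working with Microsoft Store for Business." has no separator after the bold label and no verb, so it does not say what the feature does. Complete the sentence rather than only swapping the product name. The Features list also now mixes names for the same service: the "Scales to fit the size of your business" bullet uses "the Store for Business" twice and "Microsoft Store for Business" once, and the distribution bullet says "Microsoft Store services". Pick one form per product and apply it across the hunk.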
@@ -66,20 +64,19 @@ For more information on Azure AD, see [About Office 365 and Azure Active Directo
While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools:
- Need to integrate with Windows 10 management framework and Azure AD.
-
- Need to sync with the Store for Business inventory to distribute apps.
-## How does the Store for Business work?
+## How does the Store for Business and Education work?
## Sign up!
-The first step for getting your organization started with the Store for Business is signing up. Sign up using an existing account (the same one you use for Office 365, Dynamics 365, Intune, Azure, etc.) or we’ll quickly create an account for you. You must be a Global Administrator for your organization.
+The first step for getting your organization started with Store for Business and Education is signing up. Sign up using an existing account (the same one you use for Office 365, Dynamics 365, Intune, Azure, etc.) or we’ll quickly create an account for you. You must be a Global Administrator for your organization.
-For more information, see [Sign up for the Store for Business](sign-up-windows-store-for-business.md).
+For more information, see [Sign up for Store for Business and Education](sign-up-microsoft-store-for-business.md).
## Set up
-After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions.
+After your admin signs up for the Store for Business and Education, they can assign roles to other employees in your company or school. The admin needs Azure AD User Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions.
| Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing |
| ---------- | ---------------- | ------------ | --------------- | -------------------- |
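Review bot: Article usage is inconsistent across the lines added here: the heading "## How does the Store for Business and Education work?" and "After your admin signs up for the Store for Business and Education" keep "the", while "getting your organization started with Store for Business and Education" and "Sign up for Store for Business and Education" drop it. Choose one form. The heading also treats "Store for Business and Education" as singular ("How does ... work?"), while the overview paragraph was changed to the plural "give"; align the two.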
@@ -89,51 +86,49 @@ After your admin signs up for the Store for Business, they can assign roles to o
| Basic purchaser | | X | X | |
> [!NOTE]
-> Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see
+> Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see [Microsoft Store for Education permissions](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business?toc=/microsoft-store/education/toc.json#manage-domain-settings).
-In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-windows-store-for-business.md).
+In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-microsoft-store-for-business.md).
-Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business.
+Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with Store for Business and Education.
## Get apps and content
-Once signed in to the Microsoft Store, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card, and some items can be paid for with an invoice. We'll be adding more payment options over time.
+Once signed in to the Microsoft Store, you can browse and search for all products in the Store for Business and Education catalog. Some apps are free,and some apps charge a price. We're continuing to add more paid apps to the Store for Business and Education. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card, and some items can be paid for with an invoice. We'll be adding more payment options over time.
-**App types** -- These app types are supported in the Microsoft Store for Business:
+**App types** - These app types are supported in the Store for Business and Education:
- Universal Windows Platform apps
- Universal Windows apps, by device: Phone, Surface Hub, IOT devices, HoloLens
-Apps purchased from the Store for Business only work on Windows 10 devices.
+Apps purchased from the Store for Business and Education only work on Windows 10 devices.
-Line-of-business (LOB) apps are also supported via the Business store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization. These apps can be distributed using the distribution methods discussed in this topic. For more information, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
+Line-of-business (LOB) apps are also supported through Microsoft Store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization through Store for Business and Education. These apps can be distributed using the distribution methods discussed in this topic. For more information, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
**App licensing model**
-The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
+ Store for Business and Education supports two license options for apps: online and offline. **Online** licensing is the default licensing model and is similar to the licensing model for Microsoft Store. Online licensed apps require users and devices to connect to Microsoft Store services to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt in their apps for offline licensing when they submit them to the developer center.
-For more information, see [Apps in the Store for Business](apps-in-windows-store-for-business.md#licensing-model).
+For more information, see [Apps in Microsoft Store for Business](apps-in-microsoft-store-for-business.md#licensing-model).
## Distribute apps and content
-App distribution is handled through two channels, either through the Store for Business, or using a management tool. You can use either or both distribution methods in your organization.
+App distribution is handled through two channels, either through the Microsoft Store for Business, or using a management tool. You can use either, or both distribution methods in your organization.
-**Using the Store for Business** – Distribution options for the Store for Business:
-
-- Email link – After purchasing an app, admins can send employees a link in an email message. Employees can click the link to install the app.
-- Curate private store for all employees – A private store can include content you’ve purchased from the Store, and your line-of-business apps that you’ve submitted to the Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
+**Distribute with Store for Business and Education**:
+- Email link – After purchasing an app, Admins can send employees a link in an email message. Employees can click the link to install the app.
+- Curate private store for all employees – A private store can include content you’ve purchased from Microsoft Store for Business, and your line-of-business apps that you’ve submitted to Microsoft Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
- To use the options above users must be signed in with an Azure AD account on a Windows 10 device. Licenses are assigned as individuals install apps.
-**Using a management tool** – For larger organizations that might want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
-
+**Using a management tool** – For larger organizations that want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
- Scoped content distribution – Ability to scope content distribution to specific groups of employees.
- Install apps for employees – Employees are not responsible for installing apps. Management tool installs apps for employees.
Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps.
-For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md).
+For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md).
-## Manage Store for Business settings and content
+## Manage Microsoft Store for Business settings and content
Once you are signed up with the Business store and have purchased apps, Admins can manage Store for Business settings and inventory.
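Review bot: the rewritten "Using a management tool" line still reads "a management tools provides other distribution options"; since the line is being replaced anyway, correct it to "a management tool provides". The added licensing paragraph also starts with a stray space after the "+". The new text uses "Store for Business and Education" and "Microsoft Store for Business" for the same service, next to the unchanged "the Business store" in the last context line, so pick one form for this section.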
@@ -151,11 +146,11 @@ Once you are signed up with the Business store and have purchased apps, Admins c
- Manage app updates for all apps, or customize updates for each app. Online apps will automatically update from the Store. Offline apps can be updated using a management server.
- Download apps for offline installs
-For more information, see [Manage settings in the Store for Business](manage-settings-windows-store-for-business.md) and [Manage apps](manage-apps-windows-store-for-business-overview.md).
+For more information, see [Manage settings in the Store for Business](manage-settings-microsoft-store-for-business.md) and [Manage apps](manage-apps-microsoft-store-for-business-overview.md).
## Supported markets
-Microsoft Store for Business and Education is currently available in these markets.
+Store for Business and Education is currently available in these markets.
### Support for free and paid products
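Review bot: the "Supported markets" sentence drops "Microsoft" from the product name, while the heading changed earlier in this file adds it ("Manage Microsoft Store for Business settings and content"). The two edits pull in opposite directions, so settle on one naming rule and apply it throughout. The link text "Manage settings in the Store for Business" also keeps the old wording even though its target was renamed on the same line.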
@@ -377,24 +372,24 @@ This table summarize what customers can purchase, depending on which Microsoft S
## Privacy notice
-Microsoft Store for Business services get names and email addresses of people in your organization from Azure Active Directory. This information is needed for these admin functions:
+Store for Business and Education services get names and email addresses of people in your organization from Azure Active Directory. This information is needed for these admin functions:
- Granting and managing permissions
- Managing app licenses
- Distributing apps to people (names appear in a list that admins can select from)
-Microsoft Store for Business and Education does not save names, or email addresses.
+Store for Business and Education does not save names, or email addresses.
-Your use of Microsoft Store for Business and Education is also governed by the [Microsoft Store for Business and Education Services Agreement](https://businessstore.microsoft.com/servicesagreement).
+Your use of Store for Business and Education is also governed by the [Microsoft Store for Business and Education Services Agreement](https://businessstore.microsoft.com/servicesagreement).
-Information sent to Microsoft Store for Business and Education is subject to the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement/).
+Information sent to Store for Business and Education is subject to the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement/).
-## ISVs and the Store for Business
+## ISVs and Store for Business and Education
-Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this:
+Developers in your organization, or ISVs can create content specific to your organization. In Store for Business and Education, we call these line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this:
- Admin invites devs to be LOB publishers for your organization. These devs can be internal devs, or external ISVs.
- LOB publishers accept the invitation, develop apps, and submits the app to the Windows Dev Center. LOB publishers use Enterprise associations when submitting the app to make the app exclusive to your organization.
-- Admin adds the app to Store for Business inventory.
+- Admin adds the app to Microsoft Store for Business or Microsoft Store for Education inventory.
-Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in the Store for Business. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in the Store for Business will work only on Windows 10.
+Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in Store for Business and Education. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in Store for Business and Education will work only on Windows 10.
For more information on line-of-business apps, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
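Review bot: in the Privacy notice the service is renamed to "Store for Business and Education", but the agreement it cites is still titled "Microsoft Store for Business and Education Services Agreement". In a privacy notice the service name should match the governing document, so keep the full name there. Further down, the inventory bullet introduces a third form ("Microsoft Store for Business or Microsoft Store for Education"), and "ISVs can opt-in their apps" is hyphenated here but written "opt in" in the licensing paragraph changed earlier in this file.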
diff --git a/store-for-business/prerequisites-windows-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
similarity index 92%
rename from store-for-business/prerequisites-windows-store-for-business.md
rename to store-for-business/prerequisites-microsoft-store-for-business.md
index a07a501b9e..681d4b4a36 100644
--- a/store-for-business/prerequisites-windows-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -21,7 +21,6 @@ There are a few prerequisites for using Microsoft Store for Business or Microsof
## Prerequisites
-
You'll need this software to work with Microsoft Store for Business or Education.
### Required
@@ -45,7 +44,7 @@ While not required, you can use a management tool to distribute and manage apps.
## Proxy configuration
-If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Windows Store app and Microsoft Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy sever to block traffic, your configuration needs to allow these URLs:
+If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy sever to block traffic, your configuration needs to allow these URLs:
- login.live.com
- login.windows.net
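Review bot: the replacement proxy paragraph keeps the typo "proxy sever" and now says "Some of the Microsoft Store features use Store services", which no longer tells the reader anything. Admins build their allow list from this paragraph, so either say which features depend on the listed endpoints or drop the sentence, and correct "sever" to "server" while the line is being touched.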
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
new file mode 100644
index 0000000000..869d8d89db
--- /dev/null
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -0,0 +1,22 @@
+---
+title: Whats new in Microsoft Store for Business and Education
+description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: store
+author: TrudyHa
+ms.date: 09/21/2017
+---
+
+# Microsoft Store for Business and Education release history
+
+Microsoft Store for Business and Education regularly releases new and improved feaures. Here's a summary of new or updated features in previous releases.
+
+Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
+
+## August 2017
+These items were released or updated in August, 2017.
+
+- **Pellentesque habitant morbi tristique** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md)
+- **Aenean nec lorem** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md)
\ No newline at end of file
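Review bot: the two "August 2017" bullets in this new file are Lorem ipsum placeholders ("Pellentesque habitant morbi tristique", "Aenean nec lorem") and both link to distribute-apps-from-your-private-store.md, so this would publish filler as release history. Hold the file back until real entries exist, or add it with the section left out. The front-matter title "Whats new in Microsoft Store for Business and Education" is missing its apostrophe and does not match the "release history" H1, "feaures" should be "features", and the file has no trailing newline.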
diff --git a/store-for-business/roles-and-permissions-windows-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
similarity index 98%
rename from store-for-business/roles-and-permissions-windows-store-for-business.md
rename to store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 00de7300ea..14a0ed1d6f 100644
--- a/store-for-business/roles-and-permissions-windows-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@@ -91,5 +91,5 @@ These permissions allow people to:
-4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md).
+4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
diff --git a/store-for-business/settings-reference-windows-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md
similarity index 80%
rename from store-for-business/settings-reference-windows-store-for-business.md
rename to store-for-business/settings-reference-microsoft-store-for-business.md
index 6d5922b831..a0c708802f 100644
--- a/store-for-business/settings-reference-windows-store-for-business.md
+++ b/store-for-business/settings-reference-microsoft-store-for-business.md
@@ -22,14 +22,14 @@ The Microsoft Store for Business and Education has a group of settings that admi
| Setting | Description | Location under **Manage** |
| ------- | ----------- | ------------------------------ |
-| Account information | Manage organization information. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-windows-store-for-business-account-settings.md).| **Billing - Account profile** |
-| Payment options | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-windows-store-for-business-account-settings.md#payment-options).| **Billing - Payment methods** |
+| Account information | Manage organization information. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-microsoft-store-for-business-account-settings.md).| **Billing - Account profile** |
+| Payment options | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-microsoft-store-for-business-account-settings.md#payment-options).| **Billing - Payment methods** |
| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** |
| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** |
-| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-windows-store-for-business.md). | **Settings - Distribute** |
-| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | **Settings - Distribute** |
+| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Distribute** |
+| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** |
| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** |
-| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md). | **Permissions - Roles** and **Permissions - Blocked basic purchasers** |
+| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles** and **Permissions - Blocked basic purchasers** |
| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** |
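Review bot: in the "App request" row the link text is still "Distribute offline apps" although the target is acquire-apps-microsoft-store-for-business.md, which duplicates the label of the "Offline licensing" row above it. Since the line is being changed for the rename, give the link text the name of the page it points to. The change-history table in this same patch links to the "#request-apps" anchor of that page, which would be the more precise target here.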
diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md
index ed0904b3ee..924e399afb 100644
--- a/store-for-business/sfb-change-history.md
+++ b/store-for-business/sfb-change-history.md
@@ -18,12 +18,20 @@ ms.localizationpriority: high
- Windows 10
- Windows 10 Mobile
+## September 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | New |
+| [App requests](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps) | New |
+| [Settings reference: Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md) and [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-microsoft-store-for-business-account-settings.md) | Updates for UI changes in **Settings**. |
+
## July 2017
| New or changed topic | Description |
| --- | --- |
| [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | New |
-
+| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. |
## June 2017
| New or changed topic | Description |
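Review bot: the row added under July 2017 links to ".../microsoft-store/windows-store-for-business-overview#supported-markets", which uses the old file name this patch is renaming away from and hard-codes the "en-us" locale, unlike the other docs.microsoft.com link in the September table. In the September table, the entry labelled "Settings reference: Microsoft Store for Business and Education" points at manage-settings-microsoft-store-for-business.md, while the settings reference file is renamed in this patch to settings-reference-microsoft-store-for-business.md; check that the label and target agree.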
diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
index 09775ac8fe..3eb56c3155 100644
--- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
+++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
@@ -25,7 +25,7 @@ Before you get started, be sure to review these best practices:
**Best practices**
- Test your code integrity policies on a group of devices before deploying them to a large group of devices.
-- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx).
+- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
**To sign a code integrity policy**
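Review bot: the bullet tells the reader to see "the section Code integrity policy rules", but the new URL points at the top of the deployment guide with no section anchor, so the reader has to hunt for it. Link to the section directly if the new page exposes an anchor. The bullet would also hold up better against future link changes if it named rule options 9 and 10 instead of giving only their numbers.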
diff --git a/store-for-business/sign-up-windows-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
similarity index 100%
rename from store-for-business/sign-up-windows-store-for-business-overview.md
rename to store-for-business/sign-up-microsoft-store-for-business-overview.md
diff --git a/store-for-business/sign-up-windows-store-for-business.md b/store-for-business/sign-up-microsoft-store-for-business.md
similarity index 97%
rename from store-for-business/sign-up-windows-store-for-business.md
rename to store-for-business/sign-up-microsoft-store-for-business.md
index cd3f6bd322..22cc99dd2f 100644
--- a/store-for-business/sign-up-windows-store-for-business.md
+++ b/store-for-business/sign-up-microsoft-store-for-business.md
@@ -87,8 +87,8 @@ Before signing up for Microsoft Store, make sure you're the global administrator
After signing up for Microsoft Store for Business or Microsoft Store for Education, you can:
-- **Add users to your Azure AD directory**. If you created your Azure AD directory during sign up, additional user accounts are required for employees to install apps you assign to them, or to browse the private store in Store app. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md).
-- **Assign roles to employees**. For more information, see [Roles and permissions in Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md).
+- **Add users to your Azure AD directory**. If you created your Azure AD directory during sign up, additional user accounts are required for employees to install apps you assign to them, or to browse the private store in Store app. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
+- **Assign roles to employees**. For more information, see [Roles and permissions in Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md).
diff --git a/store-for-business/troubleshoot-windows-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md
similarity index 62%
rename from store-for-business/troubleshoot-windows-store-for-business.md
rename to store-for-business/troubleshoot-microsoft-store-for-business.md
index 2443391b42..9e55e0279f 100644
--- a/store-for-business/troubleshoot-windows-store-for-business.md
+++ b/store-for-business/troubleshoot-microsoft-store-for-business.md
@@ -20,13 +20,13 @@ ms.localizationpriority: high
Troubleshooting topics for Microsoft Store for Business.
## Can't find apps in private store
-The private store for your organization is a page in the Windows Store app that contains apps that are private to your organization. After your organization acquires an app, your Store for Business admin can add it to your organization's private store. Your private store usually has a name that is close to the name of your organization or company. If you can't see your private store, there are a couple of things to check:
-- **No apps in the private store** - The private store page is only available in the Windows Store app if there are apps added to your private store. You won't see your private store page with no apps listed on it. If your Store for Business admin has added an app to the private store, and the private store page is still not available, they can check the private store status for the app on the **Inventory** page. If the status is **Add in progress**, wait and check back.
+The private store for your organization is a page in Microsoft Store app that contains apps that are private to your organization. After your organization acquires an app, your Store for Business admin can add it to your organization's private store. Your private store usually has a name that is close to the name of your organization or company. If you can't see your private store, there are a couple of things to check:
+- **No apps in the private store** - The private store page is only available in Microsoft Store on Windows 10 if there are apps added to your private store. You won't see your private store page with no apps listed on it. If your Microsoft Store for Business admin has added an app to the private store, and the private store page is still not available, they can check the private store status for the app on **Product & services - Apps**. If the status under **Private store** is **Add in progress**, wait and check back.
- **Signed in with the wrong account** - If you have multiple accounts that you use in your organization, you might be signed in with the wrong account. Or, you might not be signed in. Use this procedure to sign in with your organization account.
-**To sign in with organization account in Windows Store app**
+**To sign in with organization account in Microsoft Store app**
-1. Click the people icon in Windows Store app, and click **Sign in**.
+1. Click the people icon in Microsoft Store app, and click **Sign in**.

diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md
similarity index 82%
rename from store-for-business/update-windows-store-for-business-account-settings.md
rename to store-for-business/update-microsoft-store-for-business-account-settings.md
index 951212afbd..8e1912c39e 100644
--- a/store-for-business/update-windows-store-for-business-account-settings.md
+++ b/store-for-business/update-microsoft-store-for-business-account-settings.md
@@ -28,10 +28,10 @@ Before purchasing apps that have a fee, you need to add or update your organizat
We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don’t have an address, we’ll ask you to enter it during your first purchase.
-We need an email address in case we need to contact you about your Microsoft Store for Business and Education account. This email account should reach the admin for your organization’s Office 365 or Azure AD tenant that is used with Microsoft Store.
+We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization’s Office 365 or Azure AD tenant that is used with Microsoft Store.
**To update Organization information**
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com)
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)
2. Click **Manage**, click **Billing**, **Account profile**, and then click **Edit**.
## Organization tax information
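Review bot: the new wording "your Microsoft Store for Business and for Education account" reads as if a single account spans both stores and is more awkward than the line it replaces. Elsewhere in this file the pattern is "Microsoft Store for Business and Microsoft Store for Education", so use that or keep the original sentence. The https upgrade of the sign-in link in step 1 is good, and the same change should be applied to the other sign-in steps in this file.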
@@ -86,7 +86,7 @@ These countries can provide their VAT number or local equivalent in **Payments &
If you qualify for tax-exempt status in your market, start a service request to establish tax exempt status for your organization.
**To start a service request**
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com).
2. Click **Manage**, click **Support**, and then under **Store settings & configuration** click **Create technical support ticket**.
You’ll need this documentation:
@@ -119,14 +119,14 @@ You can purchase apps from Microsoft Store for Business using your credit card.
5. Japan Commercial Bureau (JCB)
> [!NOTE]
-> Not all cards available in all countries. When you add a payment option, Store for Business shows which cards are available in your region.
+> Not all cards available in all countries. When you add a payment option, Microsoft Store for Business shows which cards are available in your region.
**To add a new payment option**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**, click **Billing**, and then click **Payments methods**.
+2. Click **Manage**, click **Billing**, and then click **Payments methods**.
3. Click **Add a payment options**, and then select the type of credit card that you want to add.
-4. Add information to any required fields, and then click **Next**.
+4. Add information to required fields, and then click **Next**.
Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
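Review bot: step 1 of "To add a new payment option" is left as unchanged context and still links to http://businessstore.microsoft.com under the old "Store for Business" label, while the equivalent step in "To update Organization information" was moved to https and renamed in this same patch. A sign-in link on a payment procedure should be https, so update this line too. The change to step 2 shows no visible difference between the removed and added lines, so it looks whitespace-only; say so in the commit message or drop it.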
@@ -135,7 +135,7 @@ Once you click Next, the information you provided will be validated with a tes
**To update a payment option**
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
+1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, click **Billing**, and then click **Payments methods**.
3. Select the payment option that you want to update, and then click **Update**.
4. Enter any updated information in the appropriate fields, and then click **Next**.
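Review bot: the added sign-in step renames the link to "Microsoft Store for Business" but keeps the http://businessstore.microsoft.com URL, while the Education link on the same line is https and the "To update Organization information" step earlier in this patch already uses https for the Business store. Change the scheme here as well so the file is consistent.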
@@ -146,17 +146,17 @@ Once you click **Next**, the information you provided will be validated with a
## Offline licensing
-Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on the Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).
+Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on Microsoft Store for Business licensing model, see [licensing model](https://docs.microsoft.com/microsoft-store/apps-in-microsoft-store-for-business#licensing-model).
Admins can decide whether or not offline licenses are shown for apps in Microsoft Store.
**To set offline license visibility**
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
+1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Settings - Shop**.
3. Under **Shopping experience** turn on or turn off **Show offline apps**,to show availability for offline-licensed apps.
You have the following distribution options for offline-licensed apps:
- Include the app in a provisioning package, and then use it as part of imaging a device.
- Distribute the app through a management tool.
-For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-with-management-tool.md).
\ No newline at end of file
+For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-with-management-tool.md).
\ No newline at end of file
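Review bot: the licensing-model link in the Offline licensing paragraph changes to an absolute docs.microsoft.com URL, while the overview file in this patch links to the same section relatively as apps-in-microsoft-store-for-business.md#licensing-model. Use the relative form so the link follows the repository. In the same hunk, the added step 1 keeps http://businessstore.microsoft.com, "For more information on Microsoft Store for Business licensing model" is missing "the", and the file is still left without a trailing newline.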
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
new file mode 100644
index 0000000000..14bce10791
--- /dev/null
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -0,0 +1,35 @@
+---
+title: Whats new in Microsoft Store for Business and Education
+description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: store
+author: TrudyHa
+ms.date: 10/04/2017
+---
+
+# What's new in Microsoft Store for Business and Education
+
+Microsoft Store for Business and Education regularly releases new and improved feaures. Take a look below to see what's available to you today.
+
+## Latest updates for Store for Business and Education
+
+| | |
+|-----------------------|---------------------------------|
+| | **Manage Windows device deployment with Windows AutoPilot Deployment**
In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the AutoPilot deployment profile you applied to the device.
[Get more info](add-profile-to-devices.md)
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Request an app**
People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.
[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**My organization**
**My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Manage prepaid Office 365 subscriptions**
Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Manage Office 365 subscriptions acquired by partners**
Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Edge extensions in Microsoft Store**
Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Search results in Microsoft Store for Business**
Search results now have sub categories to help you refine search results.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+
+
\ No newline at end of file
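Review bot: The new page ships with spelling errors in reader-visible text: the front-matter title is "Whats new" while the H1 is "What's new", and the body contains "feaures", "reqest", "redemming" and "profile info for you org". Fix these before merge. Each "Applies to" cell runs the two product names together with no separator ("Microsoft Store for Business Microsoft Store for Education"), and the file ends without a trailing newline.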
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index 87dc16ae0e..a2b30517f7 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -19,29 +19,23 @@ ms.localizationpriority: high
Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your school or organization – they might be internal apps, or apps specific to your school, business, or industry.
-Developers within your organization, or ISVs that you invite, can become LOB publishers and submit apps to Microsoft Store for your company or school. Once an LOB publisher submits an app for your company, the app is only available to your company. LOB publishers submit apps through the Windows Dev Center using the same process as all apps that are in the Store, and then can be managed or deployed using the same process as any other app that has been acquired through the Store.
+Developers within your organization, or ISVs that you invite, can become LOB publishers and submit apps to Microsoft Store for your company or school. Once an LOB publisher submits an app for your company, the app is only available to your company. LOB publishers submit apps through the Windows Dev Center using the same process as all apps that are in Microsoft Store, and then can be managed or deployed using the same process as any other app that has been acquired through Microsoft Store.
-One advantage of making apps available through Microsoft Store is that the app has been signed by the Store, and uses the standard Store policies. For organizations that can’t submit their application through the Windows Dev Center (for example, those needing additional capabilities or due to compliance purposes), [Sideloading](https://go.microsoft.com/fwlink/p/?LinkId=623433) is also supported in Windows 10.
+One advantage of making apps available through Microsoft Store for Business is that the app has been signed by Microsoft Store, and uses the standard Microsoft Store policies. For organizations that can’t submit their application through the Windows Dev Center (for example, those needing additional capabilities or due to compliance purposes), [Sideloading](https://go.microsoft.com/fwlink/p/?LinkId=623433) is also supported on Windows 10.
## Adding LOB apps to your private store
-Admins and ISVs each own different parts of the process for getting LOB apps created, submitted, and deployed to your employees or students. Admins use the Store for Business portal; ISVs or devs use the Windows Dev center on MSDN.
+Admins and ISVs each own different parts of the process for getting LOB apps created, submitted, and deployed to your employees or students. Admins use Microsoft Store for Business or Microsoft Store for Education portal; ISVs or devs use the Windows Dev center on MSDN.
Here’s what’s involved:
-
-- The Store for Business admin invites a developer or ISV to become an LOB publisher for your company.
-
-- LOB publisher develops and submits app to the Store, tagging the app so it is only available to your company.
-
-- The Store for Business admin accepts the app and can distribute the app to employees in your company.
+- Microsoft Store for Business admin invites a developer or ISV to become an LOB publisher for your company.
+- LOB publisher develops and submits app to Microsoft Store, tagging the app so it is only available to your company.
+- Microsoft Store for Business admin accepts the app and can distribute the app to employees in your company.
You'll need to set up:
-
- Your company needs to be signed up with Microsoft Store for Business or Microsoft Store for Education.
-
- LOB publishers need to have an active developer account. To learn more about account options, see [Ready to sign up](https://go.microsoft.com/fwlink/p/?LinkId=623432).
-
-- LOB publishers need to have an app in the Store, or have an app ready to submit to the Store.
+- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
## Add an LOB publisher (Admin)
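Review bot: The last added bullet applies the rename to only half the line: "have an app in Microsoft Store, or have an app ready to submit to the Store" still uses the old short name at the end. The added sentence "Admins use Microsoft Store for Business or Microsoft Store for Education portal" also lost its article and should read "the ... portal". The hunk removes the blank lines between the two lead-in sentences and the lists that follow them, so check that both lists still render as lists in the publishing pipeline.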
@@ -49,7 +43,7 @@ Admins need to invite developer or ISVs to become an LOB publisher.
**To invite a developer to become an LOB publisher**
-1. Sign in to the [Microsoft Store for Business]( https://go.microsoft.com/fwlink/p/?LinkId=623531).
+1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com).
2. Click **Manage**, click **Permissions**, and then choose **Line-of-business publishers**.
3. On the Line-of business publishers page, click **Invite** to send an email invitation to a developer.
>[!Note]
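Review bot: Step 1 replaces the go.microsoft.com/fwlink redirect with the literal host https://businessstore.microsoft.com for a sign-in link. A hard-coded sign-in address cannot be retargeted centrally if the portal moves, so confirm this is the intended canonical URL and that every sign-in step in the file uses the same one. The wording is also inconsistent with the later step in this patch, which reads "Sign in to the [Microsoft Store for Business]"; pick one form.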
@@ -84,7 +78,7 @@ After an app is published and available in the Store, ISVs publish an updated ve
For more information, see [Organizational licensing options]( https://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](https://go.microsoft.com/fwlink/p/?LinkId=627543).
>[!Note]
- > In order to get the LOB app, the organization must be located in a [supported market](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview#supported-markets), and you must not have excluded that market when submitting your app.
+ > In order to get the LOB app, the organization must be located in a [supported market](https://docs.microsoft.com/microsoft-store/microsoft-store-for-business-overview#supported-markets), and you must not have excluded that market when submitting your app.
## Add app to inventory (admin)
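Review bot: The unchanged line above the note still has a space inside its link target, "[Organizational licensing options]( https://go.microsoft.com/fwlink/p/?LinkId=708615)", which is the same defect this patch removed from the sign-in link in step 1; fix it here while the file is open. The new supported-market URL depends on the fragment #supported-markets, so verify that heading exists on the microsoft-store-for-business-overview page.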
@@ -92,25 +86,12 @@ After an ISV submits the LOB app for your company or school, someone with Micros
**To add the LOB app to your inventory**
-1. Sign in to the Store for Business.
-2. Click **Manage**, click **Apps & Software**, and then choose **New LOB apps**.
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com).
+2. Click **Manage**, click **Products & services**, and then choose **New LOB apps**.
3. Click the ellipses under **Action** for the app you want to add to your inventory, and then choose **Add to inventory**.
After you add the app to your inventory, you can choose how to distribute the app. For more information, see:
-
-- [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
-
+- [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md)
- [Distribute apps from your private store](distribute-apps-from-your-private-store.md)
-
- [Assign apps to employees](assign-apps-to-employees.md)
-
-- [Distribute offline apps](distribute-offline-apps.md)
-
-
-
-
-
-
-
-
-
+- [Distribute offline apps](distribute-offline-apps.md)
\ No newline at end of file
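Review bot: The first "For more information" link now targets distribute-apps-to-your-employees-microsoft-store-for-business.md, and the rename of that file is not visible alongside this hunk; confirm it lands in the same change or the link will break. Step 2 also changes the menu label from "Apps & Software" to "Products & services", which is a UI change rather than part of the rename and should be checked against the current portal. The hunk leaves the file without a trailing newline.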
diff --git a/windows/access-protection/TOC.md b/windows/access-protection/TOC.md
index 7dbb46c015..acb2519e1d 100644
--- a/windows/access-protection/TOC.md
+++ b/windows/access-protection/TOC.md
@@ -69,7 +69,7 @@
### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
## [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md)
-### [Isolating Windows Store Apps on Your Network](windows-firewall/isolating-apps-on-your-network.md)
+### [Isolating Microsoft Store Apps on Your Network](windows-firewall/isolating-apps-on-your-network.md)
### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md)
### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
### [Windows Firewall with Advanced Security Design Guide](windows-firewall/windows-firewall-with-advanced-security-design-guide.md)
diff --git a/windows/access-protection/access-control/microsoft-accounts.md b/windows/access-protection/access-control/microsoft-accounts.md
index 01efb97d0a..3a5b9f595e 100644
--- a/windows/access-protection/access-control/microsoft-accounts.md
+++ b/windows/access-protection/access-control/microsoft-accounts.md
@@ -20,7 +20,7 @@ When a user signs in with a Microsoft account, the device is connected to cloud
## How a Microsoft account works
-The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Windows Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
+The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Microsoft Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed.
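Review bot: The rewritten paragraph still expands TLS as "Transport Level Security"; the protocol name is Transport Layer Security, and since this line is being replaced anyway it should be corrected here. The line also writes "The Microsoft Store" with an article, while the line-of-business hunks in this patch drop it ("in Microsoft Store"); settle on one usage across the rename.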
@@ -70,13 +70,13 @@ Users can add security information to their Microsoft accounts through the **Acc
Although the Microsoft account was designed to serve consumers, you might find situations where your domain users can benefit by using their personal Microsoft account in your enterprise. The following list describes some advantages.
-- **Download Windows Store apps**:
+- **Download Microsoft Store apps**:
- If your enterprise chooses to distribute software through the Windows Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT.
+ If your enterprise chooses to distribute software through the Microsoft Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT.
- **Single sign-on**:
- Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8 or Windows RT. When they do this, Windows works with your Windows Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Windows Store apps or websites, so that these credentials roam across any devices running these supported versions.
+ Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8 or Windows RT. When they do this, Windows works with your Microsoft Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Microsoft Store apps or websites, so that these credentials roam across any devices running these supported versions.
- **Personalized settings synchronization**:
@@ -84,7 +84,7 @@ Although the Microsoft account was designed to serve consumers, you might find s
- **App synchronization**:
- Windows Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed.
+ Microsoft Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed.
- **Integrated social media services**:
diff --git a/windows/access-protection/hello-for-business/hello-how-it-works.md b/windows/access-protection/hello-for-business/hello-how-it-works.md
index c5d6ce9420..f868232fce 100644
--- a/windows/access-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/access-protection/hello-for-business/hello-how-it-works.md
@@ -71,7 +71,7 @@ Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protect
When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container.
-These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device.
+These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device.
For example, the authentication process for Azure Active Directory works like this:
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 084999e656..84044525a4 100644
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -20,7 +20,7 @@ ms.date: 09/08/2017
[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
-## Directory Syncrhonization
+## Directory Synchronization
>[!IMPORTANT]
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
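Review bot: Correcting the heading from "Syncrhonization" to "Synchronization" changes the fragment identifier generated from that heading, so any link that points at the old misspelled anchor will stop resolving. Search the repository for links to the old fragment and update them in the same change.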
diff --git a/windows/access-protection/hello-for-business/hello-manage-in-organization.md b/windows/access-protection/hello-for-business/hello-manage-in-organization.md
index bd3429561c..db7db4d2f5 100644
--- a/windows/access-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/access-protection/hello-for-business/hello-manage-in-organization.md
@@ -301,7 +301,7 @@ There are three scenarios for using Windows Hello for Business in Azure AD–onl
- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered.
- **Organizations that have subscribed to Azure AD Premium** have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device.
-If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager Technical Preview, Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.
+If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.
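Review bot: Replacing "Configuration Manager Technical Preview, Intune" with "Configuration Manager, Microsoft Intune" is not part of the Store rename; it changes which product release the reader is told to set up as the device registration system for certificate-based Windows Hello for Business. Confirm that certificate enrollment is supported in the released product, and call this change out in the commit description so it is not lost among the branding edits.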
@@ -316,4 +316,4 @@ If you want to use Windows Hello for Business with certificates, you’ll need a
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
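Review bot: The removed and added Feedback Hub lines are visually identical, so this hunk appears to change only whitespace or line endings and still leaves the file without a trailing newline. In the same patch, hello-why-pin-is-better-than-password.md moves to the new link form (feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=hello-why-pin-is-better-than-password.md) while this page keeps feedback-hub:?tabid=2&contextid=897. Either update this link to the new form with its own topic value or drop the no-op hunk.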
diff --git a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 1d95c44fb4..345d436c6b 100644
--- a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -109,4 +109,4 @@ If you only had a biometric sign-in configured and, for any reason, were unable
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=hello-why-pin-is-better-than-password.md).
\ No newline at end of file
diff --git a/windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md
index 4ff1788ca5..5fbf99a89e 100644
--- a/windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -68,7 +68,7 @@ To verify authorship of data, a user can sign it by using a private key that is
## New and changed functionality as of Windows 8.1
-Enhancements in Windows 8.1 enabled developers to build Windows Store apps to create and manage virtual smart cards.
+Enhancements in Windows 8.1 enabled developers to build Microsoft Store apps to create and manage virtual smart cards.
The DCOM Interfaces for Trusted Platform Module (TPM) Virtual Smart Card device management protocol provides a Distributed Component Object Model (DCOM) Remote Protocol interface used for creating and destroying virtual smart cards. A virtual smart card is a device that presents a device interface complying with the PC/SC specification for PC-connected interface devices to its host operating system (OS) platform. This protocol does not assume anything about the underlying implementation of virtual smart card devices. In particular, while it is primarily intended for the management of virtual smart cards based on TPMs, it can also be used to manage other types of virtual smart cards.
@@ -92,9 +92,9 @@ Starting with Windows 8.1, application developers can build into their apps the
**What works differently?**
-Starting with Windows 8.1, Windows Store app developers are able to build apps that have the capability to prompt the user to reset or unblock and change a virtual smart card PIN. This places more responsibility on the user to maintain their virtual smart card but it can also provide a more consistent user experience and administration experience in your organization.
+Starting with Windows 8.1, Microsoft Store app developers are able to build apps that have the capability to prompt the user to reset or unblock and change a virtual smart card PIN. This places more responsibility on the user to maintain their virtual smart card but it can also provide a more consistent user experience and administration experience in your organization.
-For more information about developing Windows Store apps with these capabilities, see [Trusted Platform Module Virtual Smart Card Management Protocol](https://msdn.microsoft.com/library/hh880895.aspx).
+For more information about developing Microsoft Store apps with these capabilities, see [Trusted Platform Module Virtual Smart Card Management Protocol](https://msdn.microsoft.com/library/hh880895.aspx).
For more information about managing these capabilities in virtual smart cards, see [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md).
diff --git a/windows/access-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/access-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index 6dfa73df29..133ed7ba13 100644
--- a/windows/access-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/access-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -40,9 +40,9 @@ Virtual smart cards can also be created and deleted by using APIs. For more info
- [ITPMVirtualSmartCardManagerStatusCallBack](https://msdn.microsoft.com/library/windows/desktop/hh707161(v=vs.85).aspx)
-You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Windows Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](http://channel9.msdn.com/events/build/2013/2-041).
+You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](http://channel9.msdn.com/events/build/2013/2-041).
-The following table describes the features that can be developed in a Windows Store app:
+The following table describes the features that can be developed in a Microsoft Store app:
| Feature | Physical Smart Card | Virtual Smart Card |
|----------------------------------------------|---------------------|--------------------|
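Review bot: The added sentence keeps the namespace as "Windows.Device.SmartCards"; the WinRT namespace is Windows.Devices.SmartCards, so a reader who searches for or types the name as written will not find the API. Fix the namespace while this line is being changed. The Channel 9 link on the same line is plain http and should move to https if the target supports it.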
diff --git a/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md
index a488a96fe2..182f3bb99e 100644
--- a/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md
+++ b/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md
@@ -1,6 +1,6 @@
---
-title: Isolating Windows Store Apps on Your Network (Windows 10)
-description: Isolating Windows Store Apps on Your Network
+title: Isolating Microsoft Store Apps on Your Network (Windows 10)
+description: Isolating Microsoft Store Apps on Your Network
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -8,19 +8,19 @@ ms.pagetype: security
author: brianlic-msft
---
-# Isolating Windows Store Apps on Your Network
+# Isolating Microsoft Store Apps on Your Network
**Applies to**
- Windows 10
- Windows Server 2016
-When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
+When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access.
The ability to set and enforce these network boundaries ensures that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact on other apps, the device, and the network. In addition, apps can be isolated and protected from malicious access from the network.
-When creating new Windows Store apps, a developer can define the following network capabilities for their app:
+When creating new Microsoft Store apps, a developer can define the following network capabilities for their app:
- **Home\\Work Networking**
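Review bot: The last sentence of the rewritten opening paragraph switches subject mid-sentence: "You can then customize the firewall configuration to further fine-tune this access if they desire more control". Change "they desire" to "you want" so it is clear that the administrator, not the app developer, is the one tightening the automatically created rules. That distinction matters for this page, because the developer-declared capability only sets the default scope.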
@@ -40,7 +40,7 @@ When creating new Windows Store apps, a developer can define the following netwo
**In this topic**
-To isolate Windows Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Windows Store app firewall rules.
+To isolate Microsoft Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Microsoft Store app firewall rules.
- [Prerequisites](#prerequisites)
@@ -52,16 +52,16 @@ To isolate Windows Store apps on your network, you need to use Group Policy to d
- A domain controller is installed on your network, and your devices are joined to the Windows domain.
-- Your Windows Store app is installed on the client device.
+- Your Microsoft Store app is installed on the client device.
-- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Defender Firewall rules.
+- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Microsoft Store app when you create Windows Defender Firewall rules.
>**Note:** You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
## Step 1: Define your network
-The **Home\\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Windows Store apps can access intranet resources appropriately.
+The **Home\\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Microsoft Store apps can access intranet resources appropriately.
A network endpoint is considered part of the **Home\\Work Network** if:
@@ -111,7 +111,7 @@ All other endpoints that do not meet the previously stated criteria are consider
## Step 2: Create custom firewall rules
-Windows Store apps can declare many capabilities in addition to the network capabilities discussed previously. For example, apps can declare capabilities to access user identity, the local file system, and certain hardware devices.
+Microsoft Store apps can declare many capabilities in addition to the network capabilities discussed previously. For example, apps can declare capabilities to access user identity, the local file system, and certain hardware devices.
The following table provides a complete list of the possible app capabilities.
@@ -134,7 +134,7 @@ The following table provides a complete list of the possible app capabilities.
| **Webcam** | webcam| Provides access to the webcam's video feed.|
| **Other devices (represented by GUIDs)** | <GUID>| Includes specialized devices and Windows Portable Devices.|
-You can create a Windows Defender Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app.
+You can create a Windows Defender Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Microsoft Store app.
For example, you could create a Windows Defender Firewall policy to block Internet access for any apps on your network that have the Documents Library capability.
@@ -180,7 +180,7 @@ For example, you could create a Windows Defender Firewall policy to block Intern
19. Click **Apply to application packages only**, and then click **OK**.
- >**Important:** You must do this to ensure that the rule applies only to Windows Store apps and not to other apps. Desktop apps declare all capabilities by default, and this rule would apply to them if you do not configure it this way.
+ >**Important:** You must do this to ensure that the rule applies only to Microsoft Store apps and not to other apps. Desktop apps declare all capabilities by default, and this rule would apply to them if you do not configure it this way.
20. Click **OK** to close the **Properties** dialog box.
diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
index 2d55ec35a7..4daee49e8a 100644
--- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
+++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
@@ -48,10 +48,10 @@ You can use the deployment goals to form one of these Windows Defender Firewall
In addition to descriptions and example for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Defender Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Defender Firewall using the guidance in the Windows Defender Firewall with Advanced Security Deployment Guide.
-You can find the Windows Defender Firewal with Advanced Security
+You can find the Windows Defender Firewall with Advanced Security
Deployment Guide at these locations:
-- (Web page)
+- [Windows Defender Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md)
- (Downloadable Word document)
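Review bot: The `- (Downloadable Word document)` bullet is left as a bare label with no link, so after this change the list has one working entry and one dead one. Either add the download URL or drop the bullet; if it is dropped, "at these locations:" in the sentence above should become singular.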
diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
index cb9ac4105d..d21a434151 100644
--- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -36,7 +36,7 @@ To help address your organizational network security challenges, Windows Defende
| Topic | Description
| - | - |
-| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Windows Store apps that run on devices. |
+| [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Microsoft Store apps that run on devices. |
| [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. |
| [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Defender Firewall. |
| [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security. |
diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md
index 35f3b14372..5adf6e1def 100644
--- a/windows/application-management/TOC.md
+++ b/windows/application-management/TOC.md
@@ -1,6 +1,7 @@
# [Manage applications in Windows 10](index.md)
## [Sideload apps](sideload-apps-in-windows-10.md)
## [Remove background task resource restrictions](enterprise-background-activity-controls.md)
+## [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md)
## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md)
### [Getting Started with App-V](app-v/appv-getting-started.md)
#### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md)
diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md
index 3aca385415..a8a4c9a073 100644
--- a/windows/application-management/change-history-for-application-management.md
+++ b/windows/application-management/change-history-for-application-management.md
@@ -1,20 +1,26 @@
---
-title: Change history for Configure Windows 10 (Windows 10)
+title: Change history for Application management in Windows 10 (Windows 10)
description: This topic lists changes to documentation for configuring Windows 10.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: high
+ms.localizationpriority: medium
author: jdeckerms
-ms.date: 09/15/2017
+ms.date: 10/17/2017
---
-# Change history for Configure Windows 10
+# Change history for Application management in Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## RELEASE: Windows 10, version 1709
+
+The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). The following new topic has been added:
+
+- [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md)
+
## September 2017
| New or changed topic | Description |
| --- | --- |
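Review bot: The retitle to "Application management" is only half applied: the `description:` front-matter line still reads "changes to documentation for configuring Windows 10", and the intro sentence still links to `[Configure Windows 10](index.md)`. Update both so the metadata and lead sentence match the new title and H1.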
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index 238dc36fc2..48e61b947d 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -59,5 +59,6 @@ The Universal Windows Platform ensures that consumers will have great battery li
## See also
-[Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground)
+- [Run in the background indefinitely](https://docs.microsoft.com/windows/uwp/launch-resume/run-in-the-background-indefinetly)
+- [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground)
[Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity)
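Review bot: In the See also list, `[Optimize background activity]` is left as a bare line while the two entries above it are now `-` bullets, so it will not render as a list item alongside them. Prefix it with `- ` as well.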
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
index b42c674d12..e96291a634 100644
--- a/windows/application-management/index.md
+++ b/windows/application-management/index.md
@@ -21,6 +21,7 @@ Learn about managing applications in Windows 10 and Windows 10 Mobile clients.
|---|---|
|[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients|
| [Remove background task resource restrictions](enterprise-background-activity-controls.md) | Windows provides controls to manage which experiences may run in the background. |
+| [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) | Learn how to enable or block Windows Mixed Reality apps. |
|[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications|
| [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 |
|[Per User services in Windows 10](sideload-apps-in-windows-10.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016|
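Review bot: While this table is being edited, the last row, "Per User services in Windows 10", links to `sideload-apps-in-windows-10.md`, the same target as the Sideload row. This patch also modifies `per-user-services-in-windows.md`, which looks like the intended target; please fix the link in the same change.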
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
new file mode 100644
index 0000000000..69313ce229
--- /dev/null
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -0,0 +1,87 @@
+---
+title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10)
+description: Learn how to enable or block Windows Mixed Reality apps.
+keyboards: ["mr", "mr portal", "mixed reality portal", "mixed reality"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+author: jdeckerms
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# Enable or block Windows Mixed Reality apps in the enterprise
+
+**Applies to**
+
+- Windows 10
+
+Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block).
+
+
+
+## Enable Windows Mixed Reality in WSUS
+
+To enable users to download the Windows Mixed Reality software, enterprises using WSUS can approve Windows Mixed Reality package by unblocking the following KBs:
+
+- KB4016509
+- KB3180030
+- KB3197985
+
+Enterprises will not be able to install Windows Mixed Reality Feature on Demand (FOD) directly from WSUS. Instead, use one of the following options to install Windows Mixed Reality software:
+
+- Manually install the Mixed Reality software
+- IT admin can create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx)
+
+
+
+## Block the Mixed Reality Portal
+
+You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software.
+
+In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
+
+```xml
+
+
+
+ $CmdID$
+
+
+ ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
+
+
+ chr
+ text/plain
+
+
+ <RuleCollection Type="Appx" EnforcementMode="Enabled">
+ <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
+ <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*">
+ <BinaryVersionRange LowSection="*" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ </RuleCollection>>
+
+
+
+
+
+
+
+```
+
+
+## Related topics
+
+- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality)
\ No newline at end of file
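Review bot: The SyncML example targets `./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions`, while the sentence introducing it says to use the AppLocker CSP; please confirm which node is intended and make the prose and the LocURI agree, since admins will copy this block as-is. The payload also closes with `</RuleCollection>>`, and that extra `>` would end up in the policy data. Smaller points: the front matter uses `keyboards:` where the other topic in this patch uses `keywords:`, the prose names **Binary/VersionRange** but the element is `BinaryVersionRange`, and the file lacks a trailing newline.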
diff --git a/windows/application-management/media/user-service-flag.png b/windows/application-management/media/user-service-flag.png
new file mode 100644
index 0000000000..56e03d1bc5
Binary files /dev/null and b/windows/application-management/media/user-service-flag.png differ
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index f784c78af2..f1dbb4f189 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -19,10 +19,10 @@ Per-user services are services that are created when a user signs into Windows o
> [!NOTE]
> Per-user services are only in available in Windows Server if you have installed the Desktop Experience. If you are running a Server Core or Nano Server installation, you won't see these services.
-You can configure the template service to create per-user services in a stopped and disabled state by setting the template service's **Startup Type** to **Disabled**.
+You can set the template service's **Startup Type** to **Disabled** to create per-user services in a stopped and disabled state.
> [!IMPORTANT]
-> Carefully test any changes to the template service's Startup Type before deploying in production.
+> Carefully test any changes to the template service's Startup Type before deploying to a production environment.
Use the following information to understand per-user services, change the template service Startup Type, and manage per-user services through Group Policy and security templates.
For more information about disabling system services for Windows Server, see [Guidance on disabling system services on Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server).
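Review bot: The NOTE directly above the reworded sentence still reads "Per-user services are only in available in Windows Server". Since this hunk is a copy-edit of the neighbouring lines, fix that to "are only available in" in the same pass.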
@@ -131,13 +131,17 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
### Managing Template Services with regedit.exe
-If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the Template Services change the Startup Type for each service to 4 (disabled), as shown in the following example:
+If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled):

> [!CAUTION]
> We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution.
+Beginning with Windows 10, version 1709 and Windows Server, version 1709, you can prevent the per-user service from being created by setting **UserServiceFlags** to 0 under the same service configuration in the registry:
+
+
+
### Manage template services by modifying the Windows image
If you're using custom images to deploy Windows, you can modify the Startup Type for the template services as part of the normal imaging process.
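Review bot: The new **UserServiceFlags** paragraph ends in a colon and relies on the screenshot added in this patch (`media/user-service-flag.png`) for the actual step, without saying which value type to create or how to revert the change. Give a text equivalent next to the image, in the style of the `REG.EXE ADD ... /v Start` line earlier in this topic. The paragraph would also sit better above the CAUTION block, so that the warning about direct registry edits follows both registry procedures.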
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md
index 457e51889a..cc7f5fb34a 100644
--- a/windows/client-management/change-history-for-client-management.md
+++ b/windows/client-management/change-history-for-client-management.md
@@ -16,6 +16,11 @@ ms.date: 06/13/2017
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## RELEASE: Windows 10, version 1709
+
+The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update).
+
+
## July 2017
| New or changed topic | Description |
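Review bot: The new "RELEASE: Windows 10, version 1709" section says topics were updated but lists none, unlike the matching section added to the application-management change history in this patch. Name the changed topics (this patch edits `connect-to-remote-aadj-pc.md`, for example), and bump `ms.date`, which the hunk header still shows as 06/13/2017.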
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 43db69d30f..6b56d24b8f 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -8,6 +8,8 @@ ms.sitesec: library
ms.pagetype: devices
author: jdeckerms
ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
---
# Connect to remote Azure Active Directory-joined PC
@@ -23,7 +25,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
## Set up
-- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
+- Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.
@@ -33,7 +35,13 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
>[!NOTE]
- >You cannot specify individual Azure AD accounts for remote connections.
+ >You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet:
+ >
+ >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"`
+ >
+ >In Windows 10, version 1709, the user does not have to sign in to the remote device first.
+ >
+ >In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
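Review bot: In the rewritten note, `net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"` is introduced as a "PowerShell cmdlet", but `net localgroup` is a command-line tool; call it a command. Now that individual Azure AD accounts can be added, steps 3 and 4 still tell the admin to grant remote access to the local **Authenticated Users** group, so consider presenting the per-user route as the preferred, narrower option. "Restrict remote credentials to **Administrators**" is also unclear about which setting is meant; name it.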
diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
index ff39d3cc04..f884fd5a2e 100644
--- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md
+++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
@@ -27,7 +27,7 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application
User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
-| **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app
User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
+| **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app
User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |
diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
index 3536562d23..588cc4a26f 100644
--- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
@@ -34,7 +34,7 @@ When a device running Windows 10 Mobile is joined to Azure AD, the device can e
- Enable enterprise roaming of settings. (Not currently supported but on roadmap)
-- Use Windows Store for Business to target applications to users.
+- Use Microsoft Store for Business to target applications to users.
## Are you upgrading current devices to Windows 10 Mobile?
@@ -58,7 +58,7 @@ Even though Azure AD Join on Windows 10 Mobile provides the best overall experi
- You can add access to Azure AD-backed resources on the device without resetting the device.
-However, neither of these methods provides SSO in the Windows Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=734996)
+However, neither of these methods provides SSO in the Microsoft Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=734996)
Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](https://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM.
@@ -188,10 +188,10 @@ To see the Notebooks that your Azure AD account has access to, tap **More Notebo

-## Use Windows Store for Business
+## Use Microsoft Store for Business
-[Microsoft Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Microsoft Store for Business portal can be installed by users.
+[Microsoft Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Microsoft Store application. These applications show up on a tab titled for your company. Applications approved in the Microsoft Store for Business portal can be installed by users.

diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
index 78ca7c8d39..f946781086 100644
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@@ -27,7 +27,7 @@ You can use the same management tools to manage all device types running Windows
| --- | --- |
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment |
| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC |
-| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees |
+| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees |
| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education |
| [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start |
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 396ee16956..34b1af8c9f 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -38,7 +38,7 @@ Windows 10 offers a range of management options, as shown in the following diagr
-As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Windows Store for Business.
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
## Deployment and Provisioning
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index e02d2d3e65..3571ec64d7 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -168,4 +168,4 @@ When a user is configured with a mandatory profile, Windows 10 starts as though
- [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight)
- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=mandatory-user-profile.md).
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 947ffa3bac..623210a376 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -2,6 +2,7 @@
## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
## [Mobile device enrollment](mobile-device-enrollment.md)
### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
+### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)
### [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 2737a54616..5ab0e0ff0b 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -33,7 +33,7 @@ Defines the root node for the AppLocker configuration service provider.
**ApplicationLaunchRestrictions**
Defines restrictions for applications.
-> **Note**
+> [!NOTE]
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
>
> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps.
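Review bot: The alert marker introduced here is written `> [!NOTE]`, while assignedaccess-csp.md in this same patch uses `> [!Note]`. Pick one casing for the whole change set so the notes render and grep consistently. The note body also says inbox apps are "also blocked" once an allow list exists, so it is worth confirming that the inbox app list further down (which this patch extends with Mixed Reality Portal) stays in sync with it.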
@@ -120,7 +120,7 @@ In addition, each **Grouping** node contains one or more of the following nodes:
StoreApps
-
Defines restrictions for running apps from the Windows Store.
+
Defines restrictions for running apps from the Microsoft Store.
Supported operations are Get, Add, Delete, and Replace.
@@ -571,6 +571,10 @@ The following list shows the apps that may be included in the inbox.
906beeda-b7e6-4ddc-ba8d-ad5031223ef9
906beeda-b7e6-4ddc-ba8d-ad5031223ef9
+
+
Mixed Reality Portal
+
+
Microsoft.Windows.HolographicFirstRun
Money
1e0440f1-7abf-4b9a-863d-177970eefb5e
@@ -856,6 +860,47 @@ The following example blocks the usage of the map application.
```
+The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
+
+```xml
+
+
+
+ $CmdID$
+
+
+ ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
+
+
+ chr
+ text/plain
+
+
+ <RuleCollection Type="Appx" EnforcementMode="Enabled">
+ <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
+ <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*">
+ <BinaryVersionRange LowSection="*" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ </RuleCollection>>
+
+
+
+
+
+
+
+```
+
The following example for Windows 10 Mobile denies all apps and allows the following apps:
- [settings app that rely on splash apps](#settingssplashapps)
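Review bot: The closing tag in the added payload reads `</RuleCollection>>`. The trailing `>` is stray and will be sent as part of the policy data by anyone who copies the example, so drop it. Two smaller points in the same hunk: the introductory sentence refers to **Binary/VersionRange**, but the element in the example is `BinaryVersionRange`, and the Deny rule uses `LowSection="*"` where the Allow rule above it uses `LowSection="0.0.0.0"`; either align the two or say why they differ. Because the example pairs an allow-all rule with a Deny rule for one package, one sentence stating that the Deny rule is what blocks `Microsoft.Windows.HolographicFirstRun` despite the allow-all rule would help readers who adapt it.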
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 2e6580c656..bd4a538872 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/19/2017
+ms.date: 10/03/2017
---
# AssignedAccess CSP
@@ -19,16 +19,17 @@ The AssignedAccess configuration service provider (CSP) is used set the device t
For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
-> **Note** The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro.
+> [!Note]
+> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
The following diagram shows the AssignedAccess configuration service provider in tree format

-**./Vendor/MSFT/AssignedAccess**
+**./Device/Vendor/MSFT/AssignedAccess**
Root node for the CSP.
-**AssignedAccess/KioskModeApp**
+**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220).
In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
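Review bot: The root node changes from `./Vendor/MSFT/AssignedAccess` to `./Device/Vendor/MSFT/AssignedAccess` with no statement about whether the old path is still accepted. Administrators with existing kiosk payloads need to know if they must update their LocURIs, so add a sentence on that next to "Root node for the CSP." The child node heading also switches from the relative form (`AssignedAccess/KioskModeApp`) to the full path, which is fine but should then be applied to every node in the file, as the next hunk does for `Configuration`.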
@@ -49,7 +50,7 @@ For a local account, the domain name should be the device name. When Get is exec
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
-**AssignedAccess/Configuration**
+**./Device/Vendor/MSFT/AssignedAccess/Configuration**
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
Enterprises can use this to easily configure and manage the curated lockdown experience.
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index ff8c33aa7e..fd5460395b 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -2537,6 +2537,7 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that
- [ActiveSync CSP](activesync-csp.md)
- [APPLICATION CSP](application-csp.md)
- [AppLocker CSP](applocker-csp.md)
+- [AssignedAccess CSP](assignedaccess-csp.md)
- [BOOTSTRAP CSP](bootstrap-csp.md)
- [CellularSettings CSP](cellularsettings-csp.md)
- [CertificateStore CSP](certificatestore-csp.md)
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index 1edda04b19..68de7f9bb2 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -230,11 +230,11 @@ The following diagram shows the Update policies in a tree format.
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.
+
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
-
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store
+
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft
-
Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.
+
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working.
The following list shows the supported values:
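Review bot: All three replaced lines in this hunk lost the word "Store": they now read "Windows Server Update Services (WSUS), or Microsoft.", "other services like Microsoft Update or the Microsoft" and "public services such as the Microsoft to stop working". The rest of the patch renames "Windows Store" to "Microsoft Store", so these should read "Microsoft Store" as well. As written, the last sentence no longer tells an admin which service breaks when the policy is enabled.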
diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md
index 562f8b5117..684988216b 100644
--- a/windows/client-management/mdm/devicemanageability-csp.md
+++ b/windows/client-management/mdm/devicemanageability-csp.md
@@ -37,17 +37,17 @@ Returns the versions of all configuration service providers supported on the dev
Added in Windows 10, version 1709. Interior node.
**Provider/_ProviderID_**
-Added in Windows 10, version 1709. Provider ID of the configuration source.
+Added in Windows 10, version 1709. Provider ID of the configuration source. ProviderID should be unique among the different config sources.
**Provider/_ProviderID_/ConfigInfo**
Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session.
-The MDM server can query ConfigInfo to determine the settings of the traditional PC management system. The MDM can also configure ConfigInfo with its own device management information.
+ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources.
Data type is string. Supported operations are Add, Get, Delete, and Replace.
**Provider/_ProviderID_/EnrollmentInfo**
-Added in Windows 10, version 1709. Enrollment information string value set by the configuration source. Recommended to send to server during MDM enrollment.
+Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It is readable by MDM server during sync session.
Data type is string. Supported operations are Add, Get, Delete, and Replace.
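Review bot: The new ConfigInfo text says the value "is readable by other config sources" but gives no guidance on what may be stored there; since any other provider can read it, state that ConfigInfo must not carry secrets or credentials. The added sentence "ProviderID should be unique among the different config sources" also leaves open how uniqueness is achieved and what happens on a collision, which matters because write access to ConfigInfo is tied to owning the ProviderID. Finally, the removed sentence was the only place that explained what the MDM server uses ConfigInfo for; the remaining "Recommended to be used during sync session" is hard to follow without it.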
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
new file mode 100644
index 0000000000..268ff5b5ee
--- /dev/null
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -0,0 +1,121 @@
+---
+title: Enroll a Windows 10 device automatically using Group Policy
+description: Enroll a Windows 10 device automatically using Group Policy
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 10/02/2017
+---
+
+# Enroll a Windows 10 device automatically using Group Policy
+
+Starting in Windows 10, version 1709 you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain joined devices.
+
+Requirements:
+- AD-joined PC running Windows 10, version 1709
+- Enterprise has MDM service already configured
+- Enterprise AD must be registered with Azure AD
+
+> [!Tip]
+> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
+
+To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line.
+
+Here is a partial screenshot of the result:
+
+
+
+The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
+
+> [!Note]
+> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.
+
+When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
+
+In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy is take precedence over MDM). In the future release of Windows 10, we are considering a feature that allows the admin to control which policy takes precedence.
+
+For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
+
+## Configure the auto-enrollment Group Policy for a single PC
+
+This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
+
+Requirements:
+- AD-joined PC running Windows 10, version 1709
+- Enterprise has MDM service already configured
+- Enterprise AD must be registered with Azure AD
+
+1. Run GPEdit.msc
+
+ Click Start, then in the text box type gpedit.
+
+ 
+
+2. Under **Best match**, click **Edit group policy** to launch it.
+
+3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
+
+ 
+
+4. Double-click **Auto MDM Enrollment with AAD Token**.
+
+ 
+
+5. Click **Enable**, then click **OK**.
+
+ A task is created and scheduled to run every 5 minutes for the duration of 1 day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
+
+ To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
+
+ If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
+
+ 
+
+6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
+
+7. Click **Info** to see the MDM enrollment information.
+
+ 
+
+ If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app).
+
+
+### Task Scheduler app
+
+1. Click **Start**, then in the text box type **task scheduler**.
+
+ 
+
+2. Under **Best match**, click **Task Scheduler** to launch it.
+
+3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**.
+
+ 
+
+ To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
+
+ If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies.
+
+## Configure the auto-enrollment for a group of devices
+
+Requirements:
+- AD-joined PC running Windows 10, version 1709
+- Enterprise has MDM service already configured (with Intune or a third party service provider)
+- Enterprise AD must be integrated with Azure AD.
+- Ensure that PCs belong to same computer group.
+
+1. Create a Group Policy Object (GPO) and enable the Group Policy **Auto MDM enrollment with AAD token**.
+2. Create a Security Group for the PCs.
+3. Link the GPO.
+4. Filter using Security Groups.
+5. Enforce a GPO link
+
+### Related topics
+
+- [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)
+- [Create and Edit a Group Policy Object](https://technet.microsoft.com/en-us/library/cc754740(v=ws.11).aspx)
+- [Link a Group Policy Object](https://technet.microsoft.com/en-us/library/cc732979(v=ws.11).aspx)
+- [Filter Using Security Groups](https://technet.microsoft.com/en-us/library/cc752992(v=ws.11).aspx)
+- [Enforce a Group Policy Object Link](https://technet.microsoft.com/en-us/library/cc753909(v=ws.11).aspx)
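Review bot: The precedence paragraph in the new file is garbled where it matters most: "the GP policy wins (GP policy is take precedence over MDM)". This is the statement admins will rely on when a setting is defined in both places, so reword it to a single clear sentence. Other wording to fix before merge: "relies of the presence" (should be "on"), "the the MS-MDE2", the leading space inside the quoted task name `" Schedule created by enrollment client ...`, "enrollment to MDM , click", and the policy name, which appears both as **Auto MDM Enrollment with AAD Token** and **Auto MDM enrollment with AAD token**. The requirements lists disagree on "registered with Azure AD" versus "integrated with Azure AD"; use one term. The bulk-deployment section is five one-line steps with no detail beyond the related links, while the single-PC walkthrough, which the text itself says is not for production, is fully illustrated; the production path deserves at least the policy location and the security-group filtering spelled out. The **Task Scheduler app** heading is also nested under the single-PC section although both procedures need it.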
diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md
index fd6c08650e..f210212445 100644
--- a/windows/client-management/mdm/enterprise-app-management.md
+++ b/windows/client-management/mdm/enterprise-app-management.md
@@ -31,8 +31,8 @@ Windows 10 offers the ability for management servers to:
Windows 10 lets you inventory all apps deployed to a user and all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and does not include traditional Win32 apps installed via MSI or executables. When the apps are inventoried they are separated based on the following app classifications:
-- Store - Apps that are from the Windows Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
-- nonStore - Apps that were not acquired from the Windows Store.
+- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
+- nonStore - Apps that were not acquired from the Microsoft Store.
- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried.
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
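Review bot: The first classification is named "Store" in this list, but the uninstall section of the same file and the Source values in enterprisemodernappmanagement-csp.md call the node "AppStore". Since the following sentence says these classifications map to nodes in the CSP, the name here should match the node name, otherwise readers will build a LocURI with the wrong segment.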
@@ -151,9 +151,9 @@ There are two basic types of apps you can deploy: Store apps and enterprise sign
### Unlock the device for non-Store apps
-To deploy app that are not from the Windows Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device provided that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
+To deploy app that are not from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device provided that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
-The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device or a root certificate in the Trusted Root of the device. The policy is not configured by default, which means only apps from the Windows Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
+The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device or a root certificate in the Trusted Root of the device. The policy is not configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md).
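Review bot: The rewritten AllowAllTrustedApps paragraph says "If the management server implicitly sets the value to off", while the parallel AllowDeveloperUnlock paragraph later in this file says "explicitly sets the value to off". A server setting a value is an explicit action, so "implicitly" looks like a typo and changes the meaning of when the device setting gets locked. While touching these lines, also fix "To deploy app that are not from" and "enables the installation apps that are trusted". Since this policy widens what can be installed to anything chaining to a certificate on the device, the wording should be exact.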
@@ -189,7 +189,7 @@ Here are some examples.
Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP.
-AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock is not configured by default, which means only Windows Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
+AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock is not configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
Deployment of apps to Windows 10 for desktop editions requires that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Deployment to Windows 10 Mobile does not validate whether the non-Store apps have a valid root of trust on the device.
@@ -225,19 +225,19 @@ Here is an example.
## Install your apps
-You can install apps to a specific user or to all users of a device. Apps are installed directly from the Windows Store or in some cases from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
+You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store or in some cases from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
### Deploy apps to user from the Store
-To deploy an app to a user directly from the Windows Store, the management server performs an Add and Exec commands on the AppInstallation node of the EnterpriseModernAppManagement CSP. This is only supported in the user context and not supported in the device context.
+To deploy an app to a user directly from the Microsoft Store, the management server performs an Add and Exec commands on the AppInstallation node of the EnterpriseModernAppManagement CSP. This is only supported in the user context and not supported in the device context.
-If you purchased an app from the Store for Business and the app is specified for an online license, the app and license must be acquired directly from the Windows Store.
+If you purchased an app from the Store for Business and the app is specified for an online license, the app and license must be acquired directly from the Microsoft Store.
Here are the requirements for this scenario:
- The app is assigned to a user Azure Active Directory (AAD) identity in the Store for Business. You can do this directly in the Store for Business or through a management server.
-- The device requires connectivity to the Windows Store.
-- Windows Store services must be enabled on the device. Note that the UI for the Windows Store can be disabled by the enterprise admin.
+- The device requires connectivity to the Microsoft Store.
+- Microsoft Store services must be enabled on the device. Note that the UI for the Microsoft Store can be disabled by the enterprise admin.
- The user must be signed in with their AAD identity.
Here are some examples.
@@ -303,7 +303,7 @@ Here are the requirements for this scenario:
- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
-- The device does not need to have connectivity to the Windows Store, store services, or the have the Windows Store UI be enabled.
+- The device does not need to have connectivity to the Microsoft Store, store services, or the have the Microsoft Store UI be enabled.
- The user must be logged in, but association with AAD identity is not required.
> **Note** You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
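Review bot: The changed bullet reads "or the have the Microsoft Store UI be enabled", which does not parse. The equivalent bullet in the device-context section of this file ("The device does not need to have connectivity to the Microsoft Store, or store services enabled") is cleaner and could be reused. The context lines in this hunk also carry `app1.apx` in the UNC example and a trailing `\_` after the HTTPS URL where a closing parenthesis is expected; worth fixing in the same pass since both sections repeat them.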
@@ -420,7 +420,7 @@ Here are the requirements for this scenario:
- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
-- The device does not need to have connectivity to the Windows Store, or store services enabled.
+- The device does not need to have connectivity to the Microsoft Store, or store services enabled.
- The device does not need any AAD identity or domain membership.
- For nonStore app, your device must be unlocked.
- For Store offline apps, the required licenses must be deployed prior to deploying the apps.
@@ -584,8 +584,8 @@ The Data field value of 0 (zero) indicates sucess, otherwise it is an error code
You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes:
-- AppStore - These apps are for the Windows Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
-- nonStore - These apps that were not acquired from the Windows Store.
+- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
+- nonStore - These apps that were not acquired from the Microsoft Store.
- System - These apps are part of the OS. You cannot uninstall these apps.
To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family nane and package full name.
@@ -717,7 +717,7 @@ Apps installed on a device can be updated using the management server. Apps can
### Update apps directly from the store
-To update an app from Windows Store, the device requires contact with the store services.
+To update an app from Microsoft Store, the device requires contact with the store services.
Here is an example of an update scan.
@@ -760,7 +760,7 @@ A provisioned app automatically updates when an app update is sent to the user.
You can prevent specific apps from being automatically updated. This allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
-Turning off updates only applies to updates from the Windows Store at the device level. This feature is not available at a user level. You can still update an app if the offline packages is pushed from hosted install location.
+Turning off updates only applies to updates from the Microsoft Store at the device level. This feature is not available at a user level. You can still update an app if the offline packages is pushed from hosted install location.
Here is an example.
@@ -821,7 +821,7 @@ Here is an example.
### Restrict AppData to the system volume
-In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Windows Store app to the system volume, regardless of where the package is installed or moved.
+In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Microsoft Store app to the system volume, regardless of where the package is installed or moved.
> **Note** The feature is only for Windows 10 Mobile.
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index f8a14b5289..42aced1bad 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -68,8 +68,8 @@ The following image shows the EnterpriseModernAppManagement configuration servic
- PackageDetails - returns all inventory attributes of the package. This includes all information from PackageNames parameter, but does not validate RequiresReinstall.
- RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state.
- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are:
- - AppStore - This classification is for apps that were acquired from Windows Store. These were apps directly installed from Windows Store or enterprise apps from Microsoft Store for Business.
- - nonStore - This classification is for apps that were not acquired from the Windows Store.
+ - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business.
+ - nonStore - This classification is for apps that were not acquired from the Microsoft Store.
- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried.
- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are:
@@ -163,7 +163,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic
````
**AppManagement/nonStore**
-
Used to manage enterprise apps or developer apps that were not acquired from the Windows Store.
+
Used to manage enterprise apps or developer apps that were not acquired from the Microsoft Store.
Supported operation is Get.
@@ -173,7 +173,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic
Supported operation is Get.
**AppManagement/AppStore**
-
Required. Used for managing apps from the Windows Store.
+
Required. Used for managing apps from the Microsoft Store.
Supported operations are Get and Delete.
@@ -372,7 +372,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic
**AppInstallation/*PackageFamilyName*/StoreInstall**
-
Required. Command to perform an install of an app and a license from the Windows Store.
+
Required. Command to perform an install of an app and a license from the Microsoft Store.
Supported operation is Execute, Add, Delete, and Get.
@@ -438,7 +438,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic
Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value:
- Unknown - unknown license category
-- Retail - license sold through retail channels, typically from the Windows Store
+- Retail - license sold through retail channels, typically from the Microsoft Store
- Enterprise - license sold through the enterprise sales channel, typically from the Store for Business
- OEM - license issued to an OEM
- Developer - developer license, typically installed during the app development or side-loading scernarios.
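Review bot: The unchanged line right after the edited Retail entry still has the typo "scernarios" ("side-loading scernarios"), and the list is introduced with "Valid value:" although five values follow. Since this list is already being touched, fix both in the same change.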
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index ea9ebb3cb7..99740e166c 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -193,7 +193,7 @@ The following diagram shows the Firewall configuration service provider in tree
This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.
+
This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/FilePath**
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 7a8de5174f..72944197b3 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -1341,7 +1341,7 @@ ServiceName
- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.
+ PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
diff --git a/windows/client-management/mdm/images/autoenrollment-2-factor-auth.png b/windows/client-management/mdm/images/autoenrollment-2-factor-auth.png
new file mode 100644
index 0000000000..ba16fbcd27
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-2-factor-auth.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-device-status.png b/windows/client-management/mdm/images/autoenrollment-device-status.png
new file mode 100644
index 0000000000..67072b0da7
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-device-status.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-gpedit.png b/windows/client-management/mdm/images/autoenrollment-gpedit.png
new file mode 100644
index 0000000000..e863dfc945
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-gpedit.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-mdm-policies.png b/windows/client-management/mdm/images/autoenrollment-mdm-policies.png
new file mode 100644
index 0000000000..29cb6d14da
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-mdm-policies.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-policy.png b/windows/client-management/mdm/images/autoenrollment-policy.png
new file mode 100644
index 0000000000..f9bb009514
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-policy.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-scheduled-task.png b/windows/client-management/mdm/images/autoenrollment-scheduled-task.png
new file mode 100644
index 0000000000..bfa805bfbd
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-scheduled-task.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-settings-work-school.png b/windows/client-management/mdm/images/autoenrollment-settings-work-school.png
new file mode 100644
index 0000000000..31fb7a400a
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-settings-work-school.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png b/windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png
new file mode 100644
index 0000000000..56f071dcda
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png
index df8aa48b95..c8db9ee059 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png and b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png
new file mode 100644
index 0000000000..c75d6ca38f
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png
new file mode 100644
index 0000000000..bf44fb2d97
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png
new file mode 100644
index 0000000000..66c6b0ee19
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png
new file mode 100644
index 0000000000..cd28d561d8
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png
new file mode 100644
index 0000000000..48025064e0
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png
new file mode 100644
index 0000000000..8fbb961540
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png
new file mode 100644
index 0000000000..a3e3fe20d2
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png
new file mode 100644
index 0000000000..304bf8aa0b
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png
new file mode 100644
index 0000000000..5ed04fb4a2
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png differ
diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
index 02d281e49f..90364628ea 100644
--- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
+++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
@@ -21,8 +21,8 @@ Here's the list of the available capabilities:
- Support for enterprise identities – Enables end users within an organization to use the identity that has been provided to them within the organization. This enables an organization to retain control of the application and eliminates the need for an organization to maintain another set of identities for their users.
- Bulk acquisition support of applications – Enables an IT administrator to acquire applications in bulk. IT departments can now take control over the procurement and distribution of applications. Previously, users acquire applications manually.
-- License reclaim and re-use – Enables an enterprise to retain value in their purchases by allowing the ability to un-assign access to an application, and then reassign the application to another user. In Windows Store today, when a user with a Microsoft account leaves the organization he retains ownership of the application.
-- Flexible distribution models for Windows Store apps – Allows the enterprise to integrate with an organization's infrastructure the processes to distribute applications to devices that are connected to Store for Business services and to devices without connectivity to the Store for Business services.
+- License reclaim and re-use – Enables an enterprise to retain value in their purchases by allowing the ability to un-assign access to an application, and then reassign the application to another user. In Microsoft Store today, when a user with a Microsoft account leaves the organization he retains ownership of the application.
+- Flexible distribution models for Microsoft Store apps – Allows the enterprise to integrate with an organization's infrastructure the processes to distribute applications to devices that are connected to Store for Business services and to devices without connectivity to the Store for Business services.
- Custom Line of Business app support –Enables management and distribution of enterprise applications through the Store for Business.
- Support for Windows desktop and mobile devices - The Store for Business supports both desktop and mobile devices.
@@ -45,7 +45,7 @@ The Store for Business provides services that enable a management tool to synchr
Licensing models
Offline vs. Online
-
Online-licensed applications require connectivity to the Windows Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Windows Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
+
Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.
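Review bot: The rewritten online-licensing paragraph keeps the agreement error "Assigning or reclaiming seats for an application require a call"; it should be "requires a call". The following context line has the same kind of slip ("Offline-licensed application do not require"), so both are worth correcting while the paragraph is open.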
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index af2ac59df8..583f8d769c 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 09/19/2017
---
# MDM enrollment of Windows-based devices
@@ -178,35 +178,33 @@ All Windows 10-based devices can be connected to a work or school account. You
### Using the Settings app
-1. Launch the Settings app.
+1. Launch the Settings app and then click **Accounts**. Click **Start**, then the Settings icon, and then select **Accounts**
- 
+ 
-2. Next, navigate to **Accounts**.
+2. Navigate to **Access work or school**.
- 
+ 
-3. Navigate to **Access work or school**.
+3. Click **Connect**.
- 
+ 
-4. Click **Connect**.
+4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
- 
+ 
-5. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
-
- 
-
-6. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication.
+5. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM.
+ Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up.
+

-7. After you complete the flow, your Microsoft account will be connected to your work or school account.
+6. After you complete the flow, your Microsoft account will be connected to your work or school account.

@@ -238,11 +236,12 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an
6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information.
- Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
+ Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen.
+
+ 
After you complete the flow, your device will be connected to your organization’s MDM.
-
- 
+
### Connecting to MDM on a phone (Enrolling in device management)
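Review bot: The screenshot added under the new "enrollment progress" sentence uses the alt text "corporate sign in", which describes a sign-in page rather than a progress screen; change it to match what unifiedenrollment-rs1-33-b.png shows. The version statement is also appended to the second-factor sentence in the same paragraph, which makes it read as if progress is shown only when a second factor is requested; put it in its own paragraph as was done in the Settings app procedure.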
@@ -298,12 +297,12 @@ The deep link used for connecting your device to work will always use the follow
| Parameter | Description | Supported Value for Windows 10|
|-----------|--------------------------------------------------------------|----------------------------------------------|
| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| “mdm” |
-|Username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string |
-| Servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string|
-| Accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string |
-| Deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID |
-| Tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string |
-| Ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3 |
+|username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string |
+| servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string|
+| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string |
+| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID |
+| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string |
+| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3 |
### Connecting to MDM using a deep link
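Review bot: The hunk lowercases all six parameter names without stating whether the enrollment handler treats them as case-sensitive; if links built with the previous `Username` or `Servername` spelling behave differently, say so in the table or in a note. The `|username` row is also missing the space after the leading pipe that the other rows have. Because `accesstoken` is described as a token used to validate the enrollment request and it travels in the URI, a sentence on how MDM servers should limit its lifetime and scope would help implementers.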
@@ -311,6 +310,7 @@ The deep link used for connecting your device to work will always use the follow
When connecting to MDM using a deep link, the URI you should use is
**ms-device-enrollment:?mode=mdm**
+**ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=https://example.server.com**
The following procedure describes how users can connect their devices to MDM using deep links.
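Review bot: The added example URI is placed directly under the bare `mode=mdm` URI with no blank line or lead-in, so the two bold lines will run together when rendered and "the URI you should use is" now introduces two different URIs. Separate them and label the second as the form with optional parameters. The example also puts `servername=https://example.server.com` and the `@` in `username` into the query string unencoded; state whether these values must be percent-encoded so that integrators do not build links that parse differently from what they intend.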
@@ -343,16 +343,7 @@ The following procedure describes how users can connect their devices to MDM usi
Your work or school connections can be managed on the **Settings** > **Accounts** > **Access work or school** page. Your connections will show on this page and clicking on one will expand options for that connection.
-
-
-### Manage
-
-The **Manage** button can be found on work or school connections involving Azure AD. This includes the following scenarios:
-
-- Connecting your device to an Azure AD domain
-- Connecting to a work or school account.
-
-Clicking on the manage button will open the Azure AD portal associated with that connection in your default browser.
+
### Info
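Review bot: Deleting the whole **Manage** section removes the guidance for every Windows 10 release, but the note added later in this file says the button is unavailable only "Starting in Windows 10, version 1709". Readers on earlier versions still see the button and lose its description. Consider keeping the section with a version qualifier, or moving the 1709 note to this spot so the removal is explained where the section used to be.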
@@ -364,7 +355,12 @@ The **Info** button can be found on work or school connections involving MDM. Th
Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed.
-
+Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screehshot.
+
+
+
+> [!Note]
+> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
### Disconnect
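Review bot: Typo in the added sentence: "Here is an example screehshot." should read "screenshot". The note about the **Manage** button is added at the end of the **Info** section, where it is easy to miss; it would be clearer next to the list of connection options at the top of "Managing connections".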
@@ -375,16 +371,14 @@ The **Disconnect** button can be found on all work connections. Generally, click
> **Warning** Disconnecting might result in the loss of data on the device.
-
-
-
-
## Collecting diagnostic logs
You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and clicking the **Export your management logs** link under **Related Settings**. After you click the link, click **Export** and follow the path displayed to retrieve your management log files.
-
+Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and clicking the **Info** button. At the bottom of the Settings page you will see the button to create a report. Here is an example screenshot.
+
+
@@ -392,4 +386,3 @@ You can collect diagnostic logs around your work connections by going to **Setti
-
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 18854315f9..e9c457174a 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/19/2017
+ms.date: 10/02/2017
---
# What's new in MDM enrollment and management
@@ -1000,8 +1000,21 @@ For details about Microsoft mobile device management protocols for Windows 10 s
Added new policies.
-
Microsoft Store for Business
-
Windows Store for Business name changed to Microsoft Store for Business.
+
Microsoft Store for Business and Microsoft Store
+
Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.
+
+
[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
+
New features in the Settings app:
+
+
User sees installation progress of critical policies during MDM enrollment.
+
User knows what policies, profiles, apps MDM has configured
+
IT helpdesk can get detailed MDM diagnostic information using client tools
+
+
For details, see [Managing connection](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)
+
+
+
[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)
+
Added new topic to introduce a new Group Policy for automatic MDM enrollment.
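Review bot: The link text "[Managing connection]" does not match the target heading or its anchor `#managing-connections`; the same entry added further down in this file uses "Managing connections", so use the plural here too. The three feature bullets are inconsistently punctuated: the first ends with a period and the other two do not.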
@@ -1149,7 +1162,7 @@ The software version information from **DevDetail/SwV** does not match the versi
To workaround this issue, remove the Windows Phone 8.1 publisher rule and add the specific product ID for each Silverlight app you want to allow to the allowed app list.
-- Some apps (specifically those that are published in Windows Store as AppX Bundles) are blocked from installing even when they are included in the app list.
+- Some apps (specifically those that are published in Microsoft Store as AppX Bundles) are blocked from installing even when they are included in the app list.
No workaround is available at this time. An OS update to fix this issue is coming soon.
@@ -1384,8 +1397,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.
-
Microsoft Store for Business
-
Windows Store for Business name changed to Microsoft Store for Business.
+
Microsoft Store for Business and Microsoft Store
+
Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.
The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)
@@ -1401,9 +1414,24 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
[EntepriseAPN CSP](enterpriseapn-csp.md)
Added a SyncML example.
+
[VPNv2 CSP](vpnv2-csp.md)
Added RegisterDNS setting in Windows 10, version 1709.
+
+
[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)
+
Added new topic to introduce a new Group Policy for automatic MDM enrollment.
+
+
+
[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
+
New features in the Settings app:
+
+
User sees installation progress of critical policies during MDM enrollment.
+
User knows what policies, profiles, apps MDM has configured
+
IT helpdesk can get detailed MDM diagnostic information using client tools
+
+
For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)
+
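Review bot: In the added feature list, "User knows what policies, profiles, apps MDM has configured" is missing a conjunction and a closing period, and the third item also lacks a period while the first has one. The unchanged line just above the added VPNv2 entry still spells the link text "EntepriseAPN CSP"; correct it to "EnterpriseAPN CSP" while this table is being edited.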
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index f0b176f45a..1d7f9a2f02 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -458,6 +458,9 @@ The following diagram shows the Policy configuration service provider in tree fo
System/TelemetryProxy
@@ -3094,7 +3070,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
-- [InternetExplorer/DisableBlockingOfOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-disableblockingofoutdatedactivexcontrols)
- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
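Review bot: The index entry for InternetExplorer/DisableBlockingOfOutdatedActiveXControls is removed with no explanation visible in the patch. If the policy is still documented in policy-csp-internetexplorer.md, the index no longer links to a security-relevant setting; if it was dropped from the CSP, the "What's new" change history touched in this same commit should record that. Please state which it is in the commit description.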
@@ -3152,11 +3127,9 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
-- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentsnotsignedwithauthenticode)
- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
-- [InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone](./policy-csp-internetexplorer.md#internetexplorer-internetzonewebsitesinlessprivilegedzonescannavigateintothiszone)
- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
@@ -3168,7 +3141,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrolsnotmarkedsafe)
- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
@@ -3286,13 +3258,11 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframesacrossdomains)
- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
-- [InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnoncrosssitescriptingfilter)
- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
@@ -3309,10 +3279,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedontrunantimalwareprogramsagainstactivexcontrols)
- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedassafe)
-- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedsafe)
- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
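Review bot: The three index entries removed here take their anchors with them, so any existing link to the TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls, TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe or TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe anchors in policy-csp-internetexplorer.md will stop resolving. The antimalware policy keeps a sibling entry (TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls), but both spellings of the not-marked-safe entry are dropped and no replacement is visible in this hunk. Please confirm that is intended and check for inbound links before merging.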
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 7953580ab4..a5815c7d3e 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -92,7 +92,7 @@ ms.date: 09/29/2017
-
Specifies whether non Windows Store apps are allowed.
+
Specifies whether non Microsoft Store apps are allowed.
The following list shows the supported values:
@@ -141,7 +141,7 @@ ms.date: 09/29/2017
-
Specifies whether automatic update of apps from Windows Store are allowed.
+
Specifies whether automatic update of apps from Microsoft Store are allowed.
The following list shows the supported values:
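Review bot: The added line keeps a subject-verb mismatch from the old text: "automatic update of apps from Microsoft Store are allowed" should read "is allowed" (the subject is "automatic update"), and "from Microsoft Store" is missing its article. Suggest "Specifies whether automatic update of apps from the Microsoft Store is allowed."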
@@ -448,7 +448,7 @@ ms.date: 09/29/2017
-
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded.
+
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded.
The following list shows the supported values:
@@ -496,13 +496,6 @@ ms.date: 09/29/2017
Allows disabling of the retail catalog and only enables the Private store.
-> [!IMPORTANT]
-> This node must be accessed using the following paths:
->
-> - **./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly** to set the policy.
-> - **./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly** to get the result.
-
-
The following list shows the supported values:
- 0 (default) – Allow both public and Private store.
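Review bot: Removing the IMPORTANT block drops the only statement in this section, as shown, that RequirePrivateStoreOnly is set under ./User/Vendor/MSFT/Policy/Config and read back under ./User/Vendor/MSFT/Policy/Result. If the page does not carry a Scope section for this policy, an admin has nothing telling them to target the user path, and a profile written against the wrong scope would leave the public store reachable without any obvious error. Please confirm the scope is documented elsewhere on the page, or keep a one-line scope statement here.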
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index d33bbd648c..9db44013c0 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -119,13 +119,6 @@ ms.date: 09/29/2017
Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
-> [!IMPORTANT]
-> This node must be accessed using the following paths:
->
-> - **./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO** to set the policy.
-> - **./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO** to get the result.
-
-
The following list shows the supported values:
- 0 – Not allowed.
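Review bot: Same concern as for the other removed path notes in this patch, and it matters more here because this is an authentication setting: after the removal, nothing in the visible section says AllowEAPCertSSO is configured under ./User/Vendor/MSFT/Policy/Config/Authentication. Please make sure the user scope is stated somewhere on the page before dropping these lines.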
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 2c7f399858..e31c570992 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 10/10/2017
---
# Policy CSP - Browser
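Review bot: ms.date is bumped here to 10/10/2017 and in policy-csp-localpoliciessecurityoptions.md to 10/05/2017, but the applicationmanagement, authentication, notifications and privacy pages edited in this same patch have no metadata hunk at all. Either bump ms.date on every page whose content changed or explain why only these two are updated, and consider using a single date for the whole change.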
@@ -231,7 +231,7 @@ ms.date: 09/29/2017
To verify AllowAutofill is set to 0 (not allowed):
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Save form entries** is greyed out.
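Review bot: Step 1 no longer mentions Microsoft Edge for Windows 10 Mobile, but nothing in this hunk says whether AllowAutofill itself still applies on Mobile. If the policy remains supported there, readers will now assume the verification steps are desktop-only; add a short note on Mobile support or on how to verify there.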
@@ -1177,8 +1177,8 @@ Employees cannot remove these search engines, but they can set any one as the de
This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.
-> [!IMPORTANT]
-> This node must be accessed using the following paths:
->
-> - **./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures** to set the policy.
-> - **./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures** to get the result.
-
-
The following list shows the supported values:
- 0 – Not allowed.
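Review bot: The removed note names Experience/AllowWindowsConsumerFeatures and the context line describes consumer experiences, yet this hunk sits under the policy-csp-browser.md file header and its hunk-header context is about search engines. The body as shown (seven removed lines, no additions) also does not match the "-1177,8 +1177,8" line counts. Please check that this change is applied to the Experience page and that the patch was not spliced when it was assembled.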
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 1a97e52c6c..f8d45a8179 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -110,9 +110,6 @@ ms.date: 09/29/2017
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
-- GP name: *VerMgmtDisable*
-- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
-- GP ADMX file name: *inetres.admx*
-
@@ -6090,61 +6008,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode**
-
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
@@ -6310,61 +6173,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone**
-
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
@@ -7052,61 +6860,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
-
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP English name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
@@ -14180,61 +13933,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains**
-
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP English name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
@@ -14510,61 +14208,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter**
-
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP English name: *Turn on Cross-Site Scripting Filter*
-- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
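Review bot: This removes the whole section for RestrictedSitesZoneTurnOnCrossSiteScriptingFilter (GP name IZ_PolicyTurnOnXSSFilter_Both_Restricted), and the matching index entry is removed earlier in the patch with no renamed replacement visible. This is a security setting that existing MDM profiles may reference, so please state whether the node is no longer supported by the Policy CSP or was only documented in error, and record that in the page's change history so admins know whether a deployed profile still has any effect.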
@@ -15522,61 +15165,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls**
-
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP English name: *Don't run antimalware programs against ActiveX controls*
-- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
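Review bot: The removed TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls section maps to GP name IZ_PolicyAntiMalwareCheckingOfActiveXControls_5, and the index keeps a similarly named TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls entry. Please verify that the retained section carries this same GP name and path, so the cleanup removes a duplicate rather than the only documentation for this group policy.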
@@ -15642,116 +15230,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe**
-
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP English name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-
-**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
-
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP English name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
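Review bot: The two sections removed in this hunk, TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe and TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe, carry identical ADMX info (GP name IZ_PolicyScriptActiveXNotMarkedSafe_5), so they are duplicates of each other, but both are deleted rather than one. Unless another section on the page already documents IZ_PolicyScriptActiveXNotMarkedSafe_5, keep one of the two; otherwise the Trusted Sites zone setting for unsafe ActiveX initialization ends up undocumented.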
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index f2c1e120e8..bb7fdbd8d7 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 10/05/2017
---
# Policy CSP - LocalPoliciesSecurityOptions
@@ -999,17 +999,17 @@ This policy setting controls the behavior of the elevation prompt for administra
The options are:
-• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
+- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
-• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
+- 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
-• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+- 2 - Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
-• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- 3 - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+- 4 - Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
-• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+- 5 - Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
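Review bot: The added value lines use "- 0 - Label: text", which differs from the value lists elsewhere in this patch ("- 0 – Not allowed.", "- 0 (default) – Allow both public and Private store."). The default marker is also easy to miss: it appears as "(Default)" after the label on the value 5 line. Suggest the existing convention, for example "- 5 (default) – Prompt for consent for non-Windows binaries: ...", so the default is visible next to the number an admin will actually put in the profile.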
@@ -1057,11 +1057,11 @@ This policy setting controls the behavior of the elevation prompt for standard u
The options are:
-• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- 3 - Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
+- 0 - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
-• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
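Review bot: The values are now listed in the order 3, 0, 1, which is the old bullet order with numbers attached. List them as 0, 1, 3 and keep the "(Default)" marker on 3, and add a sentence confirming that 2 is not a supported value for this policy, since the gap otherwise looks like an omission.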
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index f85714b12c..4b0a9b5e62 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -64,13 +64,6 @@ ms.date: 09/29/2017
Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
-> [!IMPORTANT]
-> This node must be accessed using the following paths:
->
-> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy.
-> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result.
-
-
For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
No reboot or service restart is required for this policy to take effect.
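Review bot: The paragraph kept just below the removed block describes per-user behaviour ("For each user logged into the device"), and the removed note was what told admins to use ./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring. If the page does not already state user scope in a Scope section, keep one sentence saying so, so the per-user description and the path to configure stay together.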
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 79333d939d..f839be65ee 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -1050,7 +1050,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
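Review bot: Since every one of these Privacy descriptions is being rewritten for the rename, fix the wording carried over in the added lines at the same time: "semi-colon delimited" should be "semicolon-delimited", and "Microsoft Store Apps" should be "Microsoft Store apps". The same applies to each of the following hunks in this file.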
@@ -1091,7 +1091,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
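Review bot: The allow-list and deny-list descriptions both say the setting "overrides the default LetAppsAccessCamera policy setting for the specified apps", and neither says which list wins when the same Package Family Name appears in both. For a privacy control an admin needs that precedence stated; add it here while the sentence is being edited, and likewise for the contacts, email, location and messaging variants.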
@@ -1132,7 +1132,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -1222,7 +1222,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -1263,7 +1263,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -1304,7 +1304,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -1394,7 +1394,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -1435,7 +1435,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -1476,7 +1476,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -1566,7 +1566,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -1607,7 +1607,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -1648,7 +1648,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -1738,7 +1738,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -1779,7 +1779,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -1820,7 +1820,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -1910,7 +1910,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -1951,7 +1951,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -1992,7 +1992,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -2082,7 +2082,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -2123,7 +2123,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -2164,7 +2164,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -2254,7 +2254,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -2295,7 +2295,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -2336,7 +2336,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -2426,7 +2426,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -2467,7 +2467,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -2508,7 +2508,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -2598,7 +2598,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -2639,7 +2639,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -2680,7 +2680,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -2762,7 +2762,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -2803,7 +2803,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -2844,7 +2844,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -2934,7 +2934,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -2975,7 +2975,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -3016,7 +3016,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -3106,7 +3106,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
@@ -3147,7 +3147,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
@@ -3188,7 +3188,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
@@ -3280,7 +3280,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
@@ -3321,7 +3321,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
@@ -3362,7 +3362,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
@@ -3452,7 +3452,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -3493,7 +3493,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -3534,7 +3534,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
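Review bot: Across the per-app list descriptions renamed in these hunks (allowed, denied, and user-in-control lists for each capability), the changed lines do not say which list takes effect when the same Package Family Name appears in more than one of them. Each only states that it "overrides the default LetAppsAccess... policy setting for the specified apps". An admin relying on a deny list needs that precedence spelled out, so add a sentence on it, or state that a name must appear in only one list. While these lines are being touched, "semi-colon delimited" would read better as "semicolon-delimited", and "Microsoft Store Apps" as "Microsoft Store apps".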
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index f73f1b8331..03c3fb2ea4 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -1536,15 +1536,7 @@ ms.date: 09/29/2017
> [!IMPORTANT]
-> This node is set on a per-user basis and must be accessed using the following paths:
-> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
-> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
->
->
-> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths:
-> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
-> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
-
+> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope)
Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
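Review bot: The blank line that followed the [!IMPORTANT] note is removed in this hunk, so the replacement `>` line is now followed directly by "Allows you to override the default Start layout", and Markdown lazy continuation will pull that paragraph into the note. Keep the blank line after the note. The replacement also drops the statement that the node is set per user, together with the explicit ./User and ./Device Config and Result paths. Confirm that the linked Policy scope section carries them, since "If both user and device policies are set, the user policy will be used" depends on the reader knowing both scopes exist. Also change "per user-basis" to "per-user basis" and end the link sentence with a period.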
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index e525611653..e05d775dd4 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -633,7 +633,7 @@ ADMX Info:
Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
* Users cannot access OneDrive from the OneDrive app or file picker.
-* Windows Store apps cannot access OneDrive using the WinRT API.
+* Microsoft Store apps cannot access OneDrive using the WinRT API.
* OneDrive does not appear in the navigation pane in File Explorer.
* OneDrive files are not kept in sync with the cloud.
* Users cannot automatically upload photos and videos from the camera roll folder.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 1d27aafdd8..63d53d42c4 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -537,11 +537,11 @@ This policy is accessible through the Update setting in the user interface or Gr
-
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.
+
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
-
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store
+
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store
-
Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.
+
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working.
The following list shows the supported values:
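Review bot: The second changed sentence still ends without a period ("...other services like Microsoft Update or the Microsoft Store"); add it while the line is being edited. In the first sentence, "whether the device could use" would be clearer as "can use". The third sentence is the one an admin acts on, because enabling the policy may stop Microsoft Store connections from working, so it would help to name the policy value that counts as "enabling" rather than leaving the reader to match it against the supported values list that follows.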
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index 0d7ab2b543..e249ddea29 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -234,7 +234,12 @@ ms.date: 09/29/2017
-
Added in Windows 10, version 1703.
+
Added in Windows 10, version 1703. Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device.
+
+
Allowed values:
+
+- 0 - Wireless display input disabled.
+- 1 (default) - Wireless display input enabled.
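Review bot: The new description does not say on which device the policy is applied. "Whether or not the wireless display can send input ... back to the source device" can be read as a setting on the source PC or on the receiving display. State that explicitly, because value 1 (input enabled) is the default and an admin who wants the input back channel off needs to know where to set 0. The phrase "if the display supports it" is also ambiguous between the dashes: make clear whether it qualifies only touch input or all four input types. For consistency with the other policy pages in this patch, consider "The following list shows the supported values:" in place of "Allowed values:".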
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 3e242783d4..3049402086 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -19470,7 +19470,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -19494,7 +19494,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -19518,7 +19518,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -31512,7 +31512,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -31536,7 +31536,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -31560,7 +31560,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -31608,7 +31608,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -31632,7 +31632,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -31656,7 +31656,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -31704,7 +31704,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -31728,7 +31728,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -31752,7 +31752,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -31800,7 +31800,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31824,7 +31824,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31848,7 +31848,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31896,7 +31896,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31920,7 +31920,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31944,7 +31944,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31992,7 +31992,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
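Review bot: missing documentation on the + line of the hunk at 31992: it says listed apps "are allowed access to the microphone" but not whether the user can still switch that access off for a listed app. The hunk at 32040 describes a separate list where "the user is able to control" the setting, which implies the allow list removes that choice; for a sensor like the microphone that should be stated explicitly rather than left to inference.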
@@ -32016,7 +32016,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -32040,7 +32040,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -32088,7 +32088,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -32112,7 +32112,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -32136,7 +32136,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -32184,7 +32184,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -32208,7 +32208,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -32232,7 +32232,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -32280,7 +32280,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -32304,7 +32304,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -32328,7 +32328,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -32376,7 +32376,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
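Review bot: wording on the + line of the hunk at 32376: "Listed apps will have access to control radios" switches to future tense and reads awkwardly next to the sibling descriptions, which use "Listed apps are allowed access to ...". Suggest "Listed apps are allowed to control radios" here and "Listed apps are not allowed to control radios" in the hunk at 32400.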
@@ -32400,7 +32400,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -32424,7 +32424,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -32472,7 +32472,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -32496,7 +32496,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -32520,7 +32520,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -32568,7 +32568,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -32592,7 +32592,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -32616,7 +32616,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
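Review bot: style point on the + line of the hunk at 32616: 'trusted devices' is wrapped in single quotes, while the other user-control descriptions in this patch (email, location, microphone, tasks) name the category unquoted. Suggest dropping the quotes, or quoting the setting name in every user-control description if it is meant to be a UI label.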
@@ -32856,7 +32856,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32880,7 +32880,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32904,7 +32904,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -35902,7 +35902,7 @@ The options are:
- This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+ This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
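Review bot: the + line writes "Microsoft Store apps" with a lowercase "apps", while every list description in this patch writes "Microsoft Store Apps"; pick one casing for the whole change. In the same sentence, "Users can't automatically upload" starts with a capital after a semicolon although the first item, "users can't access OneDrive", does not.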
@@ -41148,7 +41148,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -41172,7 +41172,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -41196,7 +41196,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
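Review bot: terminology on the + line of the hunk at 41196: it says "cellular data access setting", whereas the other user-control descriptions in this patch say "privacy setting" (for example "the camera privacy setting"). If cellular data is deliberately not classed as a privacy setting, that is fine, but otherwise align the term so readers can search for one phrase.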
@@ -53941,7 +53941,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
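Review bot: missing documentation on the + line of the hunk at 53941: the description asks for "Package Family Names" but gives no example of the expected format and no hint where to find one. Suggest a short example entry and a pointer such as the PackageFamilyName value reported by Get-AppxPackage, and a note on whether whitespace around the semicolons is tolerated.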
@@ -53965,7 +53965,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
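Review bot: missing documentation on the + line of the hunk at 53965: it does not say what happens to an entry that matches no installed package. Because the list only "overrides the default LetAppsAccessCamera policy setting for the specified apps", a mistyped name in this deny list would presumably leave the intended app under the default setting with no error; the description should say whether entries are validated.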
@@ -53989,7 +53989,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -54036,7 +54036,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -54060,7 +54060,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -54084,7 +54084,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -54131,7 +54131,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
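Review bot: maintenance point on the hunk at 54131: its + line is word-for-word the same as the + line of the hunk at 31704, and the hunks from 53941 onward repeat the earlier descriptions in the same way. The rename had to be applied to both copies by hand; suggest confirming that no further copy still says "Windows Store", and consider generating these descriptions from a single source so the copies cannot drift.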
@@ -54155,7 +54155,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -54179,7 +54179,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -54226,7 +54226,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -54250,7 +54250,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -54274,7 +54274,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -54321,7 +54321,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -54345,7 +54345,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -54369,7 +54369,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -54416,7 +54416,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -54440,7 +54440,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -54464,7 +54464,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -54511,7 +54511,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -54535,7 +54535,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -54559,7 +54559,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -54606,7 +54606,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -54630,7 +54630,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -54654,7 +54654,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -54701,7 +54701,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -54725,7 +54725,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -54749,7 +54749,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -54796,7 +54796,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -54820,7 +54820,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -54844,7 +54844,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -54891,7 +54891,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54915,7 +54915,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54939,7 +54939,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54986,7 +54986,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -55010,7 +55010,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -55034,7 +55034,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -55271,7 +55271,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -55295,7 +55295,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -55319,7 +55319,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -58356,7 +58356,7 @@ The options are:
- This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+ This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.0
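Review bot: The added line ends with a stray `0` after "OneDrive file storage." that the removed line does not have. Drop it so the only change in this hunk is "Windows Store apps" to "Microsoft Store apps".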
diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md
index d2734f6e16..4fbc202163 100644
--- a/windows/client-management/mdm/push-notification-windows-mdm.md
+++ b/windows/client-management/mdm/push-notification-windows-mdm.md
@@ -46,7 +46,7 @@ Note the following restrictions related to push notifications and WNS:
## Get WNS credentials and PFN for MDM push notification
-To get a PFN and WNS credentials, you must create an Windows Store app.
+To get a PFN and WNS credentials, you must create an Microsoft Store app.
1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account.
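Review bot: The rename makes the existing article error more visible on the added line: "you must create an Microsoft Store app" should read "a Microsoft Store app". The old text had the same problem ("an Windows Store app"), so this is a good moment to fix it.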
@@ -69,7 +69,7 @@ To get a PFN and WNS credentials, you must create an Windows Store app.
7. In the **Application Registration Portal** page, you will see the properties for the app that you created, such as:
- Application Id
- Application Secrets
- - Windows Store Package SID, Application Identity, and Publisher.
+ - Microsoft Store Package SID, Application Identity, and Publisher.

8. Click **Save**.
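Review bot: In the property list under step 7, confirm that the Application Registration Portal really shows this label as "Microsoft Store Package SID". The list describes what the reader will see on that page, so if the portal still displays "Windows Store Package SID", this line should keep the on-screen wording rather than follow the rename.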
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index aa98ff54c0..ede7194396 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -64,7 +64,7 @@ App identity, which is either an app’s package family name or file path. The t
**VPNv2/***ProfileName***/AppTriggerList/***appTriggerRowId***/App/Type**
Returns the type of **App/Id**. This value can be either of the following:
-- PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Windows Store application.
+- PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application.
- FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
Value type is chr. Supported operation is Get.
@@ -183,7 +183,7 @@ App identity for the app-based traffic filter.
The value for this node can be one of the following:
-- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.
+- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
- FilePath - This App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
- SYSTEM – This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
@@ -393,7 +393,7 @@ Added in Windows 10, version 1607. Comma Separated list of EKUs for the VPN Cli
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/***ProfileName***/PluginProfile**
-Nodes under the PluginProfile are required when using a Windows Store based VPN plugin.
+Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
**VPNv2/***ProfileName***/PluginProfile/ServerUrlList**
Required for plug-in profiles. Comma separated list of servers in URL, hostname, or IP format.
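Review bot: On the PluginProfile line, "Microsoft Store based VPN plugin" is a compound modifier and needs a hyphen ("Microsoft Store-based VPN plugin"). The windows-10-mobile-and-mdm.md changes in this same patch write it as "Microsoft Store–based VPN plugins", so the two files should agree.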
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 7b65bf401c..79f1d72331 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -110,6 +110,9 @@ The following are valid edition upgrade paths when using this node through an MD
- Windows 10 Mobile to Windows 10 Mobile Enterprise
+> [!Warning]
+> Edition upgrades do not support Volume Licence (VL) keys.
+
**LicenseKeyType**
Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change.
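Review bot: "Licence" in the added warning should be "License" to match the rest of the article (the node documented directly below is **LicenseKeyType**). The warning is also unrelated to the Store rename, so it deserves a mention in the commit message. It would help to say which key type the reader should use instead of a VL key.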
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index 36cef1617a..60db3078d1 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -202,7 +202,7 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=
[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=new-policies-for-windows-10.md).
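Review bot: The new Feedback Hub link on the added line is unrelated to the Store rename and hard-codes the file name in `topic=new-policies-for-windows-10.md`, so it will go stale if the article is renamed or moved. Consider splitting it into its own change, and confirm that the `feedback-hub://?...` form launches the app the same way the old `feedback-hub:?...` link did.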
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index 390d23a40e..2672e10bc4 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -40,7 +40,7 @@ Windows 10 includes comprehensive MDM capabilities that can be managed by Micros
The built-in MDM client is common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT). The client provides a single interface through which you can manage any device that runs Windows 10. The client has two important roles: device enrollment in an MDM system and device management.
Organizations typically have two scenarios to consider when it comes to device deployment: Bring Your Own (BYO) personal devices and Choose Your Own (CYO) company-owned devices. In both cases, the device must be enrolled in an MDM system, which would configure it with settings appropriate for the organization and the employee.
-Windows 10 Mobile device management capabilities support both personal devices used in the BYO scenario and corporate devices used in the CYO scenario. The operating system offers a flexible approach to registering devices with directory services and MDM systems. IT organizations can provision comprehensive device-configuration profiles based on their business needs to control and protect mobile business data. Apps can be provisioned easily to personal or corporate devices through the Windows Store for Business, or by using their MDM system, which can also work with the Windows Store for Business for public store apps.
+Windows 10 Mobile device management capabilities support both personal devices used in the BYO scenario and corporate devices used in the CYO scenario. The operating system offers a flexible approach to registering devices with directory services and MDM systems. IT organizations can provision comprehensive device-configuration profiles based on their business needs to control and protect mobile business data. Apps can be provisioned easily to personal or corporate devices through the Microsoft Store for Business, or by using their MDM system, which can also work with the Microsoft Store for Business for public store apps.
Knowing who owns the device and what the employee will use it for are the major factors in determining your management strategy and which controls your organization should put in place. Whether personal devices, corporate devices, or a mixture of the two, deployment processes and configuration policies may differ.
For **personal devices**, companies need to be able to manage corporate apps and data on the device without impeding the employee’s ability to personalize it to meet their individual needs. The employee owns the device and corporate policy allows them to use it for both business and personal purposes, with the ability to add personal apps at their discretion. The main concern with personal devices is how organizations can prevent corporate data from being compromised, while still keeping personal data private and under the sole control of the employee. This requires that the device be able to support separation of apps and data with strict control of business and personal data traffic.
@@ -200,8 +200,8 @@ For more information about health attestation in Windows 10 Mobile, see the [Win
**Windows Update for Business**
Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing updates.
-**Windows Store for Business**
-The Windows Store for Business is the place where IT administrators can find, acquire, manage, and distribute apps to Windows 10 devices. This includes both internal line-of-business (LOB) apps, as well as commercially available third-party apps.
+**Microsoft Store for Business**
+The Microsoft Store for Business is the place where IT administrators can find, acquire, manage, and distribute apps to Windows 10 devices. This includes both internal line-of-business (LOB) apps, as well as commercially available third-party apps.
## Configure
@@ -216,7 +216,7 @@ Not all MDM systems support every setting described in this guide. Some support
Enforcing what accounts employees can use on a corporate device is important for avoiding data leaks and protecting privacy. Limiting the device to just one account controlled by the organization will reduce the risk of a data breach. However, you can choose to allow employees to add a personal Microsoft Account or other consumer email accounts.
-- **Allow Microsoft Account** Specifies whether users are allowed to add a Microsoft Account to the device and use this account to authenticate to cloud services, such as purchasing apps in Windows Store, Xbox, or Groove.
+- **Allow Microsoft Account** Specifies whether users are allowed to add a Microsoft Account to the device and use this account to authenticate to cloud services, such as purchasing apps in Microsoft Store, Xbox, or Groove.
- **Allow Adding Non-Microsoft Accounts** Specifies whether users are allowed to add email accounts other than Microsoft accounts.
### Email accounts
@@ -304,7 +304,7 @@ In addition to SCEP certificate management, Windows 10 Mobile supports deploymen
Get more detailed information about MDM certificate management in the [Client Certificate Install CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile).
Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently.
->**Note:** To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Windows Store. This Windows 10 Mobile app can help you:
+>**Note:** To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Microsoft Store. This Windows 10 Mobile app can help you:
- View a summary of all personal certificates
- View the details of individual certificates
- View the certificates used for VPN, Wi-Fi, and email authentication
@@ -403,7 +403,7 @@ For more details on proxy settings, see [CM_ProxyEntries CSP](https://msdn.micro
*Applies to: Corporate and personal devices*
-Organizations often use a VPN to control access to apps and resources on their company’s intranet. In addition to native Microsoft Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Key Exchange Protocol version 2 (IKEv2) VPNs, Windows 10 Mobile supports SSL VPN connections, which require a downloadable plugin from the Windows Store and are specific to the VPN vendor of your choice. These plugins work like apps and can be installed directly from the Windows Store using your MDM system (see App Management).
+Organizations often use a VPN to control access to apps and resources on their company’s intranet. In addition to native Microsoft Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Key Exchange Protocol version 2 (IKEv2) VPNs, Windows 10 Mobile supports SSL VPN connections, which require a downloadable plugin from the Microsoft Store and are specific to the VPN vendor of your choice. These plugins work like apps and can be installed directly from the Microsoft Store using your MDM system (see App Management).
You can create and provision multiple VPN connection profiles and then deploy them to managed devices that run Windows 10 Mobile.
To create a VPN profile that uses native Windows 10 Mobile VPN protocols (such as IKEv2, PPTP, or L2TP), you can use the following settings:
@@ -421,11 +421,11 @@ To create a VPN profile that uses native Windows 10 Mobile VPN protocols (such a
>**Note:** The easiest way to create a profile for a single sign-on experience with an EAP configuration XML is through the rasphone tool on a Windows 10 PC. Once you run the rasphone.exe, the configuration wizard will walk you through the necessary steps. For step-by-step instructions on creating the EAP configuration XML blob, see EAP configuration. You can use the resulting XML blob in the MDM system to create the VPN profile on Windows 10 Mobile phone. If you have multiple certificates on the devices, you may want to configure filtering conditions for automatic certificate selection, so the employee does not need to select an authentication certificate every time the VPN is turned on. See this article for details. Windows 10 for PCs and Windows 10 Mobile have the same VPN client.
-Windows Store–based VPN plugins for the VPN connection allow you to create a VPN plugin profile with the following attributes:
+Microsoft Store–based VPN plugins for the VPN connection allow you to create a VPN plugin profile with the following attributes:
- **VPN server** A comma-separated list of VPN servers; you can specify the servers with a URL, fully qualified host name, or IP address
- **Custom configuration** An HTML-encoded XML blob for SSL–VPN plugin–specific configuration information (e.g., authentication information) that the plugin provider requires
-- **Windows Store VPN plugin family name** Specifies the Windows Store package family name for the Windows Store–based VPN plugin
+- **Microsoft Store VPN plugin family name** Specifies the Microsoft Store package family name for the Microsoft Store–based VPN plugin
In addition, you can specify per VPN Profile:
@@ -491,36 +491,36 @@ Windows 10 makes it possible to develop apps that work seamlessly across multipl
For compatibility with existing apps, Windows Phone 8.1 apps still run on Windows 10 Mobile devices, easing the migration to the newest platform. Microsoft recommend migrating your apps to UWP to take full advantage of the improvements in Windows 10 Mobile. In addition, bridges have been developed to easily and quickly update existing Windows Phone 8.1 (Silverlight) and iOS apps to the UWP.
-Microsoft also made it easier for organizations to license and purchase UWP apps via Windows Store for Business and deploy them to employee devices using the Windows Store, or an MDM system, that can be integrated with the Windows Store for Business. Putting apps into the hands of mobile workers is critical, but you also need an efficient way to ensure those apps comply with corporate policies for data security.
+Microsoft also made it easier for organizations to license and purchase UWP apps via Microsoft Store for Business and deploy them to employee devices using the Microsoft Store, or an MDM system, that can be integrated with the Microsoft Store for Business. Putting apps into the hands of mobile workers is critical, but you also need an efficient way to ensure those apps comply with corporate policies for data security.
To learn more about Universal Windows apps, see the [Guide to Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/en-us/library/windows/apps/dn894631.aspx) for additional information, or take this [Quick Start Challenge: Universal Windows Apps in Visual Studio](https://mva.microsoft.com/en-US/training-courses/quick-start-challenge-universal-windows-apps-in-visual-studio-14477?l=Be2FMfgmB_505192797). Also, see [Porting apps to Windows 10](https://msdn.microsoft.com/en-us/windows/uwp/porting/index).
-### Windows Store for Business: Sourcing the right app
+### Microsoft Store for Business: Sourcing the right app
*Applies to: Corporate and personal devices*
-The first step in app management is to obtain the apps your users need. You can develop your own apps or source your apps from the Windows Store. With Windows Phone 8.1, an MSA was needed to acquire and install apps from the Windows Store. With the Windows Store for Business, Microsoft enables organizations to acquire apps for employees from a private store with the Windows Store, without the need for MSAs on Windows 10 devices.
+The first step in app management is to obtain the apps your users need. You can develop your own apps or source your apps from the Microsoft Store. With Windows Phone 8.1, an MSA was needed to acquire and install apps from the Microsoft Store. With the Microsoft Store for Business, Microsoft enables organizations to acquire apps for employees from a private store with the Microsoft Store, without the need for MSAs on Windows 10 devices.
-Windows Store for Business is a web portal that allows IT administrators to find, acquire, manage, and distribute apps to Windows 10 devices.
+Microsoft Store for Business is a web portal that allows IT administrators to find, acquire, manage, and distribute apps to Windows 10 devices.
-Azure AD authenticated managers have access to Windows Store for Business functionality and settings, and store managers can create a private category of apps that are specific and private to their organization. (You can get more details about what specific Azure AD accounts have access to Windows Store for Business here). Windows Store for Business enables organizations to purchase app licenses for their organization and make apps available to their employees. In addition to commercially available apps, your developers can publish line-of-business (LOB) apps to Windows Store for Business by request. You can also integrate their Windows Store for Business subscriptions with their MDM systems, so the MDM system can distribute and manage apps from Windows Store for Business.
+Azure AD authenticated managers have access to Microsoft Store for Business functionality and settings, and store managers can create a private category of apps that are specific and private to their organization. (You can get more details about what specific Azure AD accounts have access to Microsoft Store for Business here). Microsoft Store for Business enables organizations to purchase app licenses for their organization and make apps available to their employees. In addition to commercially available apps, your developers can publish line-of-business (LOB) apps to Microsoft Store for Business by request. You can also integrate their Microsoft Store for Business subscriptions with their MDM systems, so the MDM system can distribute and manage apps from Microsoft Store for Business.
-Windows Store for Business supports app distribution under two licensing models: online and offline.
+Microsoft Store for Business supports app distribution under two licensing models: online and offline.
The online model (store-managed) is the recommended method, and supports both personal device and corporate device management scenarios. To install online apps, the device must have Internet access at the time of installation. On corporate devices, an employee can be authenticated with an Azure AD account to install online apps. On personal devices, an employee must register their device with Azure AD to be able to install corporate licensed online apps.
Corporate device users will find company licensed apps in the Store app on their phone in a private catalog. When an MDM system is associated with the Store for Business, IT administrators can present Store apps within the MDM system app catalog where users can find and install their desired apps. IT administrators can also push required apps directly to employee devices without the employee’s intervention.
Employees with personal devices can install apps licensed by their organization using the Store app on their device. They can use either the Azure AD account or Microsoft Account within the Store app if they wish to purchase personal apps. If you allow employees with corporate devices to add a secondary Microsoft Account (MSA), the Store app on the device provides a unified method for installing personal and corporate apps.
-Online licensed apps do not need to be transferred or downloaded from the Windows Store to the MDM system to be distributed and managed. When an employee chooses a company-owned app, it will automatically be installed from the cloud. Also, apps will be automatically updated when a new version is available or can be removed if needed. When an app is removed from a device by the MDM system or the user, Windows Store for Business reclaims the license so it can be used for another user or on another device.
+Online licensed apps do not need to be transferred or downloaded from the Microsoft Store to the MDM system to be distributed and managed. When an employee chooses a company-owned app, it will automatically be installed from the cloud. Also, apps will be automatically updated when a new version is available or can be removed if needed. When an app is removed from a device by the MDM system or the user, Microsoft Store for Business reclaims the license so it can be used for another user or on another device.
-To distribute an app offline (organization-managed), the app must be downloaded from the Windows Store for Business. This can be accomplished in the Windows Store for Business portal by an authorized administrator. Offline licensing requires the app developer to opt-in to the licensing model, as the Windows Store is no longer able to track licenses for the developer. If the app developer doesn’t allow download of the app from Windows Store, then you must obtain the files directly from the developer or use the online licensing method.
+To distribute an app offline (organization-managed), the app must be downloaded from the Microsoft Store for Business. This can be accomplished in the Microsoft Store for Business portal by an authorized administrator. Offline licensing requires the app developer to opt-in to the licensing model, as the Microsoft Store is no longer able to track licenses for the developer. If the app developer doesn’t allow download of the app from Microsoft Store, then you must obtain the files directly from the developer or use the online licensing method.
-To install acquired Windows Store or LOB apps offline on a Windows 10 Mobile device, IT administrators can use an MDM system. The MDM system distributes the app packages that you downloaded from Windows Store (also called sideloading) to Windows 10 Mobile devices. Support for offline app distribution depends on the MDM system you are using, so consult your MDM vendor documentation for details. You can fully automate the app deployment process so that no user intervention is required.
+To install acquired Microsoft Store or LOB apps offline on a Windows 10 Mobile device, IT administrators can use an MDM system. The MDM system distributes the app packages that you downloaded from Microsoft Store (also called sideloading) to Windows 10 Mobile devices. Support for offline app distribution depends on the MDM system you are using, so consult your MDM vendor documentation for details. You can fully automate the app deployment process so that no user intervention is required.
-Windows Store apps or LOB apps that have been uploaded to the Windows Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Windows Store certificates. LOB apps that are uploaded to the Windows Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 Mobile Enterprise edition.
+Microsoft Store apps or LOB apps that have been uploaded to the Microsoft Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Microsoft Store certificates. LOB apps that are uploaded to the Microsoft Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 Mobile Enterprise edition.
-Learn more about the [Windows Store for Business](/microsoft-store/index).
+Learn more about the [Microsoft Store for Business](/microsoft-store/index).
### Managing apps
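Review bot: In the added offline-install paragraph, the parenthetical "(also called sideloading)" sits directly after "downloaded from Microsoft Store", so it reads as if downloading the package were the sideloading step. Sideloading is the installation of the package on the device outside the Store, so the parenthetical belongs next to "distributes the app packages ... to Windows 10 Mobile devices". In the trust paragraph, "cryptographically signed with Microsoft Store certificates" looks like the product of a blanket search and replace; confirm the certificate naming really changed with the rebrand before changing text that administrators may compare against what they see on the device.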
@@ -528,19 +528,19 @@ Learn more about the [Windows Store for Business](/microsoft-store/index).
IT administrators can control which apps are allowed to be installed on Windows 10 Mobile devices and how they should be kept up-to-date.
-Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow (sometimes also called whitelist/blacklist) lists of apps from the Windows Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Windows Store.
+Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow (sometimes also called whitelist/blacklist) lists of apps from the Microsoft Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Microsoft Store.
For more details, see [AppLocker CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920019(v=vs.85).aspx).
In addition to controlling which apps are allowed, IT professionals can also implement additional app management settings on Windows 10 Mobile, using an MDM.
- **Allow All Trusted Apps** Whether users can sideload apps on the device.
-- **Allow App Store Auto Update** Whether automatic updates of apps from Windows Store are allowed.
+- **Allow App Store Auto Update** Whether automatic updates of apps from Microsoft Store are allowed.
- **Allow Developer Unlock** Whether developer unlock is allowed.
- **Allow Shared User App Data** Whether multiple users of the same app can share data.
-- **Allow Store** Whether Windows Store app is allowed to run. This will completely block the user from installing apps from the Store, but will still allow app distribution through an MDM system.
+- **Allow Store** Whether Microsoft Store app is allowed to run. This will completely block the user from installing apps from the Store, but will still allow app distribution through an MDM system.
- **Application Restrictions** An XML blob that defines the app restrictions for a device. The XML blob can contain an app allow or deny list. You can allow or deny apps based on their app ID or publisher. See AppLocker above.
-- **Disable Store Originated Apps** Disables the launch of all apps from Windows Store that came pre-installed or were downloaded before the policy was applied.
+- **Disable Store Originated Apps** Disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded before the policy was applied.
- **Require Private Store Only** Whether the private store is exclusively available to users in the Store app on the device. If enabled, only the private store is available. If disabled, the retail catalog and private store are both available.
- **Restrict App Data to System Volume** Whether app data is allowed only on the system drive or can be stored on an SD card.
- **Restrict App to System Volume** Whether app installation is allowed only to the system drive or can be installed on an SD card.
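Review bot: The rename leaves the article inconsistent inside this hunk. The AppLocker paragraph says "from the Microsoft Store", while the policy bullets say "from Microsoft Store" (Allow App Store Auto Update, Disable Store Originated Apps), and Allow Store reads "Whether Microsoft Store app is allowed to run", which is missing "the". Pick one form and apply it to every changed line. Since the AppLocker paragraph is being rewritten anyway, "such as Xbox, Groove, text messaging, email, and calendar, etc." can lose the "etc.", because "such as" already marks the list as partial.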
@@ -1035,7 +1035,7 @@ The remote assistance features in Windows 10 Mobile help resolve issues that use
These remote management features help organizations reduce the IT effort required to manage devices. They also help users quickly regain use of their device should they misplace it or forget the device password.
->**Remote control software** Microsoft does not provide build-in remote control software, but works with partners to deliver these capabilities and services. With version 1607, remote assistant and control applications are available in the Windows Store.
+>**Remote control software** Microsoft does not provide build-in remote control software, but works with partners to deliver these capabilities and services. With version 1607, remote assistant and control applications are available in the Microsoft Store.
## Retire
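Review bot: The rewritten line still carries "build-in remote control software", which should be "built-in". "remote assistant and control applications" probably means "remote assistance", matching the section text quoted in the hunk header ("The remote assistance features in Windows 10 Mobile ..."). Fix both in this change, since the line is already being touched for the Store rename.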
@@ -1065,7 +1065,7 @@ A better option than wiping the entire device is to use Windows Information Prot
- [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050)
- [Enterprise Mobility + Security](https://go.microsoft.com/fwlink/p/?LinkId=723984)
- [Overview of Mobile Device Management for Office 365](https://go.microsoft.com/fwlink/p/?LinkId=734052)
-- [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=722910)
+- [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=722910)
## Revision History
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index 03b15f9859..5c68eb15b8 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -40,7 +40,7 @@ These are the top Microsoft Support solutions for the most common issues experie
- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors)
- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the)
- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
-- [0xC1900101 error when Windows 10 upgrade fails after the second system restart'(https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
+- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem)
- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008)
- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632)
diff --git a/windows/configuration/EventName.md b/windows/configuration/EventName.md
new file mode 100644
index 0000000000..c0ae1cafb0
--- /dev/null
+++ b/windows/configuration/EventName.md
@@ -0,0 +1,253 @@
+---
+description: Use this article to learn more about the enhanced telemetry events used by Windows Analytics
+title: Windows 10, version 1709 enhanced telemtry events and fields used by Windows Analytics (Windows 10)
+keywords: privacy, telemetry
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+ms.date: 10/17/2017
+author: jaimeo
+ms.author: jaimeo
+---
+
+
+# Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics
+
+ **Applies to**
+
+- Windows 10, version 1709 and later
+
+Windows Analytics Device Health reports are powered by diagnostic data not included in the Basic level. This includes crash reports and certain OS telemetry events. Organizations sending Enhanced or Full level diagnostic data were able to participate in Device Health, but some organizations which required detailed event and field level documentation were unable to move from Basic to Enhanced.
+
+In Windows 10, version 1709, we introduce a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system telemetry events included in the Enhanced level to only those described below. Note that the Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md).
+
+
+## KernelProcess.AppStateChangeSummary
+This event summarizes application usage and performance characteristics to help Microsoft improve performance and reliability. Organizations can use this event with Windows Analytics to gain insights into application reliability.
+
+The following fields are available:
+
+- **CommitChargeAtExit_Sum:** Total memory commit charge for a process when it exits
+- **CommitChargePeakAtExit_Sum**: Total peak memory commit charge for a process when it exits
+- **ContainerId:** Server Silo Container ID
+- **CrashCount:** Number of crashes for a process instance
+- **CycleCountAtExit_Sum:** Total processor cycles for a process when it exited
+- **ExtraInfoFlags:** Flags indicating internal states of the logging
+- **GhostCount_Sum:** Total number of instances where the application stopped responding
+- **HandleCountAtExit_Sum:** Total handle count for a process when it exits
+- **HangCount_Max:** Maximum number of hangs detected
+- **HangCount_Sum:** Total number of application hangs detected
+- **HardFaultCountAtExit_Sum:** Total number of hard page faults detected for a process when it exits
+- **HeartbeatCount:** Heartbeats logged for this summary
+- **HeartbeatSuspendedCount:** Heartbeats logged for this summary where the process was suspended
+- **LaunchCount:** Number of process instances started
+- **LicenseType:** Reserved for future use
+- **ProcessDurationMS_Sum:** Total duration of wall clock process instances
+- **ReadCountAtExit_Sum:** Total IO reads for a process when it exited
+- **ReadSizeInKBAtExit_Sum:**Total IO read size for a process when it exited
+- **ResumeCount:** Number of times a process instance has resumed
+- **RunningDurationMS_Sum:** Total uptime
+- **SuspendCount:** Number of times a process instance was suspended
+- **TargetAppId:** Application identifier
+- **TargetAppType:** Application type
+- **TargetAppVer:** Application version
+- **TerminateCount:** Number of times a process terminated
+- **WriteCountAtExit_Sum:** Total number of IO writes for a process when it exited
+- **WriteSizeInKBAtExit_Sum:** Total size of IO writes for a process when it exited
+
+## Microsoft.OSG.OSS.CredProvFramework.ReportResultStop
+This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve logon reliability. Using this event with Windows Analytics can help organizations monitor and improve logon success for different methods (for example, biometric) on managed devices.
+
+The following fields are available:
+
+- **CredTileProviderId:** ID of the Credential Provider
+- **IsConnectedUser:** Flag indicating whether a user is connected or not
+- **IsPLAPTile:** Flag indicating whether this credential tile is a pre-logon access provider or not
+- **IsRemoteSession:** Flag indicating whether the session is remote or not
+- **IsV2CredProv:** Flag indicating whether the credential provider of V2 or not
+- **OpitonalStatusText:** Status text
+- **ProcessImage:** Image path to the process
+- **ProviderId:** Credential provider ID
+- **ProviderStatusIcon:** Indicates which status icon should be displayed
+- **ReturnCode:** Output of the ReportResult function
+- **SessionId:** Session identifier
+- **Sign-in error status:** The sign-in error status
+- **SubStatus:** Sign-in error sub-status
+- **UserTag:** Count of the number of times a user has selected a provider
+
+## Microsoft.Windows.Kernel.Power.OSStateChange
+This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Windows Analytics, organizations can use this to monitor reliability and performance of managed devices
+
+The following fields are available:
+
+- **AcPowerOnline:** If "TRUE," the device is using AC power. If "FALSE," the device is using battery power.
+- **ActualTransitions:** The number of transitions between operating system states since the last system boot
+- **BatteryCapacity:** Maximum battery capacity in mWh
+- **BatteryCharge:** Current battery charge as a percentage of total capacity
+- **BatteryDischarging:** Flag indicating whether the battery is discharging or charging
+- **BootId:** Total boot count since the operating system was installed
+- **BootTimeUTC:** Date and time of a particular boot event (identified by BootId)
+- **EnergyChangeV2:** A snapshot value in mWh reflecting a change in power usage
+- **EnergyChangeV2Flags:** Flags for disambiguating EnergyChangeV2 context
+- **EventSequence:** A sequential number used to evaluate the completeness of the data
+- **LastStateTransition:** ID of the last operating system state transition
+- **LastStateTransitionSub:** ID of the last operating system sub-state transition
+- **StateDurationMS:** Number of milliseconds spent in the last operating system state
+- **StateTransition:** ID of the operating system state the system is transitioning to
+- **StateTransitionSub:** ID of the operating system sub-state the system is transitioning to
+- **TotalDurationMS:** Total time (in milliseconds) spent in all states since the last boot
+- **TotalUptimeMS:** Total time (in milliseconds) the device was in Up or Running states since the last boot
+- **TransitionsToOn:** Number of transitions to the Powered On state since the last boot
+- **UptimeDeltaMS:** Total time (in milliseconds) added to Uptime since the last event
+
+## Microsoft.Windows.LogonController.LogonAndUnlockSubmit
+Sends details of the user attempting to sign into or unlock the device.
+
+The following fields are available:
+
+- **isSystemManagedAccount:** Indicates if the user's account is System Managed
+- **isUnlockScenario:** Flag indicating whether the event is a Logon or an Unlock
+- **PartA_UserSid:** The security identifier of the user
+- **userType:** Indicates the user type: 0 = unknown; 1 = local; 2 = Active Directory domain user; 3 = Microsoft Account; 4 = Azure Active Directory user
+
+## Microsoft.Windows.LogonController.SignInFailure
+Sends details about any error codes detected during a failed sign-in.
+
+The following fields are available:
+
+- **ntsStatus:** The NTSTATUS error code status returned from an attempted sign-in
+- **ntsSubstatus:** The NTSTATUS error code sub-status returned from an attempted sign-in
+
+## Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture
+Indicates that a biometric capture was compared to known templates
+
+The following fields are available:
+
+- **captureDetail:** Result of biometric capture, either matched to an enrollment or an error
+- **captureSuccessful:** Indicates whether a biometric capture was successfully matched or not
+- **hardwareId:** ID of the sensor that collected the biometric capture
+- **isSecureSensor:** Flag indicating whether a biometric sensor was in enhanced security mode
+- **isTrustletRunning:** Indicates whether an enhanced security component is currently running
+- **isVsmCfg:** Flag indicating whether virtual secure mode is configured or not
+
+## Microsoft.Windows.Security.Certificates.PinRulesCaCertUsedAnalytics
+The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations.
+
+The following fields are available:
+
+- **certBinary:** Binary blob of public certificate as presented to the client (does not include any private keys)
+- **certThumbprint:** Certificate thumbprint
+
+## Microsoft.Windows.Security.Certificates.PinRulesCheckedAnalytics
+The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations.
+
+The following fields are available:
+
+- **caThumbprints:** Intermediate certificate thumbprints
+- **rootThumbprint:** Root certificate thumbprint
+- **serverName:** Server name associated with the certificate
+- **serverThumbprint:** Server certificate thumbprint
+- **statusBits:** Certificate status
+
+## Microsoft.Windows.Security.Certificates.PinRulesServerCertUsedAnalytics
+The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations.
+
+The following fields are available:
+
+- **certBinary:** Binary blob of public certificate as presented to the client (does not include any private keys)
+- **certThumbprint:** Certificate thumbprint
+
+## Microsoft.Windows.Security.Winlogon.SystemBootStop
+System boot has completed.
+
+The following field is available:
+
+- **ticksSinceBoot:** Duration of boot event (milliseconds)
+
+## Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks
+This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this event with Windows Analytics organizations can help identify logon problems on managed devices.
+
+The following fields are available:
+
+- **isAadUser:** Indicates whether the current logon is for an Azure Active Directory account
+- **isDomainUser:** Indicates whether the current logon is for a domain account
+- **isMSA:** Indicates whether the current logon is for a Microsoft Account
+- **logonOptimizationFlags:** Flags indicating optimization settings for this logon session
+- **logonTypeFlags:** Flags indicating logon type (first logon vs. a later logon)
+- **systemManufacturer:** Device manufacturer
+- **systemProductName:** Device product name
+- **wilActivity:** Indicates errors in the task to help Microsoft improve reliability.
+
+## Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask
+This event describes system tasks which are part of the user logon sequence and helps Microsoft to improve reliability.
+
+The following fields are available:
+
+- **isStartWaitTask:** Flag indicating whether the task starts a background task
+- **isWaitMethod:** Flag indicating the task is waiting on a background task
+- **logonTask:** Indicates which logon step is currently occurring
+- **wilActivity:** Indicates errors in the task to help Microsoft improve reliability.
+
+## Microsoft.Windows.Shell.Explorer.DesktopReady
+Initialization of Explorer is complete.
+
+## Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning
+For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the WIP administrator tune policy rules and prevent unnecessary user disruption.
+
+The following fields are available:
+
+- **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information Protection administrators to tune policy rules.
+- **appIdType:** Based on the type of application, this indicates what type of app rule a Windows Information Protection administrator would need to create for this app.
+- **appname:** App that triggered the event
+- **status:** Indicates whether errors occurred during WIP learning events
+
+## Win32kTraceLogging.AppInteractivitySummary
+Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility and user experience. Also helps organizations (by using Windows Analytics) to understand and improve application reliability on managed devices.
+
+The following fields are available:
+
+- **AggregationDurationMS:** Actual duration of aggregation period (in milliseconds)
+- **AggregationFlags:** Flags denoting aggregation settings
+- **AggregationPeriodMS:** Intended duration of aggregation period (in milliseconds)
+- **AggregationStartTime:** Start date and time of AppInteractivity aggregation
+- **AppId:** Application ID for usage
+- **AppSessionId:** GUID identifying the application's usage session
+- **AppVersion:** Version of the application that produced this event
+- **AudioInMS:** Audio capture duration (in milliseconds)
+- **AudioOutMS:** Audio playback duration (in milliseconds)
+- **BackgroundMouseSec:** Indicates that there was a mouse hover event while the app was in the background
+- **BitPeriodMS:** Length of the period represented by InFocusBitmap
+- **CommandLineHash:** A hash of the command line
+- **CompositionDirtyGeneratedSec:** Represents the amount of time (in seconds) during which the active app reported that it had an update
+- **CompositionDirtyPropagatedSec:** Total time (in seconds) that a separate process with visuals hosted in an app signaled updates
+- **CompositionRenderedSec:** Time (in seconds) that an app's contents were rendered
+- **EventSequence:** [need more info]
+- **FocusLostCount:** Number of times that an app lost focus during the aggregation period
+- **GameInputSec:** Time (in seconds) there was user input using a game controller
+- **HidInputSec:** Time (in seconds) there was user input using devices other than a game controller
+- **InFocusBitmap:** Series of bits representing application having and losing focus
+- **InFocusDurationMS:** Total time (in milliseconds) the application had focus
+- **InputSec:** Total number of seconds during which there was any user input
+- **InteractiveTimeoutPeriodMS:** Total time (in milliseconds) that inactivity expired interactivity sessions
+- **KeyboardInputSec:** Total number of seconds during which there was keyboard input
+- **MonitorFlags:** Flags indicating app use of individual monitor(s)
+- **MonitorHeight:** Number of vertical pixels in the application host monitor resolution
+- **MonitorWidth:** Number of horizontal pixels in the application host monitor resolution
+- **MouseInputSec:** Total number of seconds during which there was mouse input
+- **NewProcessCount:** Number of new processes contributing to the aggregate
+- **PartATransform_AppSessionGuidToUserSid:** Flag which influences how other parts of the event are constructed
+- **PenInputSec:** Total number of seconds during which there was pen input
+- **SpeechRecognitionSec:** Total number of seconds of speech recognition
+- **SummaryRound:** Incrementing number indicating the round (batch) being summarized
+- **TargetAsId:** Flag which influences how other parts of the event are constructed
+- **TotalUserOrDisplayActiveDurationMS:** Total time the user or the display was active (in milliseconds)
+- **TouchInputSec:** Total number of seconds during which there was touch input
+- **UserActiveDurationMS:** Total time that the user was active including all input methods
+- **UserActiveTransitionCount:** Number of transitions in and out of user activity
+- **UserOrDisplayActiveDurationMS:** Total time the user was using the display
+- **ViewFlags:** Flags denoting properties of an app view (for example, special VR view or not)
+- **WindowFlags:** Flags denoting runtime properties of an app window
+- **WindowHeight:** Number of vertical pixels in the application window
+- **WindowWidth:** Number of horizontal pixels in the application window
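Review bot: This new file ships with unfinished text: under Win32kTraceLogging.AppInteractivitySummary the EventSequence field is described as "[need more info]", and the front-matter title spells "telemtry". Both need fixing before publication, and the filename EventName.md looks like a template placeholder rather than a slug in the style of the other files in this folder. Smaller points: "**ReadSizeInKBAtExit_Sum:**Total" lacks the space after the bold label and mixes colon placement with the line above it; under CredProvFramework.ReportResultStop, "OpitonalStatusText" and "Sign-in error status" do not look like field identifiers, so check them against the emitted schema and keep the spelling only if the event really uses it; "ticksSinceBoot" is documented in milliseconds, which needs a word on what a tick is; the OSStateChange description ends without a period. Because the introduction positions this page as the field-level documentation organizations need before moving from Basic to Enhanced, the identifying fields deserve precise descriptions: PartA_UserSid, serverName and certBinary are clear enough, but CommandLineHash should say which hash is used and over what input, and "Flags ..." fields should at least say whether they can carry user or device identifiers.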
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index 14b763459a..88c44d0c4c 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -1,7 +1,9 @@
# [Configure Windows 10](index.md)
## [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
-## [Basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
-## [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md)
+## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
+## [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](EventName.md)
+## [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
+## [Windows 10 diagnostic data for the Full telemetry level](windows-diagnostic-data.md)
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
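Review bot: The new TOC entry for the enhanced telemetry article links to EventName.md, a placeholder-style filename that does not follow the lowercase, hyphenated, descriptive slugs used by every other entry in this hunk (for example basic-level-windows-diagnostic-events-and-fields-1709.md). Rename the file before merge, since the filename becomes the published URL. Also, the entry for windows-diagnostic-data.md is retitled from "Windows 10, version 1703 diagnostic data" to "Windows 10 diagnostic data for the Full telemetry level" without a change to the target; confirm the title inside that article is updated to match so the TOC and page heading agree.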
@@ -9,7 +11,10 @@
### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
-### [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md)
+### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
+#### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md)
+#### [Use AppLocker to create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-applocker.md)
+#### [Multi-app kiosk XML reference](multi-app-kiosk-xml.md)
## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md)
### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md)
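Review bot: lock-down-windows-10-to-specific-apps.md keeps its path but changes subject here, from "Lock down Windows 10 to specific apps (AppLocker)" to "Create a Windows 10 kiosk that runs multiple apps", while the AppLocker procedure moves to the new lock-down-windows-10-applocker.md. Existing inbound links and bookmarks that expect AppLocker lockdown guidance at the old path will now land on different content. Either add a prominent pointer to the AppLocker article at the top of the repurposed page or update the referring articles in the same change.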
@@ -48,7 +53,7 @@
### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md)
### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md)
### [Send feedback about Cortana at work back to Microsoft](cortana-at-work/cortana-at-work-feedback.md)
-## [Configure access to Microsoft Store](stop-employees-from-using-the-windows-store.md)
+## [Configure access to Microsoft Store](stop-employees-from-using-microsoft-store.md)
## [Provisioning packages for Windows 10](provisioning-packages/provisioning-packages.md)
### [How provisioning works in Windows 10](provisioning-packages/provisioning-how-it-works.md)
### [Introduction to configuration service providers (CSPs)](provisioning-packages/how-it-pros-can-use-configuration-service-providers.md)
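Review bot: The link target for "Configure access to Microsoft Store" changes from stop-employees-from-using-the-windows-store.md to stop-employees-from-using-microsoft-store.md, which implies a file rename that is not visible in this hunk. Confirm the rename is part of this commit, that a redirect from the old URL is in place, and that other articles linking to the old filename are updated; otherwise this entry or those links will break.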
@@ -70,6 +75,8 @@
#### [AutomaticTime](wcd/wcd-automatictime.md)
#### [Browser](wcd/wcd-browser.md)
#### [CallAndMessagingEnhancement](wcd/wcd-callandmessagingenhancement.md)
+#### [Calling](wcd/wcd-calling.md)
+#### [CellCore](wcd/wcd-cellcore.md)
#### [Cellular](wcd/wcd-cellular.md)
#### [Certificates](wcd/wcd-certificates.md)
#### [CleanPC](wcd/wcd-cleanpc.md)
@@ -79,6 +86,7 @@
#### [DesktopBackgroundAndColors](wcd/wcd-desktopbackgroundandcolors.md)
#### [DeveloperSetup](wcd/wcd-developersetup.md)
#### [DeviceFormFactor](wcd/wcd-deviceformfactor.md)
+#### [DeviceInfo](wcd/wcd-deviceinfo.md)
#### [DeviceManagement](wcd/wcd-devicemanagement.md)
#### [DMClient](wcd/wcd-dmclient.md)
#### [EditionUpgrade](wcd/wcd-editionupgrade.md)
@@ -86,6 +94,7 @@
#### [FirewallConfiguration](wcd/wcd-firewallconfiguration.md)
#### [FirstExperience](wcd/wcd-firstexperience.md)
#### [Folders](wcd/wcd-folders.md)
+#### [HotSpot](wcd/wcd-hotspot.md)
#### [InitialSetup](wcd/wcd-initialsetup.md)
#### [InternetExplorer](wcd/wcd-internetexplorer.md)
#### [Licensing](wcd/wcd-licensing.md)
@@ -109,11 +118,13 @@
#### [StartupBackgroundTasks](wcd/wcd-startupbackgroundtasks.md)
#### [SurfaceHubManagement](wcd/wcd-surfacehubmanagement.md)
#### [TabletMode](wcd/wcd-tabletmode.md)
-#### [TakeATest](wcd/wcd-takeatest.md)
+#### [TakeATest](wcd/wcd-takeatest.md)
+#### [TextInput](wcd/wcd-textinput.md)
#### [Theme](wcd/wcd-theme.md)
#### [UnifiedWriteFilter](wcd/wcd-unifiedwritefilter.md)
#### [UniversalAppInstall](wcd/wcd-universalappinstall.md)
#### [UniversalAppUninstall](wcd/wcd-universalappuninstall.md)
+#### [UsbErrorsOEMOverride](wcd/wcd-usberrorsoemoverride.md)
#### [WeakCharger](wcd/wcd-weakcharger.md)
#### [WindowsTeamSettings](wcd/wcd-windowsteamsettings.md)
#### [WLAN](wcd/wcd-wlan.md)
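Review bot: The TakeATest entry is removed and re-added with no visible difference, which points to a whitespace-only change (most likely trailing whitespace). If that is intentional cleanup, fine; otherwise drop it so the hunk contains only the two real additions, TextInput and UsbErrorsOEMOverride.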
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md
new file mode 100644
index 0000000000..26ff07ae44
--- /dev/null
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -0,0 +1,4585 @@
+---
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10)
+keywords: privacy, telemetry
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: eross-msft
+ms.author: lizross
+ms.date: 10/17/2017
+---
+
+
+# Windows 10, version 1709 basic level Windows diagnostic events and fields
+
+
+ **Applies to**
+
+- Windows 10, version 1709
+
+
+The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information.
+
+The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
+
+Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data.
+
+You can learn more about Windows functional and diagnostic data through these articles:
+
+
+- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+- [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+
+
+
+# Common data extensions
+
+### Common Data Extensions.App
+
+
+
+The following fields are available:
+
+- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
+- **userId** The userID as known by the application.
+- **env** The environment from which the event was logged.
+- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+
+
+### Common Data Extensions.CS
+
+
+
+The following fields are available:
+
+- **sig** A common schema signature that identifies new and modified event schemas.
+
+
+### Common Data Extensions.CUET
+
+
+
+The following fields are available:
+
+- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
+- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
+- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
+- **op** Represents the ETW Op Code.
+- **cat** Represents a bitmask of the ETW Keywords associated with the event.
+- **flags** Represents the bitmap that captures various Windows specific flags.
+- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
+- **tickets** A list of strings that represent entries in the HTTP header of the web request that includes this event.
+- **bseq** Upload buffer sequence number in the format \:\
+- **mon** Combined monitor and event sequence numbers in the format \:\
+
+
+### Common Data Extensions.Device
+
+
+
+The following fields are available:
+
+- **ver** Represents the major and minor version of the extension.
+- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **deviceClass** Represents the classification of the device, the device “family”. For example, Desktop, Server, or Mobile.
+
+
+### Common Data Extensions.Envelope
+
+
+
+The following fields are available:
+
+- **ver** Represents the major and minor version of the extension.
+- **name** Represents the uniquely qualified name for the event.
+- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
+- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
+- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **seqNum** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **iKey** Represents an ID for applications or other logical groupings of events.
+- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **os** Represents the operating system name.
+- **osVer** Represents the OS version, and its format is OS dependent.
+- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **appVer** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
+
+
+### Common Data Extensions.OS
+
+
+
+The following fields are available:
+
+- **ver** Represents the major and minor version of the extension.
+- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
+- **locale** Represents the locale of the operating system.
+- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+
+
+### Common Data Extensions.User
+
+
+
+The following fields are available:
+
+- **ver** Represents the major and minor version of the extension.
+- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+
+
+### Common Data Extensions.XBL
+
+
+
+The following fields are available:
+
+- **nbf** Not before time
+- **expId** Expiration time
+- **sbx** XBOX sandbox identifier
+- **dty** XBOX device type
+- **did** XBOX device ID
+- **xid** A list of base10-encoded XBOX User IDs.
+- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
+
+
+### Common Data Extensions.Consent UI Event
+
+This User Account Control (UAC) telemetry point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
+
+The following fields are available:
+
+- **eventType** Represents the type of elevation: If it succeeded, was cancelled, or was auto-approved.
+- **splitToken** Represents the flag used to distinguish between administrators and standard users.
+- **friendlyName** Represents the name of the file requesting elevation from low IL.
+- **elevationReason** Represents the distinction between various elevation requests sources (appcompat, installer, COM, MSI and so on).
+- **exeName** Represents the name of the file requesting elevation from low IL.
+- **signatureState** Represents the state of the signature, if it signed, unsigned, OS signed and so on.
+- **publisherName** Represents the name of the publisher of the file requesting elevation from low IL.
+- **cmdLine** Represents the full command line arguments being used to elevate.
+- **Hash.Length** Represents the length of the hash of the file requesting elevation from low IL.
+- **Hash** Represents the hash of the file requesting elevation from low IL.
+- **HashAlgId** Represents the algorithm ID of the hash of the file requesting elevation from low IL.
+- **telemetryFlags** Represents the details about the elevation prompt for CEIP data.
+- **timeStamp** Represents the time stamp on the file requesting elevation.
+- **fileVersionMS** Represents the major version of the file requesting elevation.
+- **fileVersionLS** Represents the minor version of the file requesting elevation.
+
+
+## Common data fields
+
+### Common Data Fields.MS.Device.DeviceInventory.Change
+
+These fields are added whenever Ms.Device.DeviceInventoryChange is included in the event.
+
+The following fields are available:
+
+- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
+- **objectType** Indicates the object type that the event applies to.
+- **Action** The change that was invoked on a device inventory object.
+- **inventoryId** Device ID used for Compatibility testing
+
+
+### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PreUpgradeSettings
+
+These fields are added whenever PreUpgradeSettings is included in the event.
+
+The following fields are available:
+
+- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service before the feature update completed.
+- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
+- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on before the feature update completed.
+- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
+- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
+- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
+- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device before the feature update completed.
+- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
+- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user before the feature update completed.
+- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
+- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device before the feature update.
+- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
+- **HKLM_TIPC.Enabled** The state of TIPC for the device.
+- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
+- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
+- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
+- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device before the feature update was completed?
+- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
+- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user before the feature update was completed?
+- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
+- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
+- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
+- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
+- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
+- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
+- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
+
+
+### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PostUpgradeSettings
+
+These fields are added whenever PostUpgradeSettings is included in the event.
+
+The following fields are available:
+
+- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service after the feature update has completed.
+- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
+- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on after a feature update has completed.
+- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
+- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
+- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
+- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device after the feature update has completed.
+- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
+- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user after the feature update has completed.
+- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
+- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device after the feature update.
+- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
+- **HKLM_TIPC.Enabled** The state of TIPC for the device.
+- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
+- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
+- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
+- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device after the feature update has completed?
+- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
+- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user after the feature update has completed?
+- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
+- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
+- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
+- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
+- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
+- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
+- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
+
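Review bot: In both the PreUpgradeSettings and PostUpgradeSettings lists, `HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy` and `HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy` are described as the "speech recognition state", while their `.HRESULT` rows describe a query to the Find My Device service. The two descriptions cannot both be right, and an admin auditing what is collected cannot tell which setting the field reports; please confirm the intended setting and make each value row agree with its HRESULT row. In the PreUpgradeSettings list, `HKLM_LocationPlatform.Status` says "after the feature update has completed", which reads as the post-upgrade wording. In both lists, `HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled` is described as applying to "the current user" although the key is HKLM, and it is followed by `HKCU_TailoredExperiences.HRESULT` with no HKLM HRESULT row and no HKCU value row, unlike every other setting here. In the PreUpgradeSettings list the same row also says "after the feature update had completed". While touching these rows, fix "conponent" and "adveristing", which appear in both lists.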
+
+## Appraiser events
+
+### Microsoft.Windows.Appraiser.General.RunContext
+
+"This event indicates what should be expected in the data payload. "
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
+
+A summary event indicating the parameters and result of a telemetry run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
+- **AuxFinal** Obsolete, always set to false
+- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
+- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
+- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
+- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
+- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
+- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **RunDate** The date that the telemetry run was stated, expressed as a filetime.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunResult** The hresult of the Appraiser telemetry run.
+- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run.
+- **StoreHandleIsNotNull** Obsolete, always set to false
+- **TelementrySent** Indicates if telemetry was successfully sent.
+- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **Time** The client time of the event.
+- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
+- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
+
+
+### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning
+
+The event that indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario.
+
+The following fields are available:
+
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
+
+This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
+- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
+- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
+- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **CompanyName** The company name of the vendor who developed this file.
+- **FileId** A hash that uniquely identifies a file.
+- **FileVersion** The File version field from the file metadata under Properties -> Details.
+- **LinkDate** The date and time that this file was linked on.
+- **LowerCaseLongPath** The full file path to the file that was inventoried on the device.
+- **Name** The name of the file that was inventoried.
+- **ProductName** The Product name field from the file metadata under Properties -> Details.
+- **ProductVersion** The Product version field from the file metadata under Properties -> Details.
+- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it.
+- **Size** The size of the file (in hexadecimal bytes).
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
+
+This event sends compatibility decision data about a file to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS.
+- **BlockingApplication** Are there any application issues that interfere with upgrade due to the file in question?
+- **DisplayGenericMessage** Will be a generic message be shown for this file?
+- **HardBlock** This file is blocked in the SDB.
+- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB?
+- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
+- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
+- **NeedsDismissAction** Will the file cause an action that can be dimissed?
+- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app.
+- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade?
+- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app.
+- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade.
+- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB,
+- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade.
+- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed.
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade.
+- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
+- **SoftBlock** The file is softblocked in the SDB and has a warning.
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
+
+This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
+
+This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessage** Will a generic message be shown for this block?
+- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block?
+- **SdbBlockUpgrade** Is a matching info block blocking upgrade?
+- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag?
+- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag?
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
+
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
+
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks?
+- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade?
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
+
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
+
+This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app?
+- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade?
+- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app?
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
+
+This event sends compatibility data for a PNP device, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ActiveNetworkConnection** Is the device an active network device?
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **IsBootCritical** Is the device boot critical?
+- **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update?
+- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver.
+- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
+
+This event sends compatibility decision data about a PNP device to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate?
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked?
+- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked?
+- **BlockingDevice** Is this PNP device blocking upgrade?
+- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device?
+- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device?
+- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
+- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
+- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
+- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden?
+- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
+- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
+- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
+- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
+
+This event sends compatibility database data about driver packages to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
+
+This event sends decision data about driver package compatibility to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block?
+- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block?
+- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade?
+- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
+
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BiosDate** The release date of the BIOS in UTC format.
+- **BiosName** The name field from Win32_BIOS.
+- **Manufacturer** The manufacturer field from Win32_ComputerSystem.
+- **Model** The model field from Win32_ComputerSystem.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
+
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device from upgrade due to memory restrictions?
+- **MemoryRequirementViolated** Was a memory requirement violated?
+- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes).
+- **ram** The amount of memory on the device.
+- **ramKB** The amount of memory (in KB).
+- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes).
+- **virtualKB** The amount of virtual memory (in KB).
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
+
+This event sends compatibility decision data about the BIOS to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device blocked from upgrade due to a BIOS block?
+- **HasBiosBlock** Does the device have a BIOS block?
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
+
+This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **SdbEntries** An array of fields indicating the SDB entries that apply to this BIOS.
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
+
+This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **CompareExchange128Support** Does the CPU support CompareExchange128?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
+
+This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **LahfSahfSupport** Does the CPU support LAHF/SAHF?
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
+
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support.
+- **NXProcessorSupport** Does the processor support NX?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
+
+This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **PrefetchWSupport** Does the processor support PrefetchW?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
+
+This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **SSE2ProcessorSupport** Does the processor support SSE2?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimAdd
+
+This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IsWimBoot** Is the current operating system running from a compressed WIM file?
+- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchAdd
+
+This event sends data indicating whether the system supports touch, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer?
+- **MaximumTouches** The maximum number of touch points supported by the device hardware.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
+
+This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated.
+- **WindowsNotActivatedDecision** Is the current operating system activated?
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
+
+This event sends data about the number of language packs installed on the system, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **HasLanguagePack** Does this device have 2 or more language packs?
+- **LanguagePackCount** How many language packs are installed?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver** Does the device have an emulated WLAN driver?
+- **WlanExists** Does the device support WLAN at all?
+- **WlanModulePresent** Are any WLAN modules present?
+- **WlanNativeDriver** Does the device have a non-emulated WLAN driver?
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
+
+This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **EverLaunched** Has Windows Media Center ever been launched?
+- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center?
+- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured?
+- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch?
+- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files?
+- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
+- **IsSupported** Does the running OS support Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
+
+This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center?
+- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true?
+- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use?
+- **MediaCenterInUse** Is Windows Media Center actively being used?
+- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition?
+- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
+
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client.
+
+The following fields are available:
+
+- **DatasourceApplicationFile_RS2** The total DatasourceApplicationFile objects targeting Windows 10 version 1703 present on this device.
+- **DatasourceDevicePnp_RS2** The total DatasourceDevicePnp objects targeting Windows 10 version 1703 present on this device.
+- **DatasourceDriverPackage_RS2** The total DatasourceDriverPackage objects targeting Windows 10 version 1703 present on this device.
+- **DataSourceMatchingInfoBlock_RS2** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
+- **DataSourceMatchingInfoPassive_RS2** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1703 present on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device.
+- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device.
+- **DecisionApplicationFile_RS2** The total DecisionApplicationFile objects targeting Windows 10 version 1703 present on this device.
+- **DecisionDevicePnp_RS2** The total DecisionDevicePnp objects targeting Windows 10 version 1703 present on this device.
+- **DecisionDriverPackage_RS2** The total DecisionDriverPackage objects targeting Windows 10 version 1703 present on this device.
+- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
+- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 present on this device.
+- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device.
+- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device.
+- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 present on this device.
+- **InventoryApplicationFile** The total InventoryApplicationFile objects that are present on this device.
+- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device.
+- **InventoryMediaCenter** The total InventoryMediaCenter objects that are present on this device.
+- **InventorySystemBios** The total InventorySystemBios objects that are present on this device.
+- **InventoryUplevelDriverPackage** The total InventoryUplevelDriverPackage objects that are present on this device.
+- **PCFP** An ID for the system that is calculated by hashing hardware identifiers.
+- **SystemMemory** The total SystemMemory objects that are present on this device.
+- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device.
+- **SystemProcessorLahfSahf** The total SystemProcessorLahfSahf objects that are present on this device.
+- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device.
+- **SystemProcessorPrefetchW** The total SystemProcessorPrefetchW objects that are present on this device.
+- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device.
+- **SystemTouch** The total SystemTouch objects that are present on this device.
+- **SystemWim** The total SystemWim objects that are present on this device
+- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device.
+- **SystemWlan** The total SystemWlan objects that are present on this device.
+- **Wmdrm_RS2** The total Wmdrm objects targeting Windows 10 version 1703 present on this device.
+- **DatasourceApplicationFile_RS3** "The total DecisionApplicationFile objects targeting the next release of Windows on this device. "
+- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
+- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device.
+- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device.
+- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
+
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
+
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
+
+This event indicates that a new set of SystemProcessorSse2Add events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
+
+This event indicates that a new set of InventorySystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
+
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
+
+This event indicates that a new set of SystemMemoryAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
+
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
+
+This event indicates that a new set of SystemProcessorNxAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
+
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimStartSync
+
+This event indicates that a new set of SystemWimAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
+
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
+
+This event indicates that a new set of SystemTouchAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageEndSync
+
+This event indicates that a full set of DatasourceDriverPackageAdd events has been sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
+
+This event indicates that a new set of SystemWlanAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
+
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
+
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
+
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
+
+This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmStartSync
+
+This event indicates that a new set of WmdrmAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveEndSync
+
+This event indicates that a full set of DataSourceMatchingInfoPassiveAdd events have been sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
+
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
+
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
+
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
+
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
+
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
+
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
+
+This event indicates that the DecisionDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
+
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
+
+This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmAdd
+
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Same as NeedsDismissAction
+- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation.
+- **WmdrmApiResult** Raw value of the API used to gather DRM state.
+- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
+- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased
+- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses.
+- **WmdrmPurchased** Indicates if the system has any files with permanent licenses.
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
+
+This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BootCritical** Is the driver package marked as boot critical?
+- **Build** The build value from the driver package.
+- **CatalogFile** The name of the catalog file within the driver package.
+- **Class** The device class from the driver package.
+- **ClassGuid** The device class GUID from the driver package.
+- **Date** The date from the driver package.
+- **Inbox** Is the driver package of a driver that is included with Windows?
+- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU
+- **Provider** The provider of the driver package.
+- **PublishedName** The name of the INF file, post-rename.
+- **Revision** The revision of the driver package.
+- **SignatureStatus** Indicates if the driver package is signed. Unknown:0, Unsigned:1, Signed: 2
+- **VersionMajor** The major version of the driver package.
+- **VersionMinor** The minor version of the driver package.
+
+### Microsoft.Windows.Appraiser.General.GatedRegChange
+
+This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date.
+
+The following fields are available:
+
+- **NewData** The data in the registry value after the scan completed.
+- **OldData** The previous data in the registry value before the scan ran.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **RegKey** The registry key name for which a result is being sent.
+- **RegValue** The registry value for which a result is being sent.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
+
+This event indicates that the DatasourceApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
+
+This event indicates that the DatasourceDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
+
+This event indicates that the DatasourceDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
+
+This event indicates that the SystemProcessorSse2 object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
+
+This event indicates that the InventoryUplevelDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
+
+This event indicates that the DecisionMediaCenter object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
+
+This event indicates that the InventoryMediaCenter object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
+
+This event indicates that the DatasourceSystemBios object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
+
+This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
+
+This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchRemove
+
+"This event indicates that the SystemTouch object is no longer present. "
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
+
+This event indicates that the SystemWindowsActivationStatus object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanRemove
+
+"This event indicates that the SystemWlan object is no longer present. "
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
+
+This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
+
+This event indicates that the SystemProcessorNx object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
+
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
+
+This event indicates that the DecisionDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
+
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
+
+This event that the SystemMemory object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
+
+This event indicates that the DecisionMatchingInfoBlock object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
+
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
+
+This event indicates that the InventoryApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimRemove
+
+"This event indicates that the SystemWim object is no longer present. "
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
+
+"This event indicates that the InventorySystemBios object is no longer present. "
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmRemove
+
+This event indicates that the Wmdrm object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
+
+"This event indicates that the SystemProcessorLahfSahf object is no longer present. "
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
+
+This event indicates that the InventoryLanguagePack object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
+
+This event indicates that the DecisionDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
+
+This event indicates that the DecisionSystemBios object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
+
+"This event indicates that the SystemProcessorCompareExchange object is no longer present. "
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
+
+This event indicates that the SystemProcessorPrefetchW object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryDriverBinaryEndSync
+
+This event indicates that a full set of InventoryDriverBinaryAdd events has been sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
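Review bot: the description under SystemMemoryRemove is missing its verb ("This event that the SystemMemory object is no longer present."); it should read "This event indicates that ..." like the sibling Remove events. In the same run of entries, DecisionMatchingInfoPassiveRemove capitalizes "Indicates" mid-sentence, and the descriptions for SystemWimRemove, InventorySystemBiosRemove, SystemProcessorLahfSahfRemove and SystemProcessorCompareExchangeRemove are wrapped in literal double quotes with a trailing space, which looks like residue from a CSV export and will render as quoted text. Strip the quotes and the trailing space so every Remove event uses the same sentence form.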
+## Census events
+
+### Census.Battery
+
+This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalBatteryCapablities** Represents information about what the battery is capable of doing.
+- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity to estimate the battery's wear.
+- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh.
+- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance.
+- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
+
+
+### Census.Enterprise
+
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment.
+
+The following fields are available:
+
+- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
+- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
+- **CDJType** Represents the type of cloud domain joined for the machine.
+- **CommercialId** Represents the GUID for the commercial entity which the device is a member of. Will be used to reflect insights back to customers.
+- **ContainerType** The type of container, such as process or virtual machine hosted.
+- **EnrollmentType** Represents the type of enrollment, such as MDM or Intune, for a particular device.
+- **HashedDomain** The hashed representation of the user domain used for login.
+- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsDERequirementMet** Represents if the device can do device encryption.
+- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption
+- **IsDomainJoined** Indicates whether a machine is joined to a domain.
+- **IsEDPEnabled** Represents if Enterprise data protected on the device.
+- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
+- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
+- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
+
+
+### Census.App
+
+This event sends version data about the Apps running on this device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **CensusVersion** The version of Census that generated the current data for this device.
+- **IEVersion** Retrieves which version of Internet Explorer is running on this device.
+
+
+### Census.Camera
+
+This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
+- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
+
+
+### Census.UserDisplay
+
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
+- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **InternalPrimaryDisplayType** Represents the type of technology used in the monitor, such as Plasma, LED, LCOS, etc.
+- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
+- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
+- **VRAMDedicated** Retrieves the video RAM in MB.
+- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card.
+- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use.
+
+
+### Census.Firmware
+
+This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS).
+- **FirmwareReleaseDate** Represents the date the current firmware was released.
+- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI.
+- **FirmwareVersion** Represents the version of the current firmware.
+
+
+### Census.Flighting
+
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **DeviceSampleRate** The telemetry sample rate assigned to the device.
+- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
+- **FlightIds** A list of the different Windows Insider builds on this device.
+- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
+- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program.
+- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device.
+- **SSRK** Retrieves the mobile targeting settings.
+
+
+### Census.Hardware
+
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ActiveMicCount** The number of active microphones attached to the device.
+- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
+- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields.
+- **D3DMaxFeatureLevel** The supported Direct3D version.
+- **DeviceColor** Indicates a color of the device.
+- **DeviceForm** Indicates the form as per the device classification.
+- **DeviceName** The device name that is set by the user.
+- **DigitizerSupport** Is a digitizer supported?
+- **DUID** The device unique ID.
+- **Gyroscope** Indicates whether the device has a gyroscope.
+- **InventoryId** The device ID used for compatibility testing.
+- **Magnetometer** Indicates whether the device has a magnetometer.
+- **NFCProximity** Indicates whether the device supports NFC.
+- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device.
+- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date.
+- **OEMModelBaseBoard** The baseboard model used by the OEM.
+- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices.
+- **OEMModelName** The device model name.
+- **OEMModelNumber** The device model number.
+- **OEMModelSKU** The device edition that is defined by the manufacturer.
+- **OEMModelSystemFamily** The system family set on the device by an OEM.
+- **OEMModelSystemVersion** The system model version set on the device by the OEM.
+- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary.
+- **OEMSerialNumber** The serial number of the device that is set by the manufacturer.
+- **PhoneManufacturer** The friendly name of the phone manufacturer.
+- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
+- **SoCName** The firmware manufacturer of the device.
+- **StudyID** Used to identify retail and non-retail device.
+- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced.
+- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions.
+- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user.
+- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
+- **VoiceSupported** Does the device have a cellular radio capable of making voice calls?
+
+
+### Census.Memory
+
+This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date.
+
+The following fields are available:
+
+- **TotalPhysicalRAM** Represents the physical memory (in MB).
+- **TotalVisibleMemory** Represents the memory that is not reserved by the system.
+
+
+### Census.Network
+
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date.
+
+The following fields are available:
+
+- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user.
+- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users.
+- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US.
+- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **NetworkAdapterGUID** The GUID of the primary network adapter.
+- **NetworkCost** Represents the network cost associated with a connection.
+- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+
+
+### Census.OS
+
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine.
+- **AssignedAccessStatus** The kiosk configuration mode.
+- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled.
+- **DeveloperUnlockStatus** "Represents if a device has been developer unlocked by the user or Group Policy. "
+- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
+- **GenuineState** Retrieves the ID Value specifying the OS Genuine check.
+- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
+- **InstallLanguage** The first language installed on the user machine.
+- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode.
+- **IsEduData** Returns Boolean if the education data policy is enabled.
+- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
+- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
+- **LanguagePacks** The list of language packages installed on the device.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
+- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
+- **OSEdition** Retrieves the version of the current OS.
+- **OSInstallDateTime** Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd
+- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
+- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
+- **OSSKU** Retrieves the Friendly Name of OS Edition.
+- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
+- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines.
+- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine.
+- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS.
+- **ProductActivationResult** Returns Boolean if the OS Activation was successful.
+- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues.
+- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key.
+- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability.
+- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy.
+- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy.
+- **ServiceProductKeyID** Retrieves the License key of the KMS
+- **SharedPCMode** Returns Boolean for education devices used as shared cart
+- **Signature** Retrieves if it is a signature machine sold by Microsoft store.
+- **SLICStatus** Whether a SLIC table exists on the device.
+- **SLICVersion** Returns OS type/version from SLIC table.
+
+
+### Census.Processor
+
+This event sends data about the processor (architecture, speed, number of cores, manufacturer, and model number), to help keep Windows up to date.
+
+The following fields are available:
+
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture.
+- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz.
+- **ProcessorCores** Retrieves the number of cores in the processor.
+- **ProcessorIdentifier** The processor identifier of a manufacturer.
+- **ProcessorManufacturer** Retrieves the name of the processor's manufacturer.
+- **ProcessorModel** Retrieves the name of the processor model.
+- **ProcessorPhysicalCores** Number of physical cores in the processor.
+- **ProcessorUpdateRevision** The microcode version.
+- **SocketCount** Number of physical CPU sockets of the machine.
+
+
+### Census.Storage
+
+This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
+
+The following fields are available:
+
+- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB.
+- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
+- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
+
+
+### Census.VM
+
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
+
+The following fields are available:
+
+- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
+- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
+- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
+- **isVDI** Is the device using Virtual Desktop Infrastructure?
+- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#HASH#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#HASH#1 Hypervisors.
+- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
+- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
+
+
+### Census.Xbox
+
+This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
+
+The following fields are available:
+
+- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
+- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
+- **XboxLiveDeviceId** Retrieves the unique device id of the console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS.
+
+
+### Census.Userdefault
+
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf
+- **DefaultBrowserProgId** The ProgramId of the current user's default browser
+
+
+### Census.UserNLS
+
+This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultAppLanguage** The current user Default App Language.
+- **DisplayLanguage** The current user preferred Windows Display Language.
+- **HomeLocation** The current user location, which is populated using GetUserGeoId() function.
+- **KeyboardInputLanguages** The Keyboard input languages installed on the device.
+- **SpeechInputLanguages** The Speech Input languages installed on the device.
+
+
+### Census.WU
+
+This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading.
+- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
+- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
+- **AppStoreAutoUpdatePolicy** Retrieves the Windows Store App Auto Update group policy setting
+- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
+- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
+- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
+- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
+- **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
+- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
+- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
+- **OSRollbackCount** The number of times feature updates have rolled back on the device.
+- **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
+- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
+- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
+- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
+- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
+- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates
+- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades
+- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
+- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
+- **WUPauseState** Retrieves WU setting to determine if updates are paused
+- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
+
+
+### Census.Speech
+
+This event is used to gather basic speech settings on the device.
+
+The following fields are available:
+
+- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked.
+- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
+- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
+- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
+- **KWSEnabled** "Cortana setting that represents if a user has enabled the ""Hey Cortana"" keyword spotter (KWS)."
+- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
+- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities.
+- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
+- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
+
+### Census.Security
+
+This event provides information on about security settings used to help keep Windows up-to-date and secure.
+
+- **AvailableSecurityProperties** Enumerates and reports state on the relevant security properties for Device Guard.
+- **CGRunning** Is Credential Guard running?
+- **DGState** A summary of the Device Guard state.
+- **HVCIRunning** Is HVCI running?
+- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
+- **SecureBootCapable** Is this device capable of running Secure Boot?
+- **VBSState** Is virtualization-based security enabled, disabled, or running?
+
+
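Review bot: several Census.OS field descriptions do not match their field names and, read literally, say that license keys are collected: ActivationChannel is described as "Retrieves the retail license key or Volume license key for a machine", and OA3xOriginalProductKey, ProductKeyID2 and ServiceProductKeyID are each described as retrieving a license key. For a privacy-facing reference, state for each field whether the value sent is the full key, a partial key, a key ID or a channel name. Also in the Census section: the IsVirtualDevice description under Census.VM still contains the unresolved token "Hv#HASH#1"; IsFlightsDisabled under Census.Flighting is described as whether the device "is participating", which reads as the opposite of the field name; Census.Security opens with "information on about" and omits the "The following fields are available:" line that the other events carry; and the DeveloperUnlockStatus and KWSEnabled descriptions have stray CSV-style quotes.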
+## Diagnostic data events
+
+### TelClientSynthetic.AuthorizationInfo_Startup
+
+This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date.
+
+The following fields are available:
+
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
+- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
+- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
+- **CanPerformScripting** True if UTC is allowed to perform scripting.
+- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
+- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
+
+
+### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
+
+This event sends data indicating that a device has undergone a change of telemetry opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
+
+The following fields are available:
+
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
+- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
+- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
+- **CanPerformScripting** True if UTC is allowed to perform scripting.
+- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
+- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry opt-in level was last changed.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
+
+
+### TelClientSynthetic.ConnectivityHeartBeat_0
+
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+
+The following fields are available:
+
+- **CensusExitCode** Returns last execution codes from census client run.
+- **CensusStartTime** Returns timestamp corresponding to last successful census run.
+- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine.
+- **LastConnectivityLossTime** Retrieves the last time the device lost free network.
+- **LastConntectivityLossTime** Retrieves the last time the device lost free network.
+- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network.
+- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds.
+- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds.
+
+
+### TelClientSynthetic.HeartBeat_5
+
+This event sends data about the health and quality of the telemetry data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+
+The following fields are available:
+
+- **AgentConnectionErrorsCount** The number of non-timeout errors associated with the host/agent channel.
+- **CensusExitCode** The last exit code of the Census task.
+- **CensusStartTime** The time of the last Census run.
+- **CensusTaskEnabled** Indicates whether Census is enabled.
+- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the telemetry client.
+- **CriticalDataDbDroppedCount** The number of critical data sampled events that were dropped at the database layer.
+- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
+- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database.
+- **DbCriticalDroppedCount** The total number of dropped critical events in the event database.
+- **DbDroppedCount** The number of events that were dropped because the database was full.
+- **DecodingDroppedCount** The number of events dropped because of decoding failures.
+- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated.
+- **EtwDroppedBufferCount** The number of buffers dropped in the CUET ETW session.
+- **EtwDroppedCount** The number of events dropped by the ETW layer of the telemetry client.
+- **EventSubStoreResetCounter** The number of times the event database was reset.
+- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance.
+- **EventsUploaded** The number of events that have been uploaded.
+- **Flags** Flags that indicate device state, such as network, battery, and opt-in state.
+- **FullTriggerBufferDroppedCount** The number of events that were dropped because the trigger buffer was full.
+- **HeartBeatSequenceNumber** A monotonically increasing heartbeat counter.
+- **InvalidHttpCodeCount** The number of invalid HTTP codes received from Vortex.
+- **LastAgentConnectionError** The last non-timeout error that happened in the host/agent channel.
+- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size.
+- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex.
+- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
+- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experience and Telemetry component.
+- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events.
+- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service.
+- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
+- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers.
+- **UploaderDroppedCount** The number of events dropped by the uploader layer of the telemetry client.
+- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
+- **VortexHttpAttempts** The number of attempts to contact the Vortex service.
+- **VortexHttpFailures4xx** The number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex.
+
+
+### TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate
+
+This event sends basic data on privacy settings before and after a feature update. This is used to ensure that customer privacy settings are correctly migrated across feature updates.
+
+The following fields are available:
+
+- **PostUpgradeSettings** The privacy settings after a feature update.
+- **PreUpgradeSettings** The privacy settings before a feature update.
+
+
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **aiSeqId** The event sequence ID.
+- **bootId** The system boot ID.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **DisplayAdapterLuid** The display adapter LUID.
+- **DriverDate** The date of the display driver.
+- **DriverRank** The rank of the display driver.
+- **DriverVersion** The display driver version.
+- **GPUDeviceID** The GPU device ID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **GPURevisionID** The GPU revision ID.
+- **GPUVendorID** The GPU vendor ID.
+- **InterfaceId** The GPU interface ID.
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMiracastSupported** Does the GPU support Miracast?
+- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsPostAdapter** Is this GPU the POST GPU in the device?
+- **IsRenderDevice** Does the GPU have rendering capabilities?
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **SubSystemID** The subsystem ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **version** The event version.
+- **WDDMVersion** The Windows Display Driver Model version.
+- **NumVidPnSources** The number of supported display output sources.
+- **NumVidPnTargets** The number of supported display output targets.
+
+
+## Fault Reporting events
+
+### Microsoft.Windows.FaultReporting.AppCrashEvent
+
+"This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes"" by a user DO NOT emit this event."
+
+The following fields are available:
+
+- **AppName** The name of the app that has crashed.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppTimeStamp** The date/time stamp of the app.
+- **AppVersion** The version of the app that has crashed.
+- **ExceptionCode** The exception code returned by the process that has crashed.
+- **ExceptionOffset** The address where the exception had occurred.
+- **Flags** "Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. "
+- **ModName** Exception module name (e.g. bar.dll).
+- **ModTimeStamp** The date/time stamp of the module.
+- **ModVersion** The version of the module that has crashed.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ProcessId** The ID of the process that has crashed.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported
+- **TargetAsId** The sequence number for the hanging process.
+
+
+## Feature update events
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
+
+This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state
+
+The following fields are available:
+
+- **failureReason** Provides data about the uninstall initialization operation failure
+- **hr** Provides the Win32 error code for the operation failure
+
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered
+
+Indicates that the uninstall was properly configured and that a system reboot was initiated
+
+The following fields are available:
+
+- **name** Name of the event
+
+
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppVersion** The version of the app that has hung.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **ProcessId** The ID of the process that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+- **TypeCode** Bitmap describing the hang type.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+
+
+## Inventory events
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
+
+This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
+
+This event sends basic metadata about the USB hubs on the device
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events
+- **TotalUserConnectablePorts** Total number of connectable USB ports
+- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
+
+This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule
+
+The following fields are available:
+
+- **Count** Count of total Microsoft Office VBA rule violations
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
+
+This event provides data on the installed Office Add-ins.
+
+- **AddInCLSID** The CLSID key office the Office addin.
+- **AddInId** The ID of the Office addin.
+- **BinFileTimestamp** The timestamp of the Office addin.
+- **BinFileVersion** The version of the Office addin.
+- **Description** The description of the Office addin.
+- **FileId** The file ID of the Office addin.
+- **FriendlyName** The friendly name of the Office addin.
+- **FullPath** The full path to the Office addin.
+- **LoadBehavior** A Uint32 that describes the load behavior.
+- **LoadTime** The load time for the Office addin.
+- **OfficeApplication** The OIffice application for this addin.
+- **OfficeArchitecture** The architecture of the addin.
+- **OfficeVersion** The Office version for this addin.
+- **OutlookCrashingAddin** A boolean value that indicates if crashes have been found for this addin.
+- **Provider** The provider name for this addin.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
+
+This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions
+
+The following fields are available:
+
+- **Design** Count of files with design issues found
+- **Design_x64** Count of files with 64 bit design issues found
+- **DuplicateVBA** Count of files with duplicate VBA code
+- **HasVBA** Count of files with VBA code
+- **Inaccessible** Count of files that were inaccessible for scanning
+- **Issues** Count of files with issues detected
+- **Issues_x64** Count of files with 64-bit issues detected
+- **IssuesNone** Count of files with no issues detected
+- **IssuesNone_x64** Count of files with no 64-bit issues detected
+- **Locked** Count of files that were locked, preventing scanning
+- **NoVBA** Count of files with no VBA inside
+- **Protected** Count of files that were password protected, preventing scanning
+- **RemLimited** Count of files that require limited remediation changes
+- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues
+- **RemSignificant** Count of files that require significant remediation changes
+- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues
+- **Score** Overall compatibility score calculated for scanned content
+- **Score_x64** Overall 64-bit compatibility score calculated for scanned content
+- **Total** Total number of files scanned
+- **Validation** Count of files that require additional manual validation
+- **Validation_x64** Count of files that require additional manual validation for 64-bit issues
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
+
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
+
+This event provides the basic metadata about the frameworks an application may depend on
+
+The following fields are available:
+
+- **FileId** A hash that uniquely identifies a file
+- **Frameworks** The list of frameworks this file depends on
+- **InventoryVersion** The version of the inventory file generating the events
+- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
+
+These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date.
+
+The following fields are available:
+
+- **IndicatorValue** The indicator value
+- **Value** Describes an operating system indicator that may be relevant for the device upgrade.
+
+
+### Microsoft.Windows.Inventory.Indicators.Checksum
+
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
+
+The following fields are available:
+
+- **ChecksumDictionary** A count of each operating system indicator.
+- **PCFP** Equivalent to the InventoryId field that is found in other core events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+
+This event sends basic metadata about an application on the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **HiddenArp** Indicates whether a program hides itself from showing up in ARP.
+- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics).
+- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00
+- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array.
+- **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Language** The language code of the program.
+- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **MsiProductCode** A GUID that describe the MSI Product.
+- **Name** The name of the application
+- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
+- **PackageFullName** The package full name for a Store application.
+- **ProgramInstanceId** A hash of the file IDs in an app.
+- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
+- **RootDirPath** The path to the root directory where the program was installed.
+- **Source** How the program was installed (ARP, MSI, Appx, etc...)
+- **StoreAppType** A sub-classification for the type of Windows Store app, such as UWP or Win8StoreApp.
+- **Type** "One of (""Application"", ""Hotfix"", ""BOE"", ""Service"", ""Unknown""). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen."
+- **Version** The version number of the program.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
+
+This event indicates that a new set of InventoryApplicationAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
+
+This event indicates that the InventoryDeviceContainer object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
+
+This event sends basic metadata about drive packages installed on the system to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **Class** The class name for the device driver.
+- **ClassGuid** The class GUID for the device driver.
+- **Date** The driver package date.
+- **Directory** The path to the driver package.
+- **DriverInBox** Is the driver included with the operating system?
+- **Inf** The INF name of the driver package.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Provider** The provider for the driver package.
+- **SubmissionId** The HLK submission ID for the driver package.
+- **Version** The version of the driver package.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
+
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
+
+This event indicates that the InventoryDriverBinary object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
+
+This event indicates that the InventoryDriverPackageRemove object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
+
+This event indicates that the InventoryDevicePnpRemove object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
+
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **Categories** A comma separated list of functional categories in which the container belongs.
+- **DiscoveryMethod** The discovery method for the device container.
+- **FriendlyName** The name of the device container.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **IsActive** Is the device connected, or has it been seen in the last 14 days?
+- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
+- **IsMachineContainer** Is the container the root device itself?
+- **IsNetworked** Is this a networked device?
+- **IsPaired** Does the device container require pairing?
+- **Manufacturer** The manufacturer name for the device container.
+- **ModelId** A model GUID.
+- **ModelName** The model name.
+- **ModelNumber** The model number for the device container.
+- **PrimaryCategory** The primary category for the device container.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
+
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
+
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
+
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
+
+This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
+
+This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+
+The following fields are available:
+
+- **Audio_CaptureDriver** The Audio device capture driver endpoint.
+- **Audio_RenderDriver** The Audio device render driver endpoint.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
+
+This event represents the basic metadata about a PNP device and its associated driver
+
+The following fields are available:
+
+- **class** The device setup class of the driver loaded for the device
+- **classGuid** The device class GUID from the driver package
+- **COMPID** A JSON array the provides the value and order of the compatible ID tree for the device.
+- **ContainerId** A system-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the device.
+- **description** The device description
+- **deviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
+- **DriverId** A unique identifier for the installed device.
+- **DriverName** The name of the driver image file.
+- **driverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **driverVerDate** The date of the driver loaded for the device
+- **driverVerVersion** The version of the driver loaded for the device
+- **enumerator** The bus that enumerated the device
+- **HWID** A JSON array that provides the value and order of the HWID tree for the device.
+- **Inf** The INF file name.
+- **installState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InventoryVersion** The version of the inventory file generating the events.
+- **lowerClassFilters** Lower filter class drivers IDs installed for the device.
+- **lowerFilters** Lower filter drivers IDs installed for the device
+- **manufacturer** The device manufacturer
+- **matchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance
+- **model** The device model
+- **parentId** Device instance id of the parent of the device
+- **ProblemCode** The current error code for the device.
+- **provider** The device provider
+- **service** The device service name#N##N##N##N##N#
+- **STACKID** A JSON array that provides the value and order of the STACKID tree for the device.
+- **upperClassFilters** Upper filter class drivers IDs installed for the device
+- **upperFilters** Upper filter drivers IDs installed for the device
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
+
+This event provides the basic metadata about driver binaries running on the system
+
+The following fields are available:
+
+- **DriverCheckSum** The checksum of the driver file.
+- **DriverCompany** The company name that developed the driver.
+- **driverInBox** Is the driver included with the operating system?
+- **driverIsKernelMode** Is it a kernel mode driver?
+- **DriverName** The file name of the driver.
+- **driverPackageStrongName** The strong name of the driver package
+- **driverSigned** The strong name of the driver package
+- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file.
+- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
+- **DriverVersion** The version of the driver file.
+- **ImageSize** The size of the driver file.
+- **Inf** The name of the INF file.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Product** The product name that is included in the driver file.
+- **ProductVersion** The product version that is included in the driver file.
+- **service** The device service name
+- **WdfVersion** The Windows Driver Framework version.
+
+
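Review bot: **driverSigned** has the same description as **driverPackageStrongName** ("The strong name of the driver package"), which reads as a copy-paste slip. Going by its name, it should say whether the driver is signed, in the question style already used for driverInBox and driverIsKernelMode. The **DriverType** entry would also be easier to check as a sub-list or table than as sixteen numbered defines run together on one line, and DRIVER_MAP_DRIVER_IS_SELF_SIGNED (0x0020) is listed after DRIVER_MAP_DRIVER_IS_WINQUAL (0x0040), so the flags are out of numeric order.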
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicator
+
+This event sends value data about the markers on custom devices, to help keep Windows up to date. The formal name for markers is UEX Indicators. See marker list for definitions.
+
+The following fields are available:
+
+- **IndicatorValue** Value of the marker/indicator
+- **Key** Name of the marker/indicator
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
+
+This event sends inventory component versions for the Device Inventory data.
+
+The following fields are available:
+
+- **aeinv** The version of the App inventory component.
+- **devinv** The file version of the Device inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
+
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
+
+The following fields are available:
+
+- **Device** A count of device objects in cache
+- **DeviceCensus** A count of devicecensus objects in cache
+- **DriverPackageExtended** A count of driverpackageextended objects in cache
+- **File** A count of file objects in cache
+- **FileSigningInfo** A count of file signing info objects in cache.
+- **Generic** A count of generic objects in cache
+- **HwItem** A count of hwitem objects in cache
+- **InventoryApplication** A count of application objects in cache
+- **InventoryApplicationFile** A count of application file objects in cache
+- **InventoryDeviceContainer** A count of device container objects in cache
+- **InventoryDeviceInterface** A count of inventory device interface objects in cache.
+- **InventoryDeviceMediaClass** A count of device media objects in cache
+- **InventoryDevicePnp** A count of devicepnp objects in cache
+- **InventoryDriverBinary** A count of driver binary objects in cache
+- **InventoryDriverPackage** A count of device objects in cache
+- **Metadata** A count of metadata objects in cache
+- **Orphan** A count of orphan file objects in cache
+- **Programs** A count of program objects in cache
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
+
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
+
+This event retrieves information about what sensor interfaces are available on the device.
+
+The following fields are available:
+
+- **Accelerometer3D** Indicates if an Accelerator3D sensor is found.
+- **ActivityDetection** Indicates if an Activity Detection sensor is found.
+- **AmbientLight** Indicates if an Ambient Light sensor is found.
+- **Barometer** Indicates if a Barometer sensor is found.
+- **Custom** Indicates if a Custom sensor is found.
+- **EnergyMeter** Indicates if an Energy sensor is found.
+- **FloorElevation** Indicates if a Floor Elevation sensor is found.
+- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found.
+- **GravityVector** Indicates if a Gravity Detector sensor is found.
+- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found.
+- **Humidity** Indicates if a Humidity sensor is found.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found.
+- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found.
+- **Orientation** Indicates if an Orientation sensor is found.
+- **Pedometer** Indicates if a Pedometer sensor is found.
+- **Proximity** Indicates if a Proximity sensor is found.
+- **RelativeOrientation** Indicates if a Relative Orientation sensor is found.
+- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found.
+- **Temperature** Indicates if a Temperature sensor is found.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
+
+This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
+
+This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
+
+There are no fields in this event.
+
+## OneDrive events
+
+### Microsoft.OneDrive.Sync.Updater.OfficeRegistration
+
+This event determines the status of the OneDrive integration with Microsoft Office.
+
+The following fields are available:
+
+- **isValid** Is the Microsoft Office registration valid?
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateTierReg
+
+This event determines status of the update tier registry values.
+
+The following fields are available:
+
+- **regReadEnterpriseHr** The HResult of the enterprise reg read value.
+- **regReadTeamHr** The HResult of the team reg read value.
+
+
+### Microsoft.OneDrive.Sync.Updater.RepairResult
+
+The event determines the result of the installation repair.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
+
+This event determines the status when downloading the OneDrive update configuration file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.SetupBinaryDownloadHResult
+
+This event indicates the status when downloading the OneDrive setup file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
+
+This event determines the outcome of the operation.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+- **IsLoggingEnabled** Is logging enabled?
+- **UpdaterVersion** The version of the updater.
+
+
+### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
+
+This event determines the error code that was returned when verifying Internet connectivity.
+
+The following fields are available:
+
+- **winInetError** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
+
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+
+The following fields are available:
+
+- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system.
+- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system.
+- **SixtyFourBit** The status of the OneDrive overlay icon on a 32-bit operating system.
+- **ThirtyTwoBit** The status of the OneDrive overlay icon on a 64-bit operating system.
+
+
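Review bot: The descriptions of **SixtyFourBit** and **ThirtyTwoBit** are swapped. SixtyFourBit is documented as the status on a 32-bit operating system and ThirtyTwoBit as the status on a 64-bit one, the reverse of the **32bit** and **64bit** entries directly above. Swap the two descriptions, and state whether both name pairs are emitted or whether one pair replaces the other, since the list currently documents four fields for two values.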
+### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
+
+This event determines the installation state of dependent OneDrive components.
+
+The following fields are available:
+
+- **ComponentName** The name of the dependent component.
+- **isInstalled** Is the dependent component installed?
+
+
+### Microsoft.OneDrive.Sync.Updater.CommonData
+
+This event contains basic OneDrive configuration data that helps to diagnose failures.
+
+The following fields are available:
+
+- **AppVersion** The version of the app.
+- **BuildArch** Is the architecture x86 or x64?
+- **Environment** Is the device on the production or int service?
+- **IsMSFTInternal** Is this an internal Microsoft device?
+- **MachineGuid** The CEIP machine ID.
+- **Market** Which market is this in?
+- **OfficeVersion** The version of Office that is installed.
+- **OneDriveDeviceId** The OneDrive device ID.
+- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
+- **OSUserName** Only if the device is internal to Microsoft, the user name.
+- **UserGuid** A unique global user identifier.
+
+
+### Microsoft.OneDrive.Sync.Setup.APIOperation
+
+This event includes basic data about install and uninstall OneDrive API operations.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **Duration** How long the operation took.
+- **IsSuccess** Was the operation successful?
+- **ResultCode** The result code.
+- **ScenarioName** The name of the scenario.
+
+
+### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
+
+This event is related to registering or unregistering the OneDrive update task.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **IsSuccess** Was the operation successful?
+- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
+- **ScenarioName** The name of the scenario.
+- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation.
+
+
+### Microsoft.OneDrive.Sync.Setup.EndExperience
+
+This event includes a success or failure summary of the installation.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **HResult** Indicates the result code of the event
+- **IsSuccess** Was the operation successful?
+- **ScenarioName** The name of the scenario.
+
+
+### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
+
+This event is related to the OS version when the OS is upgraded with OneDrive installed.
+
+The following fields are available:
+
+- **CurrentOneDriveVersion** The current version of OneDrive.
+- **CurrentOSBuildBranch** The current branch of the operating system.
+- **CurrentOSBuildNumber** The current build number of the operating system.
+- **CurrentOSVersion** The current version of the operating system.
+- **HResult** The HResult of the operation.
+- **SourceOSBuildBranch** The source branch of the operating system.
+- **SourceOSBuildNumber** The source build number of the operating system.
+- **SourceOSVersion** The source version of the operating system.
+
+
+### Microsoft.OneDrive.Sync.Setup.SetupCommonData
+
+This event contains basic OneDrive configuration data that helps to diagnose failures.
+
+The following fields are available:
+
+- **AppVersion** The version of the app.
+- **BuildArchitecture** Is the architecture x86 or x64?
+- **Environment** Is the device on the production or int service?
+- **MachineGuid** The CEIP machine ID.
+- **Market** Which market is this in?
+- **MSFTInternal** Is this an internal Microsoft device?
+- **OfficeVersionString** The version of Office that is installed.
+- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
+- **OSUserName** Only if the device is internal to Microsoft, the user name.
+- **UserGuid** The CEIP user ID.
+
+
+## Setup events
+
+### SetupPlatformTel.SetupPlatformTelActivityStarted
+
+"This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. "
+
+The following fields are available:
+
+- **Name** The name of the dynamic update type. Example: GDR driver
+
+
+### SetupPlatformTel.SetupPlatformTelActivityEvent
+
+This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up-to-date
+
+The following fields are available:
+
+- **ActivityId** Provides a unique Id to correlate events that occur between a activity start event, and a stop event
+- **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.)
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **value** Value associated with the corresponding event name. For example, time-related events will include the system time
+
+
+### SetupPlatformTel.SetupPlatformTelEvent
+
+This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+
+
+## Shared PC events
+
+### Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount
+
+Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account Manager to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates.
+
+The following fields are available:
+
+- **accountType** The type of account that was deleted. Example: AD, AAD, or Local
+- **userSid** The security identifier of the account.
+- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager.
+
+
+### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
+
+Activity for run of the Transient Account Manager that determines if any user accounts should be deleted for devices set up for Shared PC mode to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates
+
+The following fields are available:
+
+- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager.
+- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies.
+- **evaluationTrigger** When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours
+
+
+## Software update events
+
+### SoftwareUpdateClientTelemetry.UpdateDetected
+
+This event sends data about an AppX app that has been updated from the Windows Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
+
+The following fields are available:
+
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **WUDeviceID** The unique device ID controlled by the software distribution client
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **ServiceGuid** An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
+
+
+### SoftwareUpdateClientTelemetry.SLSDiscovery
+
+This event sends data about the ability of Windows to discover the location of a backend server with which it must connect to perform updates or content acquisition, in order to determine disruptions in availability of update services and provide context for Windows Update errors.
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **HResult** Indicates the result code of the event (success, cancellation, failure code HResult)
+- **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background
+- **NextExpirationTime** Indicates when the SLS cab expires
+- **ServiceID** An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
+- **SusClientId** The unique device ID controlled by the software distribution client
+- **UrlPath** Path to the SLS cab that was downloaded
+- **WUAVersion** The version number of the software distribution client
+
+
+### SoftwareUpdateClientTelemetry.Commit
+
+This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **ClientVersion** The version number of the software distribution client.
+- **DeviceModel** What is the device model.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** State of call
+- **EventType** "Possible values are ""Child"", ""Bundle"", or ""Driver""."
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
+- **RevisionNumber** Unique revision number of Update
+- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Windows Store.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **UpdateId** Unique Update ID
+- **WUDeviceID** UniqueDeviceID
+- **BundleRevisionNumber** Identifies the revision number of the content bundle
+- **FlightId** The specific id of the flight the device is getting
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+
+
+### SoftwareUpdateClientTelemetry.DownloadCheckpoint
+
+This event provides a checkpoint between each of the Windows Update download phases for UUP content
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough
+- **FileId** A hash that uniquely identifies a file
+- **FileName** Name of the downloaded file
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult)
+- **EventType** "Possible values are ""Child"", ""Bundle"", ""Relase"" or ""Driver"""
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion** The version number of the software distribution client
+- **FlightId** The unique identifier for each flight
+- **RevisionNumber** Unique revision number of Update
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.)
+- **UpdateId** Unique Update ID
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
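Review bot: The **EventType** description in this DownloadCheckpoint list still carries spreadsheet-style quoting (the whole sentence wrapped in quotes, each value in doubled quotes) and misspells Release as "Relase". Write it in the plain form the Download event uses ("Possible values are Child, Bundle, or Driver."), with Release added and spelled correctly. The Commit event's EventType entry has the same doubled quotes. The **StatusCode** text here also says "the result of a CheckForUpdates event", which looks carried over from another event and should name the download checkpoint instead.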
+### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
+
+This event identifies whether updates have been tampered with and protects against man-in-the-middle attacks.
+
+The following fields are available:
+
+- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
+- **ExtendedStatusCode** The secondary status code of the event.
+- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed.
+- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
+- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
+- **RevisionId** The revision ID for a specific piece of content.
+- **RevisionNumber** The revision number for a specific piece of content.
+- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store
+- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
+- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
+- **SignatureAlgorithm** The hash algorithm for the metadata signature.
+- **StatusCode** The status code of the event.
+- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
+- **UpdateId** The update ID for a specific piece of content.
+- **TimestampTokenCertThumbprint** "The thumbprint of the encoded timestamp token. "
+- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
+- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
+- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
+- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
+- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
+- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
+- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
+
+
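Review bot: **SHA256OfLeafCertPublicKey** and **SHA256OfLeafCerData** are described almost identically, both as a base64 encoding of a hash of the leaf certificate's Base64 data in FragmentSigning, so a reader cannot tell the public-key hash from the certificate-data hash. Reword SHA256OfLeafCertPublicKey to say it hashes the public key, and settle on one spelling, since the list uses both Base64CertData and Base64CerData. Two smaller points in the same list: **TimestampTokenCertThumbprint** is wrapped in literal quotes with a trailing space, and **TimestampTokenId** is named as an ID but described as "The time this was created", so either the name or the description needs a clarifying word.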
+### SoftwareUpdateClientTelemetry.Download
+
+This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
+- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
+- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle).
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
+- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
+- **ClientManagedByWSUSServer** Indicates whether the client is managed by Windows Server Update Services (WSUS).
+- **ClientVersion** The version number of the software distribution client.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **DeviceModel** What is the device model.
+- **DeviceOEM** What OEM does this device belong to.
+- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
+- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
+- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
+- **Edition** Indicates the edition of Windows being used.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
+- **FlightId** The specific id of the flight (pre-release build) the device is getting.
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **HostName** The hostname URL the content is downloading from.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
+- **IsAOACDevice** Is it Always On, Always Connected?
+- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
+- **NetworkRestrictionStatus** "More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be ""metered."""
+- **PackageFullName** The package name of the content.
+- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
+- **PlatformRole** The PowerPlatformRole as defined on MSDN
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
+- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
+- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
+- **UpdateId** An identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedDO** Whether the download used the delivery optimization service.
+- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **WUSetting** Indicates the users' current updating settings.
+
+
+### SoftwareUpdateClientTelemetry.CheckForUpdates
+
+This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date
+
+The following fields are available:
+
+- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
+- **AllowCachedResults** Indicates if the scan allowed using cached results.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
+- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **ClientVersion** The version number of the software distribution client.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **DeviceModel** What is the device model.
+- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
+- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan.
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **MSIError** The last error that was encountered during a scan for updates.
+- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
+- **Online** Indicates if this was an online scan.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **ScanDurationInSeconds** The number of seconds a scan took
+- **ScanEnqueueTime** The number of seconds it took to initialize a scan
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.).
+- **ServiceUrl** The environment URL a device is configured to scan with
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
+- **SyncType** Describes the type of scan the event was
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation.
+- **BranchReadinessLevel** The servicing branch configured on the device.
+- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
+- **DeferredUpdates** Update IDs which are currently being deferred until a later time
+- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
+- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days).
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days).
+- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days).
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **PausedUpdates** A list of UpdateIds which that currently being paused.
+- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
+- **DriverSyncPassPerformed** Were drivers scanned this time?
+
+
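Review bot: In SoftwareUpdateClientTelemetry.CheckForUpdates, the **CDNId** description is a copy of the **WUDeviceID** text ("The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue"), so it describes a device rather than a CDN. It should say what the CDN identifier actually refers to. In the same list, **MetadataIntegrityMode** has "1-Ignoe" where "1-Ignore" is presumably meant, **PausedUpdates** reads "which that currently being paused", and the fields from **ApplicableUpdateInfo** onward break the alphabetical order used above them, which makes a field hard to find when auditing what this event sends.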
+### SoftwareUpdateClientTelemetry.Install
+
+This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle?
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **CbsDownloadMethod** Was the download a full download or a partial download?
+- **ClientManagedByWSUSServer** Is the client managed by Windows Server Update Services (WSUS)?
+- **ClientVersion** The version number of the software distribution client.
+- **CSIErrorType** The stage of CBS installation where it failed.
+- **CurrentMobileOperator** Mobile operator that device is currently connected to.
+- **DeviceModel** What is the device model.
+- **DeviceOEM** What OEM does this device belong to.
+- **DownloadPriority** The priority of the download activity.
+- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **Edition** Indicates the edition of Windows being used.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **ExtendedErrorCode** The extended error code.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FeatureUpdatePause** Are feature OS updates paused on the device?
+- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
+- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **FlightRing** The ring that a device is on if participating in the Windows Insider Program.
+- **HandlerType** Indicates what kind of content is being installed. Example: app, driver, Windows update
+- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IsAOACDevice** Is it Always On, Always Connected? (Mobile device usage model)
+- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
+- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
+- **IsFirmware** Is this update a firmware update?
+- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
+- **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
+- **IsWUfBEnabled** Is Windows Update for Business enabled on the device?
+- **MergedUpdate** Was the OS update and a BSP update merged for installation?
+- **MsiAction** The stage of MSI installation where it failed.
+- **MsiProductCode** The unique identifier of the MSI installer.
+- **PackageFullName** The package name of the content being installed.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
+- **PlatformRole** The PowerPlatformRole as defined on MSDN.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
+- **QualityUpdatePause** Are quality OS updates paused on the device?
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
+- **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
+- **RevisionNumber** The revision number of this specific piece of content.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode** The ID which represents a given MSI installation
+- **UpdateId** Unique update ID
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **WUSetting** Indicates the user's current updating settings.
+
+
+### SoftwareUpdateClientTelemetry.DownloadHeartbeat
+
+This event allows tracking of ongoing downloads and contains data to explain the current state of the download
+
+The following fields are available:
+
+- **BundleID** Identifier associated with the specific content bundle. If this value is found, it shouldn't report as all zeros
+- **BytesTotal** Total bytes to transfer for this content
+- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat
+- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat
+- **CurrentError** Last (transient) error encountered by the active download
+- **DownloadFlags** Flags indicating if power state is ignored
+- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing)
+- **IsNetworkMetered** "Indicates whether Windows considered the current network to be ?metered"""
+- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
+- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
+- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
+- **RelatedCV** "The previous correlation vector that was used by the client, before swapping with a new one "
+- **ResumeCount** Number of times this active download has resumed from a suspended state
+- **ServiceID** "Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) "
+- **SuspendCount** Number of times this active download has entered a suspended state
+- **SuspendReason** Last reason for why this active download entered a suspended state
+- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion** The version number of the software distribution client
+- **EventType** "Possible values are ""Child"", ""Bundle"", or ""Driver"""
+- **FlightId** The unique identifier for each flight
+- **RevisionNumber** Identifies the revision number of this specific piece of content
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
+- **UpdateId** "Identifier associated with the specific piece of content "
+- **WUDeviceID** "Unique device id controlled by the software distribution client "
+
+
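Review bot: Several field descriptions in SoftwareUpdateClientTelemetry.DownloadHeartbeat still carry quoting residue that looks like it came from a CSV export, for example **IsNetworkMetered** ("Indicates whether Windows considered the current network to be ?metered""" with a stray `?` and tripled quotes), **EventType** (doubled quotes around ""Child"", ""Bundle"", ""Driver""), and the wrapping quotes with trailing spaces on **RelatedCV**, **ServiceID**, **UpdateId** and **WUDeviceID**. These will render literally in the published page, so strip the quotes and the `?`. **PowerState** also has "heartbeart". Separately, **ServiceID** and **ServiceGuid** have the same description. If they are distinct fields, say how they differ, otherwise list only one.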
+## Update events
+
+### Update360Telemetry.UpdateAgentPostRebootResult
+
+This event collects information for both Mobile and Desktop regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current post reboot phase
+- **FlightId** The unique identifier for each flight
+- **ObjectId** Unique value for each Update Agent mode
+- **RelatedCV** Correlation vector value generated from the latest USO scan
+- **Result** Indicates the Hresult
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt
+- **UpdateId** Unique ID for each update
+- **PostRebootResult** Indicates the Hresult
+
+
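Review bot: In Update360Telemetry.UpdateAgentPostRebootResult, **Result** and **PostRebootResult** have the identical description "Indicates the Hresult", which gives a reader no way to tell which field carries what. State what each HRESULT covers and how it relates to **ErrorCode**, and use the "HRESULT" spelling used elsewhere in this file.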
+### Update360Telemetry.UpdateAgent_Initialize
+
+This event sends data during the initialize phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current initialize phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each Update Agent mode attempt .
+- **UpdateId** Unique ID for each update.
+- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+
+
+### Update360Telemetry.UpdateAgent_DownloadRequest
+
+This event sends data during the download request phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current download request phase.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PackageCountOptional** Number of optional packages requested.
+- **PackageCountRequired** Number of required packages requested.
+- **PackageCountTotal** Total number of packages needed.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **PackageSizeCanonical** Size of canonical packages in bytes
+- **PackageSizeDiff** Size of diff packages in bytes
+- **PackageSizeExpress** Size of express packages in bytes
+- **Result** Result of the download request phase of update.
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **DeletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+- **RangeRequestState** Represents the state of the download range request.
+
+
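Review bot: **Result** in Update360Telemetry.UpdateAgent_DownloadRequest is described only as "Result of the download request phase of update", while the same field in UpdateAgent_Initialize and UpdateAgent_Install lists its values (0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled). If the encoding is the same here, list it. If it differs, document the values. **RangeRequestState** and **DeletedCorruptFiles** would likewise benefit from their possible values being listed.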
+### Update360Telemetry.UpdateAgent_Install
+
+This event sends data during the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **Result** "Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled "
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_ModeStart
+
+This event sends data for the start of each mode during the process of updating Windows.
+
+The following fields are available:
+
+- **Mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest scan.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_SetupBoxLaunch
+
+This event sends data during the launching of the setup box when updating Windows.
+
+The following fields are available:
+
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize
+- **SandboxSize** The size of the sandbox folder on the device.
+
+
+## Update notification events
+
+### Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage
+
+This event indicates that Javascript is reporting a schema and a set of values for critical telemetry
+
+The following fields are available:
+
+- **CampaignConfigVersion** Configuration version for the current campaign
+- **CampaignID** Currently campaign that's running on UNP
+- **ConfigCatalogVersion** Current catalog version of UNP
+- **ContentVersion** Content version for the current campaign on UNP
+- **CV** Correlation vector
+- **DetectorVersion** Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
+- **key1** Interaction data for the UI
+- **key10** Interaction data for the UI
+- **key11** Interaction data for the UI
+- **key12** Interaction data for the UI
+- **key13** Interaction data for the UI
+- **key14** Interaction data for the UI
+- **key15** Interaction data for the UI
+- **key16** Interaction data for the UI
+- **key17** Interaction data for the UI
+- **key18** Interaction data for the UI
+- **key19** Interaction data for the UI
+- **key2** Interaction data for the UI
+- **key20** Interaction data for the UI
+- **key21** Interaction data for the UI
+- **key22** Interaction data for the UI
+- **key23** Interaction data for the UI
+- **key24** Interaction data for the UI
+- **key25** Interaction data for the UI
+- **key26** Interaction data for the UI
+- **key27** Interaction data for the UI
+- **key28** Interaction data for the UI
+- **key29** Interaction data for the UI
+- **key3** Interaction data for the UI
+- **key30** Interaction data for the UI
+- **key4** Interaction data for the UI
+- **key5** Interaction data for the UI
+- **key6** Interaction data for the UI
+- **key7** Interaction data for the UI
+- **key8** Interaction data for the UI
+- **key9** Interaction data for the UI
+- **PackageVersion** Current package version of UNP
+- **schema** Type of UI interaction
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat
+
+This event is sent at the start of each campaign, to be used as a heartbeat
+
+The following fields are available:
+
+- **CampaignConfigVersion** Configuration version for the current campaign
+- **CampaignID** Currently campaign that's running on UNP
+- **ConfigCatalogVersion** Current catalog version of UNP
+- **ContentVersion** Content version for the current campaign on UNP
+- **CV** Correlation vector
+- **DetectorVersion** Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
+- **PackageVersion** Current UNP package version
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerCleaningCampaign
+
+This event indicates that the Campaign Manager is cleaning up the campaign content
+
+The following fields are available:
+
+- **CampaignConfigVersion** Configuration version for the current campaign
+- **CampaignID** Current campaign that's running on UNP
+- **ConfigCatalogVersion** Current catalog version of UNP
+- **ContentVersion** Content version for the current campaign on UNP
+- **CV** Correlation vector
+- **DetectorVersion** Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
+- **PackageVersion** Current UNP package version
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerGetIsCamppaignCompleteFailed
+
+This event is sent when a campaign completion status query fails
+
+The following fields are available:
+
+- **CampaignConfigVersion** Configuration version for the current campaign
+- **CampaignID** Current campaign that's running on UNP
+- **ConfigCatalogVersion** Current catalog version of UNP
+- **ContentVersion** Content version for the current campaign on UNP
+- **CV** Correlation vector
+- **DetectorVersion** Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
+- **hresult** HRESULT of the failure
+- **PackageVersion** Current UNP package version
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
+
+This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat
+
+The following fields are available:
+
+- **CampaignConfigVersion** Configuration version for the current campaign
+- **CampaignID** Currently campaign that's running on UNP
+- **ConfigCatalogVersion** Current catalog version of UNP
+- **ContentVersion** Content version for the current campaign on UNP
+- **CV** Correlation vector
+- **DetectorVersion** Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
+- **PackageVersion** Current UNP package version
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed
+
+This event is sent when the Campaign Manager encounters an unexpected error while running the campaign
+
+The following fields are available:
+
+- **CampaignConfigVersion** Configuration version for the current campaign
+- **CampaignID** Currently campaign that's running on UNP
+- **ConfigCatalogVersion** Current catalog version of UNP
+- **ContentVersion** Content version for the current campaign on UNP
+- **CV** Correlation vector
+- **DetectorVersion** Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
+- **hresult** HRESULT of the failure#N#
+- **PackageVersion** Current UNP package version
+
+
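Review bot: The **hresult** line in UnpCampaignManagerRunCampaignFailed ends with a literal `#N#` ("HRESULT of the failure#N#"), which looks like an escaped newline left over from conversion and will show up in the rendered page. Remove it. Across the UpdateNotificationPipeline events, **CampaignID** is described as "Currently campaign that's running on UNP" in some sections and "Current campaign that's running on UNP" in others. Use the second form throughout, and expand "UNP" once on first use.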
+## Upgrade events
+
+### Setup360Telemetry.PreDownloadUX
+
+The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous operating system.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
+- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Examplle: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** Windows Update client ID.
+
+
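Review bot: In Setup360Telemetry.PreDownloadUX, **ReportId** is described as "the Windows Update client ID that is passed to Setup", which duplicates the **ClientId** text two lines above it and disagrees with the other Setup360Telemetry events in this patch, where **ReportId** is "the updateID that is passed to Setup". One of the two is wrong, and as written a reader cannot tell whether this field identifies a client or an update. Also in this section, the intro paragraph spells the event "PredownloadUX" while the heading uses "PreDownloadUX", and **Setup360Scenario** has "Examplle".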
+### Setup360Telemetry.UnexpectedEvent
+
+This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreInstallQuiet
+
+This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT)
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.Finalize
+
+This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PostRebootInstall
+
+This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
+
+
+### Setup360Telemetry.PreDownloadQuiet
+
+This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.OsUninstall
+
+The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.Downlevel
+
+This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the downlevel OS.
+- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. It's an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreInstallUX
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** Windows Update client ID.
+
+
+### Setup360Telemetry.Setup360
+
+This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **FieldName** Retrieves the data point.
+- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
+- **InstanceId** Retrieves a unique identifier for each instance of a setup session.
+- **ReportId** Retrieves the report ID.
+- **ScenarioId** Retrieves the deployment scenario.
+- **Value** Retrieves the value associated with the corresponding FieldName.
+- **ClientId** Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string.
+
+
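Review bot: In Setup360Telemetry.OsUninstall and Setup360Telemetry.PreInstallUX, the **ReportId** description repeats the ClientId text ("this will be the Windows Update client ID that is passed to Setup"), while the other Setup360 events visible here describe ReportId as the updateID that is passed to Setup. This looks like a copy/paste slip. Suggest aligning both entries with the updateID wording, or confirming that these two events really carry the client ID in that field. Smaller points in the same region: the first Setup360Result line reads "can be used used to diagnose errors", and State lists "canceled" in PreDownloadQuiet but "cancelled" in the other events, so pick one spelling.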
+## Windows as a Service diagnostic events
+
+### Microsoft.Windows.WaaSMedic.SummaryEvent
+
+This event provides the results from the WaaSMedic engine
+
+The following fields are available:
+
+- **detectionSummary** Result of each detection that ran
+- **featureAssessmentImpact** Windows as a Service (WaaS) Assessment impact on feature updates
+- **insufficientSessions** True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise
+- **isManaged** Indicates the device is managed for updates
+- **isWUConnected** Indicates the device is connected to Windows Update
+- **noMoreActions** All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions
+- **qualityAssessmentImpact** Windows as a Service (WaaS) Assessment impact for quality updates
+- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on
+- **usingBackupFeatureAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client#N#
+- **usingBackupQualityAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client#N#
+- **versionString** Installed version of the WaaSMedic engine
+- **hrEngineResult** Indicates the WaaSMedic engine operation error codes
+
+
+### Microsoft.Windows.WaaSMedic.Summary
+
+This event provides the results of the WaaSMedic diagnostic run
+
+The following fields are available:
+
+- **detectionSummary** Result of each detection that ran
+- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on
+- **versionString** Installed version of the WaaSMedic engine
+- **featureAssessmentImpact** Windows as a Service (WaaS) Assessment impact on feature updates
+- **insufficientSessions** True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise
+- **isManaged** Indicates the device is managed for updates
+- **isWUConnected** Indicates the device is connected to Windows Update
+- **noMoreActions** All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions
+- **qualityAssessmentImpact** Windows as a Service (WaaS) Assessment impact for quality updates
+- **usingBackupFeatureAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client
+- **usingBackupQualityAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client
+
+
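Review bot: The **insufficientSessions** description in both Microsoft.Windows.WaaSMedic.SummaryEvent and Microsoft.Windows.WaaSMedic.Summary ("True, if the device has enough activity to be eligible for update diagnostics") reads as the opposite of what the field name implies. Please confirm the actual semantics and reword so that the name and the description agree, since anyone filtering on this field will otherwise select the wrong devices. Also in this region: the usingBackupFeatureAssessment and usingBackupQualityAssessment lines under SummaryEvent end with a stray "#N#" that will render literally, and remediationSummary says "turn the it back on" in both events.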
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckCode** "Uint64 ""bugcheck code"" that identifies a proximate cause of the bug check."
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+- **DumpFileSize** Size of the dump file
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+
+
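Review bot: The **BugCheckCode** line in Microsoft.Windows.WERVertical.OSCrash still carries CSV-style quoting ("Uint64 ""bugcheck code"" that ..." wrapped in outer quotes), so the published page will show literal doubled quote characters. Suggest writing it as plain text: Uint64 "bugcheck code" that identifies a proximate cause of the bug check. The event summary above it also has "wheneveer" and "The is the OneCore version", which should read "whenever" and "This is the OneCore version".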
+## Windows Store events
+
+### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
+
+This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The Item Bundle ID.
+- **CategoryId** The Item Category ID.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IntentPFNs** Intent Product Family Name
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Was this requested by a user?
+- **IsMandatory** Was this a mandatory update?
+- **IsRemediation** Was this a remediation install?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Flag indicating if this is an update.
+- **IsWin32** Flag indicating if this is a Win32 app (not used).
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The product family name of the product being installed.
+- **ProductId** The identity of the package or packages being installed.
+- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled.
+- **UpdateId** Update ID (if this is an update)
+- **UserAttemptNumber** The total number of user attempts at installation before it was canceled.
+- **WUContentId** The Windows Update content ID
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
+
+This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+- **AttemptNumber** The total number of attempts to acquire this product.
+- **BundleId** The bundle ID
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** HResult code to show the result of the operation (success/failure).
+- **IntentPFNs** Intent Product Family Name
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Did the user initiate the installation?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this happening after a device restore?
+- **IsUpdate** Is this an update?
+- **IsWin32** Flag indicating if this is a Win32app.
+- **ParentBundledId** The product's parent bundle ID.
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
+- **UpdateId** The update ID (if this is an update)
+- **UserAttemptNumber** The number of attempts by the user to acquire this product
+- **WUContentId** The Windows Update content ID
+
+
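Review bot: Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense documents both **ParentBundledId** and **ParentBundleId** with near-identical meanings, and no other Store event in view lists the "Bundled" spelling. If the event does not actually emit both fields, drop the misspelled entry. If it does, say so explicitly and explain how the two differ, so readers do not assume a documentation typo.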
+### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
+
+This event happens during the app update or installation when content is being downloaded at the end of the process to report success or failure. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The identity of the Windows Insider build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **DownloadSize** The total size of the download.
+- **ExtendedHResult** Any extended HResult error codes.
+- **HResult** The result code of the last action performed.
+- **IntentPFNs** Intent Product Family Name
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this initiated by the user?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this a restore of a previously acquired product?
+- **IsUpdate** Is this an update?
+- **IsWin32** Flag indicating if this is a Win32 app (unused).
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** The Product Family Name of the app being download.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to download.
+- **UpdateId** Update ID (if this is an update)
+- **UserAttemptNumber** The number of attempts by the user to download.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
+
+This event happens when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds
+
+This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
+
+This event is sent after a product has been installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **ExtendedHResult** The extended HResult error code.
+- **HResult** The result code of the last action performed.
+- **IntentPFNs** Intent Product Family Name
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this an interactive installation?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Is this an update?
+- **IsWin32** Flag indicating if this a Win32 app (unused).
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UpdateId** Update ID (if this is an update)
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
+
+This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsApplicability** Is this request to only check if there are any applicable packages to install?
+- **IsInteractive** Is this user requested?
+- **IsOnline** Is the request doing an online check?
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
+
+This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IntentPFNs** The licensing identity of this package.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **IsWin32** Flag indicating if this a Win32 app (unused).
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UpdateId** Update ID (if this is an update)
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
+
+This event is sent between download and installation to see if there is app data that needs to be restored from the cloud. It's used to keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of system attempts.
+- **WUContentId** The Windows Update content ID
+- **IntentPFNs** The licensing identity of this package.
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+
+
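Review bot: In Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData, **UserAttemptNumber** is described as "The total number of system attempts.", which is the same text as the SystemAttemptNumber line directly above it. The neighbouring events (EndInstall, EndSearchUpdatePackages) use "The total number of user attempts." for this field, so suggest the same wording here. This event also lists IntentPFNs and AggregatedPackageFullNames after WUContentId rather than in the alphabetical order used by the earlier Store events. Consider re-sorting for consistency.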
+### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
+
+This event happens at the beginning of the install process when an app update or new app is installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **BundleId** The identity of the build associated with this product.
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specific edition ID being installed.
+- **VolumePath** The disk path of the installation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
+
+This event is sent when a product install or update is paused either by a user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The Product Full Name.
+- **PreviousHResult** The result code of the last action performed before this operation.
+- **PreviousInstallState** Previous state before the installation or update was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID
+- **IntentPFNs** The licensing identity of this package.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
+
+This event happens when a product install or update is resumed either by a user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **PreviousHResult** The previous HResult error code.
+- **PreviousInstallState** Previous state before the installation was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector for the original install before it was resumed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID
+- **IntentPFNs** Intent Product Family Name
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **HResult** The result code of the last action performed before this operation.
+- **IsUserRetry** Did the user initiate the retry?
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
+
+This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFamN** The name of the product that is requested for update.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation
+
+This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AttemptNumber** Total number of installation attempts.
+- **BundleId** The identity of the Windows Insider build that is associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Was this requested by a user?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this an automatic restore of a previously acquired product?
+- **IsUpdate** Is this a product update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of all packages to be downloaded and installed.
+- **PreviousHResult** The previous HResult code.
+- **PreviousInstallState** Previous installation state before it was canceled.
+- **ProductId** The name of the package or packages requested for installation.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled.
+- **UserAttemptNumber** Total number of user attempts to install before it was canceled.
+- **WUContentId** The Windows Update content ID
+- **IntentPFNs** Intent Product Family Name
+- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
+
+This event is sent when searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The Store Product ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specfic edition of the app being updated.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
+
+This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
+
+This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure
+
+The following fields are available:
+
+- **CatalogId** The Store Product ID of the app being installed.
+- **HResult** HResult code of the action being performed.
+- **IsBundle** Is this a bundle?
+- **PackageFamilyName** The name of the package being installed.
+- **ProductId** The Store Product ID of the product being installed.
+- **SkuId** Specific edition of the item being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
+
+This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ProductId** The Store Product ID for the product being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+This event is sent at the end of an app install or update and is used to track the very end of the install or update process.
+
+The following fields are available:
+
+- **FailedRetry** Was the installation or update retry successful?
+- **HResult** The HResult code of the operation.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+This event is sent at the beginning of an app install or update and is used to track the very beginning of the install or update process.
+
+The following fields are available:
+
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+## Windows Update Delivery Optimization events
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
+
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **bytesRequested** The total number of bytes requested for download.
+- **cdnConnectionCount** The total number of connections made to the CDN.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **cdnIp** The IP address of the source CDN.
+- **clientTelId** A random number used for device sampling.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
+- **downlinkUsageBps** The download speed (in bytes per second).
+- **downloadMode** The download mode used for this file download session.
+- **fileID** The ID of the file being downloaded.
+- **fileSize** The size of the file being downloaded.
+- **groupConnectionCount** The total number of connections made to peers in the same group.
+- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
+- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **numPeers** The total number of peers used for this download.
+- **restrictedUpload** Is the upload restricted?
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the download session.
+- **totalTimeMs** Duration of the download (in seconds).
+- **updateID** The ID of the update being downloaded.
+- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
+- **uplinkUsageBps** The upload speed (in bytes per second).
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **usedMemoryStream** Did the download use memory streaming?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
+
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **clientTelId** A random number used for device sampling.
+- **errorCode** The error code that was returned.
+- **fileID** The ID of the file being paused.
+- **reasonCode** The reason for pausing the download.
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the download session.
+- **updateID** The ID of the update being paused.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **isVpn** Is the device connected to a Virtual Private Network?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.JobError
+
+This event represents a Windows Update job error. It allows for investigation of top errors.
+
+The following fields are available:
+
+- **clientTelId** A random number used for device sampling.
+- **errorCode** The error code returned.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **jobID** The Windows Update job ID.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
+
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background** Is the download being done in the background?
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **clientTelId** A random number used for device sampling.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **errorCode** The error code that was returned.
+- **experimentId** When running a test, this is used to correlate events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the file download session.
+- **updateID** The ID of the update being downloaded.
+- **usedMemoryStream** Did the download use memory streaming?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
+
+This event describes the start of a new download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background** Is the download a background download?
+- **cdnUrl** The URL of the CDN.
+- **clientTelId** A random number used for device sampling.
+- **deviceProfile** Identifies the usage or form factor. Example: Desktop or Xbox
+- **diceRoll** The dice roll value used in sampling events.
+- **doClientVersion** The version of the Delivery Optimization client.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **downloadMode** The download mode used for this file download session.
+- **errorCode** The error code that was returned.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **filePath** The path where the file will be written.
+- **groupID** ID for the group.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** The ID of the Windows Update job.
+- **minDiskSizeGB** The minimum disk size (in GB) required for Peering.
+- **minDiskSizePolicyEnforced** Is the minimum disk size enforced via policy?
+- **minFileSizePolicy** The minimum content file size policy to allow the download using Peering.
+- **peerID** The ID for this Delivery Optimization client.
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the download session.
+- **updateID** The ID of the update being downloaded.
+- **usedMemoryStream** Did the download use memory streaming?
+- **costFlags** A set of flags representing network cost.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **cdnIp** The IP address of the CDN.
+- **cdnUrl** The URL of the CDN.
+- **clientTelId** A random number used for device sampling.
+- **errorCode** The error code that was returned.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **sessionID** The ID of the download session.
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+
+
+## Windows Update events
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **flightId** The unique identifier for each flight
+- **mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
+- **objectId** Unique value for each Update Agent mode
+- **relatedCV** Correlation vector value generated from the latest scan
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **sessionId** Unique value for each Update Agent mode attempt
+- **updateId** Unique ID for each update
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
+
+This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current initialize phase
+- **flightId** The unique identifier for each flight
+- **flightMetadata** Contains the FlightId and the build being flighted
+- **objectId** Unique value for each Update Agent mode
+- **relatedCV** Correlation vector value generated from the latest USO scan
+- **result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate#N#
+- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios)
+- **sessionId** "Unique value for each Update Agent mode attempt "
+- **updateId** Unique ID for each update
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
+
+This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current session initialization
+- **flightId** The unique identifier for each flight
+- **objectId** The unique GUID for each diagnostics session
+- **relatedCV** A correlation vector value, generated from the latest USO scan
+- **result** Outcome of the initialization of the session
+- **scenarioId** Identifies the Update scenario
+- **sessionId** The unique value for each update session
+- **updateId** The unique identifier for each Update
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
+
+This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current install phase
+- **flightId** The unique identifier for each flight
+- **objectId** Unique value for each Update Agent mode
+- **relatedCV** Correlation vector value generated from the latest scan
+- **result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **sessionId** Unique value for each Update Agent mode attempt
+- **updateId** Unique ID for each update
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
+
+This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+
+The following fields are available:
+
+- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted
+- **errorCode** The error code returned for the current session initialization
+- **flightId** The unique identifier for each flight
+- **objectId** Unique value for each Update Agent mode
+- **packageCountOptional** Number of optional packages requested
+- **packageCountRequired** Number of required packages requested
+- **packageCountTotal** Total number of packages needed
+- **packageCountTotalCanonical** Total number of canonical packages
+- **packageCountTotalDiff** Total number of diff packages
+- **packageCountTotalExpress** Total number of express packages
+- **packageSizeCanonical** Size of canonical packages in bytes
+- **packageSizeDiff** Size of diff packages in bytes
+- **packageSizeExpress** Size of express packages in bytes
+- **rangeRequestState** Represents the state of the download range request
+- **relatedCV** Correlation vector value generated from the latest USO scan
+- **result** Result of the download request phase of update
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **sessionId** Unique value for each Update Agent mode attempt
+- **updateId** Unique ID for each update
+
+
+### Microsoft.Windows.Update.Orchestrator.GameActive
+
+This event indicates that an enabled GameMode process prevented the device from restarting to complete an update
+
+The following fields are available:
+
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **gameModeReason** Name of the enabled GameMode process that prevented the device from restarting to complete an update
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationCompleted
+
+This event sends data collected at the end of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+
+The following fields are available:
+
+- **MigrationDurationInMilliseconds** How long the DMF migration took (in milliseconds)
+- **MigrationEndTime** A system timestamp of when the DMF migration completed.
+- **RevisionNumbers** A collection of revision numbers for the updates associated with the DMF session.
+- **UpdateIds** A collection of GUIDs for updates that are associated with the DMF session.
+- **WuClientId** The GUID of the Windows Update client responsible for triggering the DMF migration
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted
+
+This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+
+The following fields are available:
+
+- **MigrationMicrosoftPhases** Revision numbers for the updates that were installed.
+- **MigrationOEMPhases** WU Update IDs for the updates that were installed.
+- **MigrationStartTime** The timestamp representing the beginning of the DMF migration
+- **WuClientId** The GUID of the Windows Update client invoking DMF
+- **RevisionNumbers** A collection of the revision numbers associated with the UpdateIds.
+- **UpdateIds** A collection of GUIDs identifying the upgrades that are running.
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.MigratorResult
+
+This event sends DMF migrator data to help keep Windows up to date.
+
+The following fields are available:
+
+- **CurrentStep** This is the last step the migrator reported before returning a result. This tells us how far through the individual migrator the device was before failure.
+- **ErrorCode** The result (as an HRESULT) of the migrator that just completed.
+- **MigratorId** A GUID identifying the migrator that just completed.
+- **MigratorName** The name of the migrator that just completed.
+- **RunDurationInSeconds** The time it took for the migrator to complete.
+- **TotalSteps** Migrators report progress in number of completed steps against the total steps. This is the total number of steps.
+
+
+### Microsoft.Windows.Update.Orchestrator.Download
+
+This event sends launch data for a Windows Update download to help keep Windows up to date.
+
+The following fields are available:
+
+- **deferReason** Reason for download not completing
+- **detectionDeferreason** Reason for download not completing
+- **errorCode** An error code represented as a hexadecimal value
+- **eventScenario** End to end update session ID.
+- **flightID** Unique update ID.
+- **interactive** Identifies if session is user initiated.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
+
+This event sends data on whether the update was applicable to the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventPublishedTime** time that the event was generated
+- **revisionNumber** Revision Number of the Update
+- **updateId** Unique Update ID
+- **UpdateStatus** Integer that describes Update state
+- **wuDeviceid** Unique Device ID
+- **flightID** Unique Update ID
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.PostInstall
+
+This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **bundleId** Update grouping ID.
+- **bundleRevisionnumber** Bundle revision number.
+- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **eventScenario** End to end update session ID.
+- **flightID** Unique update ID.
+- **sessionType** Interactive vs. Background.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.RebootFailed
+
+This event sends information about whether an update required a reboot and reasons for failure to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **deferReason** Reason for install not completing.
+- **EventPublishedTime** The time that the reboot failure occurred.
+- **flightID** Unique update ID.
+- **installRebootDeferreason** Reason for reboot not occurring.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **configuredPoliciescount** Policy Count
+- **policiesNamevaluesource** Policy Name
+- **policyCacherefreshtime** Refresh time
+- **updateInstalluxsetting** This shows whether a user has set policies via UX option
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
+
+This event sends data about whether an update required a reboot to help keep Windows up to date.
+
+The following fields are available:
+
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightID** Unique update ID.
+- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
+
+This event sends data about a required reboot that is scheduled with no user interaction, to help keep Windows up to date.
+
+The following fields are available:
+
+- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise.
+- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
+- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise.
+- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
+- **revisionNumber** Revision number of the update that is getting installed with this reboot.
+- **scheduledRebootTime** Time of the scheduled reboot
+- **updateId** Update ID of the update that is getting installed with this reboot.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **rebootState** The state of the reboot.
+
+
+### Microsoft.Windows.Update.Orchestrator.Detection
+
+This event sends launch data for a Windows Update scan to help keep Windows up to date.
+
+The following fields are available:
+
+- **deferReason** Reason why the device could not check for updates.
+- **detectionBlockreason** Reason for detection not completing.
+- **detectionDeferreason** A log of deferral reasons for every update state.
+- **errorCode** The returned error code.
+- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **flightID** A unique update ID.
+- **interactive** Identifies if session is User Initiated.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
+
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventPublishedTime** Time of the event.
+- **revisionNumber** Revision number of the update.
+- **updateId** Update ID.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightID** Unique update ID
+- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
+
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **activeHoursApplicable** Is the restart respecting Active Hours?
+- **rebootArgument** The arguments that are passed to the OS for the restarted.
+- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours?
+- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device.
+- **rebootState** The state of the restart.
+- **revisionNumber** The revision number of the OS being updated.
+- **scheduledRebootTime** Time of the scheduled reboot
+- **updateId** The Windows Update device GUID.
+- **wuDeviceid** The Windows Update device GUID.
+- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
+
+This event is sent when a security update has successfully completed.
+
+The following fields are available:
+
+- **UtcTime** The Coordinated Universal Time that the restart was no longer needed.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot
+
+This event is sent when a toast notification is shown to the user about scheduling a device restart.
+
+The following fields are available:
+
+- **UtcTime** The Coordinated Universal Time when the toast notification was shown.
+
+
+### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
+
+This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+
+The following fields are available:
+
+- **RebootTaskRestoredTime** Time at which this reboot task was restored.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **wuDeviceid** Device id on which the reboot is restored
+
+
+### Microsoft.Windows.Update.Orchestrator.SystemNeeded
+
+This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+
+The following fields are available:
+
+- **eventScenario** End to end update session ID.
+- **revisionNumber** Update revision number.
+- **systemNeededReason** Reason ID
+- **updateId** Update ID.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates
+
+This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date.
+
+The following fields are available:
+
+- **BspVersion** The version of the BSP.
+- **CallerApplicationName** The name of the USS scheduled task. Example UssScheduled or UssBoot
+- **ClientVersion** The version of the client.
+- **CommercializationOperator** The name of the operator.
+- **DetectionVersion** The string returned from the GetDetectionVersion export of the downloaded detection DLL.
+- **DeviceName** The name of the device.
+- **EventInstanceID** The USS session ID.
+- **EventScenario** The scenario of the event. Example: Started, Failed, or Succeeded
+- **OemName** The name of the manufacturer.
+- **ServiceGuid** The GUID of the service.
+- **StatusCode** The HRESULT code of the operation.
+- **WUDeviceID** The Windows Update device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.CommitFailed
+
+This events tracks when a device needs to restart after an update but did not.
+
+The following fields are available:
+
+- **errorCode** The error code that was returned.
+- **wuDeviceid** The Windows Update device GUID.
+
+
+### Microsoft.Windows.Update.Orchestrator.Install
+
+This event sends launch data for a Windows Update install to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **deferReason** Reason for install not completing.
+- **eventScenario** End to end update session ID.
+- **interactive** Identifies if session is user initiated.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightUpdate** Flight update
+- **installRebootinitiatetime** The time it took for a reboot to be attempted.
+- **minutesToCommit** The time it took to install updates.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **errorCode** The error code reppresented by a hexadecimal value.
+- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
+- **flightID** Unique update ID
+- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
+
+This event is generated right before the shutdown and commit operations
+
+The following fields are available:
+
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### Microsoft.Windows.Update.Orchestrator.DeferRestart
+
+This event indicates that a restart required for installing updates was postponed
+
+The following fields are available:
+
+- **filteredDeferReason** Indicates the raised, but ignorable, reasons that the USO didn't restart (for example, user active or low battery)
+- **raisedDeferReason** Indicates the reason that the USO didn't restart. For example, user active or low battery
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+
+
+### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
+
+Reboot postponed due to needing a display
+
+The following fields are available:
+
+- **displayNeededReason** Reason the display is needed
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date
+- **revisionNumber** Revision number of the update
+- **updateId** Update ID
+- **updateScenarioType** The update session type
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### Microsoft.Windows.Update.NotificationUx.RebootScheduled
+
+Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update
+
+The following fields are available:
+
+- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action
+- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise
+- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically
+- **rebootState** The state of the reboot
+- **revisionNumber** Revision number of the update that is getting installed with this reboot
+- **scheduledRebootTime** Time of the scheduled reboot
+- **updateId** ID of the update that is getting installed with this reboot
+- **wuDeviceid** Unique device ID used by Windows Update
+- **scheduledRebootTimeInUTC** Time of the scheduled reboot in Coordinated Universal Time
\ No newline at end of file
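Review bot: In the Microsoft.Windows.Update.Orchestrator.Install field list, **eventScenario** is described as "End to end update session ID", but the DeferRestart and DisplayNeeded lists later in this same hunk describe that field as the purpose of sending the event (started, cancelled, succeeded, or failed); reconcile the two descriptions. While here, fix "This events tracks" in the CommitFailed description and "reppresented" in the Install **errorCode** entry, say how a reader tells which unit **batteryLevel** is reported in ("mWh or percentage" is ambiguous), and end the file with a newline.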
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index a3cedc09a0..f2d6cf6527 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -8,25 +8,45 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jdeckerms
-ms.date: 09/25/2017
+ms.date: 10/20/2017
---
# Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## October 2017
+
+New or changed topic | Description
+--- | ---
+[Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access | Removed **Guidelines for using Remote Desktop app**; the behavior for Remote Desktop has changed so that it's no longer necessary to turn off **Start connections in full screen** for assigned access.
+
+
+## RELEASE: Windows 10, version 1709
+
+The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). The following new topics have been added:
+
+- [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
+- [Multi-app kiosk XML reference](multi-app-kiosk-xml.md)
+- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
+- [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](EventName.md)
+
+
## September 2017
|New or changed topic | Description|
|--- | ---|
|[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|New conceptual info about Windows 10 and the upcoming GDPR-compliance requirements.|
|[Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added that Windows Spotlight can be managed by the Experience/AllowWindowsSpotlight MDM policy. |
+
+
## August 2017
|New or changed topic | Description|
|--- | ---|
|[Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) | New section; reference content from [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx) is being relocated here from MSDN. |
+
## July 2017
| New or changed topic | Description |
| --- | --- |
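Review bot: The October 2017 row for guidelines-for-assigned-access-app.md has three cells in a two-column table, so the "Removed **Guidelines for using Remote Desktop app**" text falls outside the Description column; fold it into the Description cell. The new table also drops the leading and trailing pipes that the September, August, and July tables use, and the last bullet under the version 1709 release links to `EventName.md`, whose name does not follow the lowercase, descriptive file names of the other links; confirm that is the intended target.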
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 0d49be3b9d..4918e14ecb 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -300,4 +300,4 @@ The resulting taskbar for computers in any other country region:
- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=configure-windows-10-taskbar.md).
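Review bot: The first context line of this hunk still reads "tasbkar" in the link text "Customize Windows 10 Start and tasbkar with mobile device management (MDM)"; since the change already touches the related-topics footer, correct it to "taskbar" in the same commit.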
diff --git a/windows/configuration/configure-windows-telemetry-in-your-organization.md b/windows/configuration/configure-windows-telemetry-in-your-organization.md
index cca1fc3f33..8dd61480ff 100644
--- a/windows/configuration/configure-windows-telemetry-in-your-organization.md
+++ b/windows/configuration/configure-windows-telemetry-in-your-organization.md
@@ -16,7 +16,7 @@ author: brianlic-msft
- Windows 10
- Windows 10 Mobile
-- Windows Server 2016
+- Windows Server
At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating system’s development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how.
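Review bot: Changing the applies-to entry to "Windows Server" leaves the body inconsistent, because later hunks in this file still read "Windows 10 and Windows Server 2016 includes the Connected User Experience and Telemetry component" and limit the **Security** level to "Windows Server 2016". Either state which Windows Server versions the topic covers or update those references to match.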
@@ -27,15 +27,15 @@ To frame a discussion about telemetry, it is important to understand Microsoft
- **Security.** We encrypt telemetry in transit from your device and protect that data at our secure data centers.
- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows telemetry system. Customer content inadvertently collected is kept confidential and not used for user targeting.
-- **Benefits to you.** We collect Windows telemetry to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all of our customers.
+- **Benefits to you.** We collect Windows telemetry to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
This article applies to Windows and Windows Server telemetry only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, telemetry controls, and so on. This article describes the types of telemetry we may gather, the ways you might manage it in your organization, and some examples of how telemetry can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
-Use this article to make informed decisions about how you might configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
+Use this article to make informed decisions about how you might configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=configure-windows-telemetry-in-your-organization.md).
## Overview
@@ -85,7 +85,8 @@ Windows and Windows Server telemetry gives every user a voice in the operating s
Our ability to collect telemetry that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Telemetry helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
-A real-world example of how Windows telemetry helps us quickly identify and fix issues is a particular version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
+#### Real-world example of how Windows telemetry helps
+There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
### Improve end-user productivity
@@ -130,7 +131,7 @@ Windows 10 and Windows Server 2016 includes the Connected User Experience and Te
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
-3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings.
+3. You can configure the telemetry level by using MDM policy, Group Policy, or registry settings.
4. The Connected User Experience and Telemetry component transmits the telemetry data.
Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
@@ -154,16 +155,14 @@ The following table defines the endpoints for telemetry services:
### Data use and access
-The principle of least privileged access guides access to telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third party partners that include aggregated and anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+The principle of least privileged access guides access to telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
-Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
+Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
## Telemetry levels
-
-
-This section explains the different telemetry levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
+This section explains the different telemetry levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
The telemetry data is categorized into four levels:
@@ -188,8 +187,6 @@ The Security level gathers only the telemetry info that is required to keep Wind
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered.
-
-
The data gathered at this level includes:
- **Connected User Experience and Telemetry component settings**. If general telemetry data has been gathered and is queued, it is sent to Microsoft. Along with this telemetry, the Connected User Experience and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experience and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
@@ -199,16 +196,12 @@ The data gathered at this level includes:
> [!NOTE]
> You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
-
-
- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
> [!NOTE]
- > This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
+ > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
- Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
-
-
+ Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
@@ -216,7 +209,7 @@ No user content, such as user files or communications, is gathered at the **Secu
### Basic level
-The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
+The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
The normal upload range for the Basic telemetry level is between 109 KB - 159 KB per day, per device.
@@ -279,11 +272,40 @@ The data gathered at this level includes:
- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
-If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experience and Telemetry component at the **Enhanced** telemetry level will only gather data about the events associated with the specific issue.
+If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experience and Telemetry component at the **Enhanced** telemetry level will only gather data about the events associated with the specific issue.
+
+#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics
+Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**.
+
+In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
+
+- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/eventname) topic.
+
+- **Some crash dump types.** All crash dump types, except for heap and full dumps.
+
+**To turn on this behavior for devices**
+
+1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM.
+
+ a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**.
+
+ -OR-
+
+ b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**.
+
+ -AND-
+
+2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
+
+ a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**.
+
+ -OR-
+
+ b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**.
### Full level
-The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels.
+The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels.
Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
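Review bot: The new procedure does not say what happens when **LimitEnhancedDiagnosticDataWindowsAnalytics** is enabled while the level is anything other than **Enhanced** (2); state whether the setting is ignored at the other levels so an admin can tell what a partial configuration actually sends. The Group Policy path is also spelled two ways ("Data Collection and Preview Builds" in step 1a, "Data collection and Preview builds" in step 2a), and the "-AND-" between steps 1 and 2 is redundant in a numbered list. The first -/+ pair in the hunk shows no visible text change; if it is whitespace only, note that in the commit message or drop it.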
@@ -301,7 +323,7 @@ However, before more data is gathered, Microsoft’s privacy governance team, in
Sharing telemetry data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the telemetry level and managing specific components is the best option.
-Customers can set the telemetry level in both the user interface and with existing management tools. Users can change the telemetry level in the **Diagnostic and usage data** setting. In the Settings app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available.
+Customers can set the telemetry level in both the user interface and with existing management tools. Users can change the telemetry level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available.
IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a telemetry level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security telemetry level is available when managing the policy. Setting the telemetry level through policy overrides users’ choices. The remainder of this section describes how to do that.
@@ -347,7 +369,7 @@ Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/
### Use Registry Editor to set the telemetry level
-Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
+Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
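Review bot: The rewritten sentence "manually set the registry level on each device in your organization or you can write a script to edit the registry" is a run-on that reads worse than the line it replaces; keep the original comma form. Consider also changing "registry level" to "telemetry level", which is the term the section heading uses.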
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index 7630406f0d..1475e42e38 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index 61bf864982..acf462f7e1 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Send feedback about Cortana at work back to Microsoft
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index bffa8f1644..554f55e3eb 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Set up and test Cortana with Office 365 in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 2a3d087da8..e492f9e0bd 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Cortana integration in your business or enterprise
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 5dd38b8ec8..ff0dbc4457 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 1eef8c58d2..3859197f3d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Set up and test Cortana for Power BI in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 3d96f92396..c319ce2fc7 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index d51d5c4c88..43fcd17368 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 2 - Perform a quick search with Cortana at work
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index b04d11d615..9813519fad 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 3 - Set a reminder for a specific location using Cortana at work
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index df57f9ca9d..dd43c46b35 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 4 - Use Cortana at work to find your upcoming meetings
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 8306c2143a..ccc50a9ebe 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 5 - Use Cortana to send email to a co-worker
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index 1274f67445..c553334d54 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index 051d96937f..6b2b437b4e 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index 070192c8e0..2fa3e6637d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Testing scenarios using Cortana in your business or organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 0738115be9..2f73ac7fb5 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Set up and test custom voice commands in Cortana for your organization
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 2d87c06e2e..b7631a4285 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -170,7 +170,7 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=customize-and-export-start-layout.md).
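Review bot: The replacement Feedback Hub link hard-codes the file name in `topic=customize-and-export-start-layout.md`, so the URI silently goes stale if this topic is renamed; a short comment or a shared include would make that dependency visible. The same line also changes the scheme form from `feedback-hub:?` to `feedback-hub://?`, which is worth confirming still launches the app on the Windows 10 versions this topic applies to.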
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index d910aee65f..7c62a1cfd4 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
+ms.author: jdecker
+ms.date: 10/05/2017
---
# Customize Windows 10 Start and taskbar with Group Policy
@@ -128,7 +130,7 @@ After you use Group Policy to apply a customized Start and taskbar layout on a c
- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=customize-windows-10-start-screens-by-using-group-policy.md).
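Review bot: The context line two above the edited footer still reads "Customize Windows 10 Start and tasbkar with mobile device management (MDM)"; since the related-topics block is being touched, correct "tasbkar" to "taskbar" here (the same misspelled link text appears in the context of customize-and-export-start-layout.md).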
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index c4a13cef3a..18f215ad22 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -100,7 +100,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
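Review bot: Step 12, directly below the changed line, still names the tool "Windows Imaging and Configuration Designer (ICD)" while the section this hunk sits in opens with "Use the Windows Configuration Designer tool". Since the button label is being updated to match the current UI (**Browse**), the tool name in step 12 should be brought in line in the same pass.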
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index 963f69e6ae..2a03f2bf72 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.author: jdecker
-ms.date: 06/29/2017
+ms.date: 10/20/2017
---
# Guidelines for choosing an app for assigned access (kiosk mode)
@@ -31,11 +31,7 @@ The following guidelines may help you choose an appropriate Windows app for your
- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) cannot be used as kiosk apps.
-## Guidelines for using Remote Desktop app
-Kiosk apps open in full screen. When you assign [Remote Desktop](https://www.microsoft.com/store/apps/9wzdncrfj3ps) as the kiosk app, make sure the **Start connections in full screen** setting in the Remote Desktop app is set to **Off**.
-
-
## Guidelines for Windows apps that launch other apps
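Review bot: The "Guidelines for using Remote Desktop app" section is deleted with nothing in its place, so a reader can no longer tell whether Remote Desktop is still an acceptable kiosk app or whether the **Start connections in full screen** setting still matters. If Remote Desktop is no longer supported for assigned access, add it to the list of apps that cannot be used above; if it is, keep the guidance or link to where it moved.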
diff --git a/windows/configuration/images/multiappassignedaccesssettings.png b/windows/configuration/images/multiappassignedaccesssettings.png
new file mode 100644
index 0000000000..86e2e0a451
Binary files /dev/null and b/windows/configuration/images/multiappassignedaccesssettings.png differ
diff --git a/windows/configuration/images/profile-config.png b/windows/configuration/images/profile-config.png
new file mode 100644
index 0000000000..30a7468dcf
Binary files /dev/null and b/windows/configuration/images/profile-config.png differ
diff --git a/windows/configuration/images/sample-start.png b/windows/configuration/images/sample-start.png
new file mode 100644
index 0000000000..8ef9cc928c
Binary files /dev/null and b/windows/configuration/images/sample-start.png differ
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index 93aa72ed2a..d3e9db3364 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -19,8 +19,10 @@ Enterprises often need to apply custom configurations to devices for their users
| Topic | Description |
| --- | --- |
| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
-| [Basic level Windows diagnostic data](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
-| [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703. |
+| [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1709. |
+|[Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](EventName.md)|Learn about diagnostic data that is collected by Windows Analytics.|
+| [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
+| [Windows 10 diagnostic data for the Full telemetry level](windows-diagnostic-data.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703 and later. |
|[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|Learn about Windows 10 and the upcoming GDPR-compliance requirements.|
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
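Review bot: The new Windows Analytics row links to `EventName.md`, which reads like a template placeholder rather than a real topic file name, and unlike the neighbouring rows it carries no version or subject in the path. Confirm the target exists under that name or rename it to something descriptive. The new "Full telemetry level" row also keeps the phrase "the types of data that is collected", which should be "that are collected".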
diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md
index 21d8d0d394..420e550a78 100644
--- a/windows/configuration/kiosk-shared-pc.md
+++ b/windows/configuration/kiosk-shared-pc.md
@@ -20,4 +20,4 @@ Some desktop devices in an enterprise serve a special purpose, such as a common
| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. |
-| [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
\ No newline at end of file
+| [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
\ No newline at end of file
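Review bot: Only the link title of the last row changes; the description still says "a device running Windows 10 Enterprise or Windows 10 Education", while the retitled target topic in this patch lists Windows 10 S, Pro, Enterprise, or Education, version 1709, as prerequisites. Update the description to match, and consider adding a row for the new lock-down-windows-10-applocker.md topic, which is not linked from this table. The file also still ends without a trailing newline.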
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md
new file mode 100644
index 0000000000..d4422e7212
--- /dev/null
+++ b/windows/configuration/lock-down-windows-10-applocker.md
@@ -0,0 +1,121 @@
+---
+title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps (Windows 10)
+description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
+ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
+keywords: ["lockdown", "app restrictions", "applocker"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: edu, security
+author: jdeckerms
+ms.localizationpriority: high
+ms.date: 10/05/2017
+ms.author: jdecker
+---
+
+# Use AppLocker to create a Windows 10 kiosk that runs multiple apps
+
+
+**Applies to**
+
+- Windows 10
+
+Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
+
+>[!NOTE]
+>For devices running Windows 10, version 1709, we recommend the [multi-app kiosk method](lock-down-windows-10-to-specific-apps.md).
+
+You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
+
+AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
+
+This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
+
+
+
+## Install apps
+
+
+First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
+
+## Use AppLocker to set rules for apps
+
+
+After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
+
+1. Run Local Security Policy (secpol.msc) as an administrator.
+
+2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**.
+
+ 
+
+3. Check **Configured** under **Executable rules**, and then click **OK**.
+
+4. Right-click **Executable Rules** and then click **Automatically generate rules**.
+
+ 
+
+5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
+
+6. Type a name to identify this set of rules, and then click **Next**.
+
+7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
+
+8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
+
+9. Read the message and click **Yes**.
+
+ 
+
+10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
+
+11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
+
+12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
+
+ ``` syntax
+ sc config appidsvc start=auto
+ ```
+
+13. Restart the device.
+
+## Other settings to lock down
+
+
+In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
+
+- Remove **All apps**.
+
+ Go to **Group Policy Editor** > **User Configuration** > **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
+
+- Hide **Ease of access** feature on the logon screen.
+
+ Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools.
+
+- Disable the hardware power button.
+
+ Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
+
+- Disable the camera.
+
+ Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
+
+- Turn off app notifications on the lock screen.
+
+ Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
+
+- Disable removable media.
+
+ Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
+
+ **Note**
+ To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
+
+
+
+To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
+
+## Customize Start screen layout for the device (recommended)
+
+
+Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
\ No newline at end of file
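Review bot: Step 12 gives `sc config appidsvc start=auto`, but documented sc.exe syntax puts a space between an option and its value (`start= auto`), and the step itself states that AppLocker does not enforce rules until the Application Identity service is on. Verify the command on the builds this topic targets (version 1703 and earlier) and add a step to confirm the service is running after the restart, otherwise a failed command leaves the kiosk unrestricted without any visible error. Also, "automatically start on reset" presumably means "on restart". Separately, `ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8` is identical to the asset ID that lock-down-windows-10-to-specific-apps.md keeps in this same patch, so the new file needs its own ID, and the intro links the kiosk topic as `set-up-a-device-for-anyone-to-use.md` while the rewritten multi-app topic uses `set-up-a-kiosk-for-windows-10-for-desktop-editions.md`.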
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 445d25bf22..cb4884a6d9 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -1,6 +1,6 @@
---
-title: Lock down Windows 10 to specific apps (Windows 10)
-description: Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
+title: Create a Windows 10 kiosk that runs multiple apps (Windows 10)
+description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
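Review bot: The title and description now describe a multi-app kiosk, but the unchanged `keywords: ["lockdown", "app restrictions", "applocker"]` line still reflects the old AppLocker-based content that this patch moves to lock-down-windows-10-applocker.md. Add terms such as "kiosk" and "assigned access" so search metadata matches the new topic, and give one of the two files a fresh `ms.assetid`, since both now carry 14DDDC96-88C7-4181-8415-B371F25726C8.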
@@ -9,120 +9,605 @@ ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
+ms.date: 10/05/2017
+ms.author: jdecker
---
-# Lock down Windows 10 to specific apps
+# Create a Windows 10 kiosk that runs multiple apps
**Applies to**
- Windows 10
->For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package.
-Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
+>[!NOTE]
+>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
-You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
+The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access.
-AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
-
-This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
-
-
-
-## Install apps
+>[!WARNING]
+>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
-First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
+Process:
+1. [Create XML file](#create-xml-file)
+2. [Add XML file to provisioning package](#add-xml)
+3. [Apply provisioning package to device](#apply-ppkg)
-## Use AppLocker to set rules for apps
+If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge).
+
+## Prerequisites
+
+- Windows Configuration Designer (Windows 10, version 1709)
+- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709
-After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
+## Create XML file
-1. Run Local Security Policy (secpol.msc) as an administrator.
+Let's start by looking at the basic structure of the XML file.
-2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**.
+- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.
- 
+- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**.
-3. Check **Configured** under **Executable rules**, and then click **OK**.
+- Multiple config sections can be associated to the same profile.
-4. Right-click **Executable Rules** and then click **Automatically generate rules**.
+- A profile has no effect if it’s not associated to a config section.
- 
+ 
+
+You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic.
-5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
-6. Type a name to identify this set of rules, and then click **Next**.
+### Profile
-7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
+A profile section in the XML has the following entries:
-8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
+- [**Id**](#id)
-9. Read the message and click **Yes**.
+- [**AllowedApps**](#allowedapps)
- 
+- [**StartLayout**](#startlayout)
-10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
-
-11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
-
-12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
-
- ``` syntax
- sc config appidsvc start=auto
- ```
-
-13. Restart the device.
-
-## Other settings to lock down
+- [**Taskbar**](#taskbar)
-In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
+#### Id
-- Remove **All apps**.
+The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
- Go to **Group Policy Editor** > **User Configuration** > **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
+```xml
+
+ …
+
+```
-- Hide **Ease of access** feature on the logon screen.
+#### AllowedApps
- Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools.
+**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps.
-- Disable the hardware power button.
+Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration.
- Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
+>[!NOTE]
+>You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid applying AppLocker rules to devices running the multi-app kiosk configuration.
-- Disable the camera.
+- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout).
+- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
- Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
+Here are the predefined assigned access AppLocker rules for **UWP apps**:
-- Turn off app notifications on the lock screen.
+1. Default rule is to allow all users to launch the signed package apps.
+2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list.
- Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
+ >[!NOTE]
+ >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
-- Disable removable media.
+Here are the predefined assigned access AppLocker rules for **desktop apps**:
- Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
+1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
+2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration.
+3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.
- **Note**
- To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
+The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device.
-
+```xml
+
+
+
+
+
+
+
+
+
+
+
+```
-To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
+#### StartLayout
-## Customize Start screen layout for the device (recommended)
+After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
+
+The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md).
+
+A few things to note here:
+
+- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration.
+- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout.
+- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration.
+- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files).
+
+This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start.
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+```
+
+>[!NOTE]
+>If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen.
-Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
+
+
+#### Taskbar
+
+Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
+
+The following example exposes the taskbar to the end user:
+
+```xml
+
+```
+
+The following example hides the taskbar:
+
+```xml
+
+```
+
+>[!NOTE]
+>This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
+
+### Configs
+
+Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.
+
+The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in.
-
-
+The account can be local, domain, or Azure Active Directory (Azure AD). Groups are not supported.
+- Local account can be entered as `machinename\account` or `.\account` or just `account`.
+- Domain account should be entered as `domain\account`.
+- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided AS IS (consider it’s a fixed domain name), then follow with the Azure AD email address, e.g. **AzureAD\someone@contoso.onmicrosoft.com**.
+
+>[!WARNING]
+>Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
+
+
+Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
+
+>[!NOTE]
+>For both domain and Azure AD accounts, it’s not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
+
+
+```xml
+
+
+ MultiAppKioskUser
+
+
+
+```
+
+
+
+
+## Add XML file to provisioning package
+
+Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](multi-app-kiosk-xml.md#xsd-for-assignedaccess-configuration-xml).
+
+Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
+
+>[!IMPORTANT]
+>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
+
+2. Choose **Advanced provisioning**.
+
+3. Name your project, and click **Next**.
+
+4. Choose **All Windows desktop editions** and click **Next**.
+
+5. On **New project**, click **Finish**. The workspace for your package opens.
+
+6. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**.
+
+7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created.
+
+ 
+
+8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
+
+8. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
+
+8. On the **File** menu, select **Save.**
+
+9. On the **Export** menu, select **Provisioning package**.
+
+10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+
+11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
+
+12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
+
+ Optionally, you can click **Browse** to change the default output location.
+
+13. Click **Next**.
+
+14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
+
+ If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+
+ If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+15. Copy the provisioning package to the root directory of a USB drive.
+
+
+## Apply provisioning package to device
+
+Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
+
+
+### During initial setup, from a USB drive
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+ 
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+ 
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ 
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+ 
+
+5. Select **Yes, add it**.
+
+ 
+
+
+
+### After setup, from a USB drive, network folder, or SharePoint site
+
+1. Sign in with an admin account.
+2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
+
+>[!NOTE]
+>if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
+
+
+
+
+
+### Validate provisioning
+
+- Go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device, including the one you applied for the multi-app configuration.
+- Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
+
+
+
+## Use MDM to deploy the multi-app configuration
+
+
+Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML.
+
+If your device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely.
+
+The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`.
+
+
+
+## Use MDM Bridge WMI Provider to configure assigned access
+
+Environments that use WMI can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess.
+
+Here’s an example to set AssignedAccess configuration:
+
+1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx).
+2. Run `psexec.exe -i -s cmd.exe`.
+3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
+4. Execute the following script:
+
+```ps
+$nameSpaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.Configuration = @"
+<?xml version="1.0" encoding="utf-8" ?>
+<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
+ <Profiles>
+ <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
+ <AllAppsList>
+ <AllowedApps>
+ <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ <App DesktopAppPath="%windir%\system32\mspaint.exe" />
+ <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
+ </AllowedApps>
+ </AllAppsList>
+ <StartLayout>
+ <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <LayoutOptions StartTileGroupCellWidth="6" />
+ <DefaultLayoutOverride>
+ <StartLayoutCollection>
+ <defaultlayout:StartLayout GroupCellWidth="6">
+ <start:Group Name="Group1">
+ <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ </start:Group>
+ <start:Group Name="Group2">
+ <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
+ <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
+ </start:Group>
+ </defaultlayout:StartLayout>
+ </StartLayoutCollection>
+ </DefaultLayoutOverride>
+ </LayoutModificationTemplate>
+ ]]>
+ </StartLayout>
+ <Taskbar ShowTaskbar="true"/>
+ </Profile>
+ </Profiles>
+ <Configs>
+ <Config>
+ <Account>MultiAppKioskUser</Account>
+ <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
+ </Config>
+ </Configs>
+</AssignedAccessConfiguration>
+"@
+
+Set-CimInstance -CimInstance $obj
+```
+
+
+## Validate multi-app kiosk configuration
+
+Sign in with the assigned access user account you specified in the configuration to check out the multi-app experience.
+
+>[!NOTE]
+>The setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
+
+The following sections explain what to expect on a multi-app kiosk.
+
+### App launching and switching experience
+
+In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.
+
+The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar.
+
+### Start changes
+
+When the assigned access user signs in, you should see a restricted Start experience:
+- Start gets launched in full screen and prevents the end user from accessing the desktop.
+- Start shows the layout aligned with what you defined in the multi-app configuration XML.
+- Start prevents the end user from changing the tile layout.
+ - The user cannot resize, reposition, and unpin the tiles.
+ - The user cannot pin additional tiles on the start.
+- Start hides **All Apps** list.
+- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders).
+- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).)
+- Start hides **Change account settings** option under **User** button.
+
+### Taskbar changes
+
+If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience:
+- Disables context menu of Start button (Quick Link)
+- Disables context menu of taskbar
+- Prevents the end user from changing the taskbar
+- Disables Cortana and Search Windows
+- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace
+- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings
+
+### Blocked hotkeys
+
+The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience.
+
+| Hotkey | Action |
+| --- | --- |
+| Windows logo key + A | Open Action center |
+| Windows logo key + Shift + C | Open Cortana in listening mode |
+| Windows logo key + D | Display and hide the desktop |
+| Windows logo key + Alt + D | Display and hide the date and time on the desktop |
+| Windows logo key + E | Open File Explorer |
+| Windows logo key + F | Open Feedback Hub |
+| Windows logo key + G | Open Game bar when a game is open |
+| Windows logo key + I | Open Settings |
+| Windows logo key + J | Set focus to a Windows tip when one is available. |
+| Windows logo key + O | Lock device orientation |
+| Windows logo key + Q | Open search |
+| Windows logo key + R | Open the Run dialog box |
+| Windows logo key + S | Open search |
+| Windows logo key + X | Open the Quick Link menu |
+| Windows logo key + comma (,) | Temporarily peek at the desktop |
+| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
+
+
+
+### Locked-down Ctrl+Alt+Del screen
+
+The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.
+
+### Auto-trigger touch keyboard
+
+In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior.
+
+## Considerations for Windows Mixed Reality immersive headsets
+
+
+With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps.
+
+To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the [AllowedApps list](#allowedapps):
+
+```xml
+
+
+
+```
+
+These are in addition to any mixed reality apps that you allow.
+
+**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user would not have permissions to download and so their setup of the Mixed Reality Portal would fail.
+
+After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers.
+
+There is a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they will see only a blank display in the device, and will not have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
+
+
+## Policies set by multi-app kiosk configuration
+
+It is not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience.
+
+When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device.
+
+
+### Group Policy
+
+The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users.
+
+| Setting | Value |
+| --- | --- |
+Remove access to the context menus for the task bar | Enabled
+Clear history of recently opened documents on exit | Enabled
+Prevent users from customizing their Start Screen | Enabled
+Prevent users from uninstalling applications from Start | Enabled
+Remove All Programs list from the Start menu | Enabled
+Remove Run menu from Start Menu | Enabled
+Disable showing balloon notifications as toast | Enabled
+Do not allow pinning items in Jump Lists | Enabled
+Do not allow pinning programs to the Taskbar | Enabled
+Do not display or track items in Jump Lists from remote locations | Enabled
+Remove Notifications and Action Center | Enabled
+Lock all taskbar settings | Enabled
+Lock the Taskbar | Enabled
+Prevent users from adding or removing toolbars | Enabled
+Prevent users from resizing the taskbar | Enabled
+Remove frequent programs list from the Start Menu | Enabled
+Remove Pinned programs from the taskbar | Enabled
+Remove the Security and Maintenance icon | Enabled
+Turn off all balloon notifications | Enabled
+Turn off feature advertisement balloon notifications | Enabled
+Turn off toast notifications | Enabled
+Remove Task Manager | Enabled
+Remove Change Password option in Security Options UI | Enabled
+Remove Sign Out option in Security Options UI | Enabled
+Remove All Programs list from the Start Menu | Enabled – Remove and disable setting
+Prevent access to drives from My Computer | Enabled - Restrict all drivers**Note:** Users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
+
+
+
+
+
+### MDM policy
+
+
+Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide).
+
+Setting | Value | System-wide
+ --- | --- | ---
+[Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes
+[Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+Start/HidePeopleBar | 1 - True (hide) | No
+[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes
+[WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes
+[Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
+[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes
+
+
+## Provision .lnk files using Windows Configuration Designer
+
+First, create your desktop app's shortcut file by installing the app on a test device. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `.lnk`
+
+Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install.
+
+```
+msiexec /I ".msi" /qn /norestart
+copy .lnk "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\.lnk"
+```
+
+In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceContext**:
+
+- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file
+- Under **CommandLine**, enter cmd /c *FileName*.bat
+
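Review bot: In the Group Policy table, the last row's value reads "Enabled - Restrict all drivers" where the policy is about drives, and its explanatory note is fused onto the value cell ("drivers**Note:**") and contains the typo "expalining". The row just above it repeats "Remove All Programs list from the Start menu" from earlier in the same table with a different value ("Enabled – Remove and disable setting"). Please correct the wording, move the note out of the cell, and keep a single row for that policy. In "Add XML file to provisioning package" the step numbers repeat (three steps numbered 8, two numbered 15), so renumber them. In the MDM Bridge WMI section, step 2 has the admin run `psexec.exe -i -s cmd.exe` without saying that this opens an interactive shell as the SYSTEM account; add a sentence on why that context is needed and tell the reader to close the prompt afterwards. In the embedded sample, Notepad is allowed by the hard-coded path `C:\Windows\System32\notepad.exe` while Paint on the line above uses `%windir%`; use the variable form for both so the allow list does not depend on the install drive. Smaller items: "mult-app" in the AllowedApps paragraph, and "(i.e. %systemroot%, %windir%)" should be "e.g.".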
diff --git a/windows/configuration/lock-down-windows-10.md b/windows/configuration/lock-down-windows-10.md
deleted file mode 100644
index 0bcecb6b1a..0000000000
--- a/windows/configuration/lock-down-windows-10.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Lock down Windows 10 (Windows 10)
-description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
-ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D
-keywords: lockdown
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security, mobile
-author: jdeckerms
-ms.localizationpriority: high
----
-
-# Lock down Windows 10
-
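Review bot: lock-down-windows-10.md is removed outright, and the lines shown here carry no redirect or table-of-contents change for it. The deleted page held only front matter and an H1, so removing it is reasonable, but before merging confirm that the TOC and any pages linking to this file are updated or that a redirect to the replacement topic is in place.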
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 8b9ecee3ff..d2e0d0d76d 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -31,7 +31,7 @@ To help make it easier to deploy settings to restrict connections from Windows 1
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
## What's new in Windows 10, version 1703
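Review bot: The new Feedback Hub link embeds the topic's own file name in `topic=manage-connections-from-windows-operating-system-components-to-microsoft-services.md`, so the parameter silently goes stale if the file is ever renamed. Consider generating it from page metadata, or at least record the dependency so a rename updates both places.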
diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md
new file mode 100644
index 0000000000..6885f2b2f7
--- /dev/null
+++ b/windows/configuration/multi-app-kiosk-troubleshoot.md
@@ -0,0 +1,49 @@
+---
+title: Troubleshoot multi-app kiosk (Windows 10)
+description: Tips for troubleshooting multi-app kiosk configuration.
+ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
+keywords: ["lockdown", "app restrictions"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: edu, security
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 10/05/2017
+ms.author: jdecker
+---
+
+# Troubleshoot multi-app kiosk
+
+
+**Applies to**
+
+- Windows 10
+
+## Unexpected results
+
+For example:
+- Start is not launched in full-screen
+- Blocked hotkeys are allowed
+- Task Manager, Cortana, or Settings can be launched
+- Start layout has more apps than expected
+
+**Troubleshooting steps**
+
+1. [Verify that the provisioning package is applied successfully](lock-down-windows-10-to-specific-apps.md#validate-provisioning).
+2. Verify that the account (config) is mapped to a profile in the configuration XML file.
+3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration.
+
+
+## Apps configured in AllowedList are blocked
+
+1. Ensure the account is mapped to the correct profile and that the apps are specific for that profile.
+2. Check the EventViewer logs for Applocker and AppxDeployment (under **Application and Services Logs\Microsoft\Windows**).
+
+
+## Start layout not as expected
+
+- Make sure the Start layout is authored correctly. Ensure that the attributes **Size**, **Row**, and **Column** are specified for each application and are valid.
+- Check if the apps included in the Start layout are installed for the assigned access user.
+- Check if the shortcut exists on the target device, if a desktop app is missing on Start.
+
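Review bot: The front matter reuses `ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8`, the same value this change assigns to multi-app-kiosk-xml.md; give each new topic its own ID. In "Apps configured in AllowedList are blocked", step 2 should use the product spellings "Event Viewer" and "AppLocker" and say what kind of event indicates a blocked app, since that log is the evidence an admin has that the lockdown policy is what stopped the app. The "Unexpected results" section also opens with "For example:" without a sentence saying what the examples illustrate.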
diff --git a/windows/configuration/multi-app-kiosk-xml.md b/windows/configuration/multi-app-kiosk-xml.md
new file mode 100644
index 0000000000..d355221ba5
--- /dev/null
+++ b/windows/configuration/multi-app-kiosk-xml.md
@@ -0,0 +1,175 @@
+---
+title: Multi-app kiosk XML reference (Windows 10)
+description: XML and XSD for multi-app kiosk device configuration.
+ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
+keywords: ["lockdown", "app restrictions", "applocker"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: edu, security
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 10/05/2017
+ms.author: jdecker
+---
+
+# Multi-app kiosk XML reference
+
+
+**Applies to**
+
+- Windows 10
+
+## Full XML sample
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+
+
+
+
+
+ MultiAppKioskUser
+
+
+
+
+```
+
+## XSD for AssignedAccess configuration XML
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
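Review bot: Both fenced `xml` blocks are effectively empty as shown here: the "Full XML sample" contains only `]]>` and `MultiAppKioskUser`, and the XSD block has no content at all, so the topic gives nothing to author or validate a configuration against. Check that the element markup survives in the committed file and renders on the published page. The `ms.assetid` duplicates the one in multi-app-kiosk-troubleshoot.md, and the file ends without a trailing newline.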
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index e818979df8..a2f8ee5eb5 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
+ms.author: jdecker
+ms.date: 10/05/2017
---
# Provision PCs with apps
@@ -21,6 +23,9 @@ In Windows 10, version 1703, you can install multiple Universal Windows Platform
When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
+>[!IMPORTANT]
+>If you plan to use Intune to manage your devices, we recommend using Intune to install Office 365 ProPlus 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Online Desktop Cilent, and Visio Pro for Office 365 ProPlus). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Office 365 ProPlus 2016 apps using Microsoft Intune.](https://docs.microsoft.com/intune/apps-add-office365)
+
## Settings for UWP apps
- **License Path**: Specify the license file if it is an app from the Microsoft Store. This is optional if you have a certificate for the app.
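Review bot: Typo in the added IMPORTANT note: "Project Online Desktop Cilent" should be "Project Online Desktop Client". The statement that apps installed by a provisioning package "cannot be managed or modified using Intune" is the key point for anyone planning patching and removal, so consider putting it first and the app list second.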
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md
index baa60ac6fd..82ce22b422 100644
--- a/windows/configuration/provisioning-packages/provisioning-apply-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md
@@ -23,6 +23,9 @@ Provisioning packages can be applied to a device during the first-run experience
## Desktop editions
+>[!NOTE]
+>In Windows 10, version 1709, you can interrupt a long-running provisioning process by pressing ESC.
+
### During initial setup, from a USB drive
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
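Review bot: The added note says pressing ESC interrupts a long-running provisioning process but not what state the device is left in. State whether settings already applied are kept or rolled back, and whether the package has to be reapplied, because a partly applied package can leave a device without the restrictions it was meant to receive.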
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index 713a2b4b8d..9981feef89 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -103,7 +103,7 @@ On devices running Windows 10, you can install [the Windows Configuration Design
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=provisioning-install-icd.md).
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index 99ceb249ab..3b5752aa75 100644
--- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -21,7 +21,7 @@ ms.localizationpriority: high
A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions.
-- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only).
+- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). In Windows 10, version 1709, you can use the [Provision kiosk devices wizard](#wizard) to configure a kiosk device running a Universal Windows app for Windows 10 Pro.
or
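Review bot: With the added sentence the bullet now says the wizard is for "Windows 10 Enterprise or Education only" and, immediately after, that it also works on Windows 10 Pro in version 1709. Reword the parenthetical so it is clear which restriction applies to Classic Windows applications and which to Universal Windows apps, and drop the second `[Provision kiosk devices wizard](#wizard)` link, which repeats the one at the start of the bullet.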
@@ -85,8 +85,8 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo
| Method | Account type | Windows 10 edition |
| --- | --- | --- |
| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education |
-| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
-| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
+| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education |
+| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education |
| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education |
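Review bot: The MDM policy row gains "Pro (1709 only)", but the only prose change in this file mentions the provisioning wizard, not MDM. Add matching text in the MDM section or confirm the row is correct, and use one phrasing for the version limit: the intro says "In Windows 10, version 1709" while the table says "1709 only".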
@@ -432,6 +432,6 @@ For a more secure kiosk experience, we recommend that you make the following con
- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=set-up-a-kiosk-for-windows-10-for-desktop-editions.md).
diff --git a/windows/configuration/stop-employees-from-using-the-windows-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
similarity index 97%
rename from windows/configuration/stop-employees-from-using-the-windows-store.md
rename to windows/configuration/stop-employees-from-using-microsoft-store.md
index 71e3551c63..40bd27f436 100644
--- a/windows/configuration/stop-employees-from-using-the-windows-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -114,7 +114,7 @@ If you're using Microsoft Store for Business and you want employees to only see
[Manage access to private store](/microsoft-store/manage-access-to-private-store)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=stop-employees-from-using-microsoft-store.md).
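Review bot: The new Feedback Hub link hardcodes the file name in `topic=stop-employees-from-using-microsoft-store.md`, and this same change renames the file. Every topic that carries this link now has to be updated by hand on rename; note that in the contributor guidance or generate the parameter at build time.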
diff --git a/windows/configuration/wcd/wcd-applicationmanagement.md b/windows/configuration/wcd/wcd-applicationmanagement.md
index af27cea5f0..3a1b160d46 100644
--- a/windows/configuration/wcd/wcd-applicationmanagement.md
+++ b/windows/configuration/wcd/wcd-applicationmanagement.md
@@ -7,13 +7,16 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# ApplicationManagement (Windows Configuration Designer reference)
Use these settings to manage app installation and management.
+>[!NOTE]
+>ApplicationManagement settings are not available in Windows 10, version 1709.
+
## Applies to
| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
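Review bot: The added note says ApplicationManagement settings "are not available in Windows 10, version 1709" while the "Applies to" table directly below still lists them without a version. Say which versions the table applies to and what happens when a package containing these settings is applied to a 1709 device, so admins do not assume an app restriction is in force when it was skipped.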
diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md
index 201fc633e1..9c310df802 100644
--- a/windows/configuration/wcd/wcd-assignedaccess.md
+++ b/windows/configuration/wcd/wcd-assignedaccess.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# AssignedAccess (Windows Configuration Designer reference)
@@ -19,6 +19,7 @@ Use this setting to configure single use (kiosk) devices.
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [AssignedAccessSettings](#assignedaccesssettings) | X | | | X | |
+| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | X | | | | |
## AssignedAccessSettings
@@ -30,6 +31,18 @@ Enter the account and the application you want to use for Assigned access, using
```
"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"
```
+
+## MultiAppAssignedAccessSettings
+
+>[!NOTE]
+>MultiAppAssignedAccessSettings is supported on Windows 10, version 1709 only.
+
+Use this setting to configure a kiosk device that runs more than one app.
+
+1. [Create an assigned access configuration XML file for multiple apps.](../lock-down-windows-10-to-specific-apps.md)
+2. In Windows Configuration Designer, select **MultiAppAssignedAccessSettings**.
+3. Browse to and select the assigned access configuration XML file.
+
## Related topics
- [AssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/assignedaccess-csp)
\ No newline at end of file
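Review bot: The new MultiAppAssignedAccessSettings section links only to lock-down-windows-10-to-specific-apps.md and never points to the XML reference or the troubleshooting topic added in this same change. Link multi-app-kiosk-xml.md from step 1 and add a final step to sign in as the kiosk account and confirm that only the allowed apps start, with a pointer to multi-app-kiosk-troubleshoot.md.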
diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md
index f3905fe8bc..0ccf7992cb 100644
--- a/windows/configuration/wcd/wcd-callandmessagingenhancement.md
+++ b/windows/configuration/wcd/wcd-callandmessagingenhancement.md
@@ -7,13 +7,16 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# CallAndMessagingEnhancement (Windows Configuration Designer reference)
Use to configure call origin and blocking apps.
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
## Applies to
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md
new file mode 100644
index 0000000000..0b1d46a821
--- /dev/null
+++ b/windows/configuration/wcd/wcd-calling.md
@@ -0,0 +1,146 @@
+---
+title: Calling (Windows 10)
+description: This section describes the Calling settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# Calling (Windows Configuration Designer reference)
+
+Use to configure settings for Calling.
+
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+
+## Branding
+
+See [Branding for phone calls](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/branding-for-phone-calls).
+
+## PartnerAppSupport
+
+See [Dialer codes to launch diagnostic applications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/dialer-codes-to-launch-diagnostic-applications).
+
+## PerSimSettings
+
+Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click Add, and then configure the folowing settings.
+
+### Critical
+
+Setting | Description
+--- | ---
+MOSimFallbackVoicemailNumber | Partners who do not have the voicemail numbers on the device SIM can configure the voicemail number for their devices. If the voicemail number is not on the SIM and the registry key is not set, the default voicemail will not be set and the user will need to set the number. Set MOSimFallbackVoicemailNumber to the voicemail number that you want to use for the phone.
+SimOverrideVoicemailNumber | Mobile operators can override the voicemail number on the UICC with a different voicemail number that is configured in the registry. Set SimOverrideVoicemailNumber to a string that contains the digits of the voicemail number to use instead of the voicemail number on the UICC.
+
+
+### General
+
+Setting | Description
+--- | ---
+AllowVideoConferencing | Set as **True** to enable the ability to conference video calls.
+DefaultCallerIdSetting | Configure the default setting for caller ID. Select between `No one`, `Only contacts`, `Every one`, and `Network default`. If set to `Network default`, set `ShowCallerIdNetworkDefaultSetting` to **True**.
+DefaultEnableVideoCalling | Set as **True** to enable LTE video calling as the default setting.
+IgnoreMWINotifications | Set as **True** to configure the voicemail system so the phone ignores message waiting indicator (MWI) notifications.
+IgnoreUssdExclusions | Set as **True** to ignore Unstructured Supplementary Service Data (USSD) exclusions.
+ResetCallForwarding | When set to **True**, user is provided with an option to retry call forwarding settings query.
+ShowCallerIdNetworkDefaultSetting | Indicates whether the network default setting can be allowed for outgoing caller ID.
+ShowVideoCallingSwitch | Use to specify whether to show the video capability sharing switch on the mobile device's Settings screen.
+SupressVideoCallingChargesDialog | Configure the phone settings CPL to supress the video calling charges dialog.
+UssdExclusionList | List used to exclude predefined USSD entries, allowing the number to be sent as standard DTMF tones instead. Set UssdExclusionList to the list of desired exclusions, separated by semicolons. For example, setting the value to 66;330 will override 66 and 330. Leading zeros are specified by using F. For example, to override code 079, set the value to F79. If you set UssdExclusionList, you must set IgnoreUssdExclusions as well. Otherwise, the list will be ignored. See [List of USSD codes](#list-of-ussd-codes) for values.
+WiFiCallingOperatorName | Enter the operator name to be shown when the phone is using WiFi calling. If you don't set a value for WiFiCallingOperatorName, the device will always display **SIMServiceProviderName Wi-Fi**, where *SIMServiceProviderName* is a string that corresponds to the SPN for the SIM on the device. If the service provider name in the SIM is not set, only **Wi-Fi** will be displayed.
+
+
+
+## PhoneSettings
+
+Setting | Description
+--- | ---
+AssistedDialSetting | Turn off the international assist feature that helps users with the country codes needed for dialing international phone numbers.
+CallIDMatch | Sets the number of digits that the OS will try to match against contacts for Caller ID. For any country/region that doesn't exist in the default mapping table, mobile operators can use this legacy CallIDMatch setting to specify the minimum number of digits to use for matching caller ID.
+ContinuousDTMFEnabled | Enable DTMF tone duration for as long as the user presses a dialpad key.
+DisableVoicemailPhoneNumberDisplay | Disable the display of the voicemail phone number below the Voicemail label in call progress dialog.
+HideCallForwarding | Partners can hide the user option to turn on call forwarding. By default, users can decide whether to turn on call forwarding. Partners can hide this user option so that call forwarding is permanently disabled.
+ShowLongTones | Partners can make a user option visible that makes it possible to toggle between short and long DTMF tones, instead of the default continuous tones. By default, the phone supports Dual-Tone Multi-frequency (DTMF) with continuous tones. Partners can make a user option visible that makes it possible to toggle between short and long tones instead.
+UseOKForUssdDialogs | OEMs can change the button label in USSD dialogs from **Close** (the default) to **OK**.
+VoLTEAudioQualityString | Partners can add a string to the call progress screen to indicate if the active call is a high quality voice over LTE (VoLTE). Set the value of VoLTEAudioQualityString to the string that you want to display in the call progress screen to indicate that the call is a VoLTE call. This string is combined with the PLMN so if the string is "VoLTE", the resulting string is "PLMN_String VoLTE". For example, the string displayed in the call progress screen can be "Litware VoLTE" if the PLMN_String is "Litware". The value you specify for VoLTEAudioQualityString must exceed 10 characters.
+
+
+## SupplementaryServiceCodeOverrides
+
+See [Dialer codes for supplementary services](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/dialer-codes-for-supplementary-services).
+
+## VoicemailRegistrationTable
+
+Configure these settings to customize visual voicemail in the Windows 10 Mobile UI. For settings and values, see [Visual voicemail](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/visual-voicemail).
+
+
+## List of USSD codes
+
+
+Codes | Description | DWORD Value
+--- | --- | ---
+04 | CHANGEPIN | 000000F4
+042 | CHANGEPIN2 | 00000F42
+05 | UNBLOCKPIN | 000000F5
+052 | UNBLOCKPIN2 | 00000F52
+03 | SSCHANGEPASSWORD | 000000F3
+75 | EMLPPBASE | 00000075
+750 | EMLPPLEVEL0 | 00000750
+751 | EMLPPLEVEL1 | 00000751
+752 | EMLPPLEVEL2 | 00000752
+753 | EMLPPLEVEL3 | 00000753
+754 | EMLPPLEVEL4 | 00000754
+66 | CALLDEFLECT | 00000066
+30 | CALLIDCLIP | 00000030
+31 | CALLIDCLIR | 00000031
+76 | CALLIDCOLP | 00000076
+77 | CALLIDCOLR | 00000077
+21 | FWDUNCONDITIONAL | 00000021
+67 | FWDBUSY | 00000067
+61 | FWDNOREPLY | 00000061
+62 | FWDNOTREACHABLE | 00000062
+002 | FWDALL | 00000FF2
+004 | FWDALLCONDITIONAL | 00000FF4
+43 | CALLWAITING | 00000043
+360 | UUSALL | 00000360
+361 | UUSSERVICE1 | 00000361
+362 | UUSSERVICE2 | 00000362
+363 | UUSSERVICE3 | 00000363
+33 | BARROUT | 00000033
+331 | BARROUTINTL | 00000331
+332 | BARROUTINTLEXTOHOME | 00000332
+35 | BARRIN | 00000035
+351 | BARRINROAM | 00000351
+330 | BARRALL | 00000330
+333 | BARRALLOUT | 00000333
+353 | BARRALLIN | 00000353
+354 | BARRINCOMINGINTERMEDIATE | 00000354
+96 | CALLTRANSFER | 00000096
+37 | CALLCOMPLETEBUSY | 00000037
+070 | PNP0 | 00000F70
+071 | PNP1 | 00000F71
+072 | PNP2 | 00000F72
+073 | PNP3 | 00000F73
+074 | PNP4 | 00000F74
+075 | PNP5 | 00000F75
+076 | PNP6 | 00000F76
+077 | PNP7 | 00000F77
+078 | PNP8 | 00000F78
+079 | PNP9 | 00000F79
+300 | CALLCNAP | 00000300
+591 | MSP1 | 00000591
+592 | MSP2 | 00000592
+593 | MSP3 | 00000593
+594 | MSP4 | 00000594
+
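Review bot: In PhoneSettings, the VoLTEAudioQualityString row says the value "must exceed 10 characters", yet its own example value is "VoLTE" (5 characters); this looks like it should read "must not exceed". Also fix "folowing" under PerSimSettings and "supress" in the SupressVideoCallingChargesDialog description, and state for AssistedDialSetting which value turns the feature off. The PIN-related entries in the USSD list (CHANGEPIN, UNBLOCKPIN) deserve a sentence on what excluding them changes for the user, since UssdExclusionList sends excluded codes as plain DTMF tones.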
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md
new file mode 100644
index 0000000000..57347d1878
--- /dev/null
+++ b/windows/configuration/wcd/wcd-cellcore.md
@@ -0,0 +1,436 @@
+---
+title: CellCore (Windows 10)
+description: This section describes the CellCore settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# CellCore (Windows Configuration Designer reference)
+
+Use to configure settings for cellular data.
+
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
+## Applies to
+
+ Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core
+ --- | :---: | :---: | :---: | :---: | :---:
+ PerDevice: [CellConfigurations](#cellconfigurations) | | X | | |
+ PerDevice: [CellData](#celldata) CellularFailover | X | X | | |
+ PerDevice: [CellData](#celldata) MaxNumberOfPDPContexts | | X | | |
+ PerDevice: [CellData](#celldata) ModemProfiles | | X | | |
+ PerDevice: [CellData](#celldata) PersistAtImaging | | X | | |
+ PerDevice: [CellUX](#cellux) | | X | | |
+ PerDevice: [CGDual](#cgdual) | | X | | |
+ PerDevice: [eSim](#esim) | X | X | | |
+ PerDevice: [External](#external) | | X | | |
+ PerDevice: [General](#general) | | X | | |
+ PerDevice: [RCS](#rcs) | | X | | |
+ PerDevice: [SMS](#sms) | X | X | | |
+ PerDevice: [UIX](#uix) | | X | | |
+ PerDevice: [UTK](#utk) | | X | | |
+ PerlMSI: [CellData](#celldata2) | | X | | |
+ PerIMSI: [CellUX](#cellux2) | | X | | |
+ PerIMSI: [General](#general2) | | X | | |
+ PerIMSI: [RCS](#rcs2) | | X | | |
+ PerIMSI: [SMS](#sms2) | X | X | | |
+ PerIMSI: [UTK](#utk2) | | X | | |
+ PerIMSI: [VoLTE](#volte) | | X | | |
+
+
+## PerDevice
+
+### CellConfigurations
+
+
+
+1. In **CellConfiguration** > **PropertyGroups**, enter a name for the property group.
+2. Select the **PropertyGroups** you just created in the **Available customizations** pane and then enter a **PropertyName**.
+3. Select the **PropertyName** you just created in the **Available customizations** pane, and then select one of the following data types for the property:
+ - Binary
+ - Boolean
+ - Integer
+ - String
+4. The data type that you selected is added in **Available customizations**. Select it to enter a value for the property.
+
+### CellData
+
+Setting | Description
+--- | ---
+CellularFailover | Allow or disallow cellular data failover when in limited Wi-Fi connectivity. By default, if the phone is connected to a Wi-Fi network and the data connection to a site is unsuccessful due to limited Wi-Fi connectivity, the phone will complete the connection to the site using available cellular data networks (when possible) to provide an optimal user experience. When the customization is enabled, a user option to use or not use cellular data for limited Wi-Fi connectivity becomes visible in the **Settings** > **cellular+SIM** screen. This option is automatically set to **don’t use cellular data** when the customization is enabled.
+MaxNumberOfPDPContexts | Set a maximum value (1 through 4, inclusive, or 0x1 through 0x4 hexadecimal) for the number of simultaneous packet data protocol (PDP) contexts for 3GPP connections. By default, the OS enforces a maximum of four (4) simultaneous packet data protocol (PDP) contexts for 3GPP connections, and one (1) PDP context for 3GPP2 connections. You can set a different maximum value if required by their mobile operator. The same maximums apply for both roaming and non-roaming scenarios. This maximum does not include packet contexts used internally by the modem.
+ModemProfiles > LTEAttachGuids | Set the value for LTEAttachGuid to the OemConnectionId GUID used for the LTE attach profile in the modem. The value is a GUID in the string format *XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX*.
+PersistAtImaging > DisableAoAc | Enable or disable Always-on/Always-connected (AoAc) on the WWAN adapter.
+
+
+### CellUX
+
+Setting | Description
+--- | ---
+APNAuthTypeDefault | Select between **Pap** and **Chap** for default APN authentication type.
+APNIPTypeIfHidden | Select between **IPV4**, **IPV6**, **IPV4V6**, and **IPV4V6XLAT** for default APN IP type.
+Critical > ShowVoLTEToggle | Select **Yes** to show the VoLTE toggle in the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to hide the toggle.
+Disable2GByDefault | Select **Yes** to disable 2G by default. Select **No** to enable 2G.
+Disabled2GNoticeDescription | Enter text to customize the notification for disabled 2G.
+GenericWifiCallingErrorMessage | Enter text to customize the generic error message when a Wi-Fi calling error occurs.
+Hide3GPP2ModeSelection | Select **Yes** to hide the **CDMA** option in the network **Mode** selection drop-down menu. Select **No** to show the **CDMA** option.
+Hide3GPP2Selection | For 3GPP2 or CDMA phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM** settings screen. Select **No** to show **Network Type**.
+Hide3GPPNetworks | For 3GPP or GSM phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM settings** screen. Select **No** to show **Network Type**.
+HideAPN | Select **Yes** to hide the **add internet APN** button in the **SIM settings** screen. Select **No** to show **add internet APN**.
+HideAPNAuthType | Select **Yes** to hide the APN authentication selector. Select **No** to show the APN authentication selector.
+HideAPNIPType | Select **Yes** to hide the **IP type** list in the **internet APN** settings screen. Select **No** to show **IP type**.
+HideDisabled2GNotice | Select **Yes** to hide the notification for disabled 2G. Select **No** to show the notification for disabled 2G.
+HideHighestSpeed | Select **Yes** to hide the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show **Highest connection speed**.
+HideHighestSpeed2G | Select **Yes** to hide the 2G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 2G option.
+HideHighestSpeed3GOnly | Select **Yes** to hide the 3G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 3G option.
+HideHighestSpeed4G | Select **Yes** to hide the 4G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G option.
+HideHighestSpeed4G3GOnly | Select **Yes** to hide the 4G or 3G Only option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G or 3G Only option.
+HideHighestSpeed4GOnly | Select **Yes** to hide the 4G Only option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G Only option.
+HideLTEAttachAPN | Select **Yes** to hide the **LTE attach APN** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **LTE attach APN** button.
+HideMMSAPN | Select **Yes** to hide the **add mms apn** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **add mms apn** button.
+HideMMSAPNAuthType | Select **Yes** to hide the APN authentication type selector on the MMS APN page. Select **No** to show APN authentication selector.
+HideMMSAPNIPType | Select **Yes** to hide the APN IP type selector on the MMS APN page. Select **No** to show the APN IP type selector.
+HideModeSelection | Select **Yes** to hide the **Network Mode selection** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **Network Mode selection**.
+HidePersoUnlock | Select **Yes** to hide the Perso unlock UI. Select **No** to show the Perso unlock UI.
+HighestSpeed2G | You can customize the listed names of the connection speeds with their own character codes. To modify "2G" to another character code, change the value of HighestSpeed2G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3G | You can customize the listed names of the connection speeds with their own character codes. To modify "3G" to another character code, change the value of HighestSpeed3G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Only" to another character code, change the value of HighestSpeed3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3GPreferred | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Preferred" to another character code, change the value of HighestSpeed3GPreferred. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4G | You can customize the listed names of the connection speeds with their own character codes. To modify "4G" to another character code, change the value of HighestSpeed4G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4G3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "4G or 3G Only" to another character code, change the value of HighestSpeed4G3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "4G Only" to another character code, change the value of HighestSpeed4GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeedTitle | You can customize the **Highest connection speed** drop-down label in the **Settings** > **Cellular+SIM** > **SIM** settings page. To change the Highest connection speed drop-down label, set HighestSpeedTitle to another string. For example, you can set this to "Preferred connection speed".
+IsATTSpecific | Control the roaming text for AT&T devices. AT&T requires the phone to show a particular roaming text to meet their legal and marketing guidelines. By default, if the user chooses **roam** under **Data roaming options** in the **Settings** > **Cellular+SIM** screen, they will see the following text: *Depending on your service agreement, you might pay more when using data roaming.* If you set IsATTSpecific to **Yes**, the following roaming text will be displayed instead: *International data roaming charges apply for data usage outside the United States, Puerto Rico, and United States Virgin Islands. Don’t allow roaming to avoid international data roaming charges.*
+LTEAttachGUID | Set the value for LTEAttachGuid to the OemConnectionId GUID used for the LTE attach profile in the modem. The value is a GUID in the string format *XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX*.
+MMSAPNAuthTypeDefault | Select between **Pap** and **Chap** for default MMS APN authentication type.
+MMSAPNIPTypeIfHidden | Select between **IPV4**, **IPV6**, **IPV4V6**, and **IPV4V6XLAT** for default MMS APN IP type.
+ShowExtendedRejectCodes | When a reject code is sent by the network, partners can specify that extended error messages should be displayed instead of the standard simple error messages. This customization is only intended for use when required by the mobile operator’s network. The short versions of the extended reject message are shown in the following screens:- Phone tile in Start- Call History screen- Dialer- Call Progress screen- Incoming Call screen- As the status string under Settings > cellular+SIMThe long version of the extended reject message is shown under the Active Network label in **Settings** > **cellular+SIM**. Select **Yes** to show the extended error message. Select **No** to hide the extended error message. See [Error messages for reject codes](#errorreject) to see the versions of the message.
+ShowHighestSpeed3GPreferred | Select **Yes** to show the **3G Preferred** option in the **Highest connection speed** drop-down menu. Select **No** to hide **3G Preferred**.
+ShowManualAvoidance | Select **Yes** to show the **Switch to next network manually** button in SIM settings when Mode Selection is CDMA on a C+G dual SIM phone. Select **No** to hide the **Switch to next network manually** button
+ShowPreferredPLMNPage | Select **Yes** to show the preferred public land mobile network (PLMN) page in SIM settings.
+ShowSpecificWifiCallingError | Select **Yes** to show a specific error message based on operator requirements.
+ShowViewAPN | Select **Yes** to show the **View Internet APN** button in **Settings** > **cellular+SIM**.
+ShowWifiCallingEmergencyCallWarning | Select **Yes** to show Wi-Fi emergency call warning.
+ShowWifiCallingError | Select **Yes** to show Wi-Fi calling error message.
+SuppressDePersoUI | Select **Yes** to hide the perso unlock UI.
+
+
+### CGDual
+
+Use **CGDual** > **RestrictToGlobalMode** to configure settings for global mode on C+G Dual SIM phones. When the device registration changes, if the value for this setting is set, the OS changes the preferred system type to the default preferred system type for world mode. If the phone is not camped on any network, the OS assumes the phone is on the home network and changes the network registration preference to default mode.
+
+Select from the following:
+
+- RestrictToGlobalMode_Disabled: the phone is not restricted to global mode.
+- RestrictToGlobalMobe_Home: when a slot is registered at home and supports global mode, the mode selection is restricted to global mode.
+- RestrictToGlobalMode_Always: if a slot supports global mode and this value is selected, the mode selection is restricted to global mode.
+
+### eSim
+
+Configure **FwUpdate** > **AllowedAppIdList** to whitelist apps that are allowed to update the firmware. Obtain the app IDs from the card vendor.
+
+### External
+
+Setting | Description
+--- | ---
+CallSupplementaryService > OTASPNonStandardDialString | Enter a list of all desired non-standard OTASP dial strings.
+CarrierSpecific > FallBackMode | Select between **GWCSFB** and **1xCSFB** for fallback mode.
+CarrierSpecific > VZW > ActSeq | Enables activation for 4G VZW card. Do not configure this setting for non-VZW devices.
+EnableLTESnrReporting | Select between **Use only RSRP** and **Use both RSRP and ECNO** to check if SNR needs to be used for LTE Signal Quality calculations.
+EnableUMTSEcnoReporting | Select between **Use only RSSI** and **Use both RSSI and SNR** to check if SNR needs to be used for UMTS Signal Quality calculations.
+ImageOnly > ERI > AlgorithmMBB0 | Select between **Sprint** and **Verizon** to specify the ERI algorithm in MBB for subscription 0.
+ImageOnly > ERI > AlgorithmMBB1 | Select between **Sprint** and **Verizon** to specify the ERI algorithm in MBB for subscription 1.
+ImageOnly > ERI > AlgorithmWmRil | Select between **Sprint** and **Verizon** to specify the ERI-based notification algorithm.
+ImageOnly > ERI > DataFileNameWmRil | Specify the location of the ERI file on the device; for example, `C:\Windows\System32\SPCS_en.eri`. *SPCS_en.eri* is a placeholder. Obtain the ERI file name from the mobile operator and replace this filename with it.
+ImageOnly > ERI > EnabledWmRil | Enable or disable ERI-based notifications.
+ImageOnly > ERI > ERIDataFileNameMBB0 | Specify the ERI data file name with international roaming list for Verizon in MBB for subscription 0.
+ImageOnly > ERI > ERIDataFileNameMBB1 | Specify the ERI data file name with international roaming list for Verizon in MBB for subscription 1.
+ImageOnly > ERI > ERISprintIntlRoamDataFileNameMBB0 | Specify the ERI data file name with international roaming list for Sprint in MBB for subscription 0.
+ImageOnly > ERI > ERISprintIntlRoamDataFileNameMBB1 | Specify the ERI data file name with international roaming list for Sprint in MBB for subscription 1.
+ImageOnly > ERI > SprintInternationalERIValuesWmRil | Specify the international ERI values for Sprint as `to 4A,7C,7D,7E,9D,9E,9F,C1,C2,C3,C4,C5,C6,E4,E5,E6,E7,E8.`.
+ImageOnly > MTU > DormancyTimeout0 | Enter the number of milliseconds to wait after dormancy hint before telling the modem to make the air interface dormant for subscription 0. Minimum value is 1703, and maximum value is 5000.
+ImageOnly > MTU > DormancyTimeout1 | Enter the number of milliseconds to wait after dormancy hint before telling the modem to make the air interface dormant for subscription 1. Minimum value is 1703, and maximum value is 5000.
+ImageOnly > MTU > MTUDataSize | Customize the TCP maximum segment size (MSS) by setting the maximum transmission unit (MTU) data size if the MSS does not meet the requirements of the mobile operator network. For TCP, the default maximum transmission unit (MTU) is set to 1500 bytes, which makes the maximum segment size (MSS) 1460 bytes. In general, this value should not be changed, as the user experience will degrade if low values are set. However, if the MSS does not meet the requirements of the mobile operator network, OEMs can customize it by setting the MTU data size. This customization configures the MTU, so the size should be set to the required MSS size plus 40 bytes.
+ImageOnly > MTU > RoamingMTUDataSize | Customize the TCP maximum segment size (MSS) for roaming by setting the maximum transmission unit (MTU) data size if the MSS does not meet the requirements of the mobile operator network. For TCP, the default maximum transmission unit (MTU) is set to 1500 bytes, which makes the maximum segment size (MSS) 1460 bytes. In general, this value should not be changed, as the user experience will degrade if low values are set. However, if the MSS does not meet the requirements of the mobile operator network, OEMs can customize it for roaming by setting the MTU data size. This customization configures the MTU, so the size should be set to the required MSS size plus 40 bytes.
+ImageOnly > SuppressNwPSDetach | Configure whether to suppress reporting of network-initiated PS detach (appear attached to OS) until deregistered.
+SignalBarMapping Table | You can modify the percentage values used for the signal strength in the status bar per filter. For details, see [Custom percentages for signal strength bars](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/custom-percentages-for-signal-strength-bars).
+SRVCCAutoToggleWmRil | Configure whether to link SRVCC to VOLTE on/off.
+
+
+
+### General
+
+Setting | Description
+--- | ---
+atomicRoamingTableSettings3GPP | If you enable 3GPP roaming, configure the following settings:- **Exceptions** maps the SerialNumber key to the Exceptions value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Exceptions" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Exceptions). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.- **HomePLMN** maps the SerialNumber key to the HomePLMN value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "HomePLMN" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (HomePLMN). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.- **TargetImsi** maps the SerialNubmer key to the TargetIMSI value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "TargetImsi" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (TargetImsi). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.
+atomicRoamingTableSettings3GPP2 | If you enable 3GPP2 roaming, configure the following settings:- **Home** maps the SerialNumber key to the Home value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Home" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Home). The data in the regvalue is a DWORD representing the Roaming Indicator. - **Roaming** maps the SerialNumber key to the Roaming value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Roaming" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Roaming). The data in the regvalue is a DWORD representing the Roaming Indicator.
+AvoidStayingInManualSelection | You can enable permanent automatic mode for mobile networks that require the cellular settings to revert to automatic network selection after the user has manually selected another network when roaming or out of range of the home network.
+CardAllowList | Define the list of SIM cards allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards allowed in the first slot, set the value for CardAllowList to a comma-separated MCC:MNC list. You can also use wild cards, represented by an asterisk, to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`.
+CardBlockList | Define the list of SIM cards that are not allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards that are not allowed in the first slot, set the value for CardBlockList to a comma separated MCC:MNC list. You can also use wild cards, represented by an asterisk, to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`.
+CardLock | Used to enforce either the card allow list or both the card allow and block lists on a C+G dual SIM phone.
+DefaultSlotAffinity | Set the data connection preference for:- **SlotAffinityForInternetData_Automatic**: data connection preference is automatically set- **SlotAffinityForInternetData_Slot0**: sets the data connection preference to Slot 0. The data connection cannot be edited by the user.- **SlotAffinityForInternetData_Slot1**: Sets the data connection preference to Slot 1. The data connection cannot be edited by the user.
+DisableLTESupportWhenRoaming | Set to **Yes** to disable LTE support when roaming.
+DisableSystemTypeSupport | Enter the system types to be removed.
+DTMFOffTime | Sets the length of time, in milliseconds (between 64 and 1000 inclusive), of the pause between DTMF digits. For example, a value of 120 specifies 0.12 seconds.
+DTMFOnTime | Sets the length of time, in milliseconds (between 64 and 1000 inclusive), to generate the DTMF tone when a key is pressed. For example, a value of 120 specifies 0.12 seconds.
+ExcludedSystemTypesByDefault | Set the default value for **Highest connection speed** in the **Settings** > **Cellular & SIM** > **SIM** screen by specifying the bitmask for any combination of radio technology to be excluded from the default value. The connection speed that has not been excluded will show up as the highest connection speed. On dual SIM phones that only support up to 3G connection speeds, the **Highest connection speed** option is replaced by a 3G on/off toggle based on the per-device setting. Enter the binary setting to exclude 4G (`10000`) or 3G (`01000`).
+ExcludedSystemTypesPerOperator | Exclude specified system types from SIM cards that match the MCC:MNC pairs listed in **OperatorListForExcludedSystemTypes**. This setting is used only for China. Set the value to match the system type to be excluded. For more information about the RIL system types, see [RILSYSTEMTYPE](https://msdn.microsoft.com/library/windows/hardware/dn931143.aspx). For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). In this case, the ExcludedSystemTypesPerOperator value must be set to 0x18 to limit the matching MCC:MNC pairs to 2G.
+LTEEnabled | Select **Yes** to enable LTE, and **No** to disable LTE.
+LTEForced | Select **Yes** to force LTE.
+ManualNetworkSelectionTimeout | Set the default network selection timeout value, in a range of 1-600 seconds. By default, the OS allows the phone to attempt registration on the manually selected network for 60 seconds (or 1 minute) before it switches back to automatic mode. This value is the amount of time that the OS will wait for the modem to register on the manually selected network. If the time lapses and the modem was not able to register on the network that was manually selected by the user, the OS will either switch back to the automatic network selection mode if Permanent automatic mode is enabled, and the user has manually selected a network or the modem was turned on, or display a dialog that notifies the user that the phone was unable to connect to the manually selected network after the phone was turned on or after airplane mode was turned off.
+NetworkSuffix | To meet branding requirements for some mobile operators, you can add a suffix to the network name that is displayed on the phone. For example, you can change from ABC to ABC 3G when under 3G coverage. This feature can be applied for any radio access technology (RAT). For TD-SCDMA RAT, a 3G suffix is always appended by default, but partners can also customize this the same way as with any other RAT. In the setting name, set SYSTEMTYPE to the network type that you want to append the network name to and click **Add**:- system type 4: 2G (GSM)- system type 8: 3G (UMTS)- system type 16: LTE- system type 32: 3G (TS-SCDMA)Select the system type that you added, and enter the network name and suffix that you want displayed.
+NitzFiltering | For mobile networks that can receive Network Identity and Time Zone (NITZ) information from multiple sources, partners can set the phone to ignore the time received from an LTE network. Time received from a CDMA network is not affected. Set the value of NitzFiltering to `0x10`.
+OperatorListForExcludedSystemTypes | Enter a comma-separated list of MCC and MNC (MCC:MNC) for which system types should be restricted. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can specify the MCC and MNC of other specific operators that the main mobile operator wishes to limit. If the UICC's MCC and MNC matches any of the pairs that OEMs can specify for the operator, a specified RIL system type will be removed from the UICC regardless of its app types, slot position, or executor mapping. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. Set the value of the OperatorListForExcludedSystemTypes setting a comma separated list of MCC:MNC pairs for which the system types should be restricted. For example, the value can be set to 310:026,310:030 to restrict operators with an MCC:MNC of 310:026 and 310:030.
+OperatorPreferredForFasterRadio | Set Issuer Identification Number (IIN) or partial ICCID of preferred operator for the faster radio. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can map a partial ICCID or an Industry Identification Number (IIN) to the faster radio regardless of which SIM card is chosen for data connectivity. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To map a partial ICCID or an IIN to the faster radio regardless of which SIM card is chosen for data connectivity, set the value of OperatorPreferredForFasterRadio to match the IIN or the ICCID, up to 7 digits, of the preferred operator.
+PreferredDataProviderList | OEMs can set a list of MCC/MNC pairs for the purchase order (PO) carrier or primary operator. For mobile operators that require it, OEMs can set a list of MCC/MNC pairs for the purchase order (PO) carrier or primary operator so that it can be set as the default data line for phones that have a dual SIM. When the PO SIM is inserted into the phone, the OS picks the PO SIM as the data line and shows a notification to the user that the SIM has been selected for Internet data. If two PO SIMs are inserted, the OS will choose the first PO SIM that was detected as the default data line and the mobile operator action required dialogue (ARD) is shown. If two non-PO SIMs are inserted, the user is prompted to choose the SIM to use as the default data line. Note OEMs should not set this customization unless required by the mobile operator. To enumerate the MCC/MNC value pairs to use for data connections, set the value for **PreferredDataProviderList**. The value must be a comma-separated list of preferred MCC:MNC values. For example, the value can be 301:026,310:030 and so on.
+Slot2DisableAppsList | Disable specified apps from slot 2 on a C+G dual SIM phone. To disable a list of specified apps from Slot 2, set Slot2DisableAppsList to a comma-separated list of values representing the apps. For example, `4,6`.
+Slot2ExcludedSystemTypes | Exclude specified system types from SIM cards inserted in Slot 2. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can restrict the second slot in a dual-SIM phone regardless of what apps or executor mapping the second slot is associated with. Note This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To allow an operator to simply restrict the second slot in a dual SIM phone regardless of what apps or executor mapping the second slot is associated with, set the value of Slot2ExcludedSystemTypes to the system types to be excluded from the SIM cards inserted in Slot 2. For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). In this case, any SIM inserted in Slot 2 will be limited to 2G. For more information about the RIL system types, see [RILSYSTEMTYPE](https://msdn.microsoft.com/library/windows/hardware/dn931143.aspx).
+SuggestDataRoamingARD | Use to show the data roaming suggestion dialog when roaming and the data roaming setting is set to no roaming.
+SuggestGlobalModeARD | Define whether Global Mode is suggested on a C+G dual SIM phone.
+SuggestGlobalModeTimeout | To specify the number of seconds to wait for network registration before suggesting global mode, set SuggestGlobalModeTimeout to a value between 1 and 600, inclusive. For example, to set the timeout to 60 seconds, set the value to 60 (decimal) or 0x3C (hexadecimal).
+
+### RCS
+
+Setting | Description
+--- | ---
+SystemEnabled | Select **Yes** to specify that the system is RCS-enabled.
+UserEnabled | Select **Yes** to show the user setting if RCS is enabled on the device.
+
+### SMS
+
+Setting | Description
+--- | ---
+AckExpirySeconds | Set the value, in seconds, for how long to wait for a client ACK before trying to deliver.
+DefaultMCC | Set the default mobile country code (MCC).
+Encodings > GSM7BitEncodingPage | Enter the code page value for the 7-bit GSM default alphabet encoding. Values:- Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)- Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction)
+Encodings > GSM8BitEncodingPage | Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. For more information, see [Add encoding extension tables for SMS]https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/add-encoding-extension-tables-for-sms).
+Encodings > OctetEncodingPage | Set the octet (binary) encoding.
+Encodings > SendUDHNLSS | Set the 7 bit GSM shift table encoding.
+Encodings > UseASCII | Set the 7 bit ASCII encoding. Used only for CDMA carriers that use 7-bit ASCII encoding instead of GSM 7-bit encoding.
+Encodings > UseKeyboardLangague | Set whether to use the keyboard language (Portuguese, Spanish, or Turkish) based encoding (set shift table based on keyboard language).
+IncompleteMsgDeliverySeconds | Set the value, in seconds, for long to wait for all parts of multisegment Sprint messages for concatenation.
+MessageExpirySeconds | Partners can set the expiration time before the phone deletes the received parts of a long SMS message. For example, if the phone is waiting for a three-part SMS message and the first part has been received, the first part will be deleted when the time expires and the other part of the message has not arrived. If the second part of the message arrives before the time expires, the first and second parts of the message will be deleted if the last part does not arrive after the time expires. The expiration time is reset whenever the next part of the long message is received. Set MessageExpirySeconds to the number seconds that the phone should wait before deleting the received parts of a long SMS messages. This value should be in hexadecimal and must be prefixed with 0x. The default value is 0x15180, which is equivalent to 1 day or 86,400 seconds.
+SmsFragmentLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsFragmentLimit to set the maximum number of bytes in the user data body of an SMS message. You must set the value between 16 (0x10) and 140 (0x8C). You must also use SmsPageLimit to set the maximum number of segments in a concatenated SMS message.
+SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message.
+SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message.
+Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**.
+Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**.
+Type3GPP > IMS > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH.
+Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**.
+Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type.
+
+### UIX
+
+Setting | Description
+--- | ---
+SIM1ToUIM1 | Used to show UIM1 as an alternate string instead of SIM1 for the first SIM on C+G dual SIM phones.
+SIMToSIMUIM | Partners can change the string "SIM" to "SIM/UIM" to accommodate scenarios such as Dual Mode cards of SIM cards on the phone. This can provide a better user experience for users in some markets. Enabling this customization changes all "SIM" strings to "SIM/UIM".
+
+
+
+### UTK
+
+Setting | Description
+--- | ---
+UIDefaultDuration | Specifies the default time, in milliseconds, that the DISPLAY TEXT, GET INKEY, PLAY TONE, or SELECT ITEM dialog should be displayed. The default value is 60000 milliseconds (60 seconds). The valid value range is 1-120000.
+UIGetInputDuration | Specifies the default time, in milliseconds, that the GET INPUT dialog should be displayed. The default value is 120000 milliseconds (120 seconds). The valid value range is 1-120000.
+
+
+
+
+## PerlMSI
+
+Enter an IMSI, click **Add**, and then select the IMSI that you added to configure the following settings.
+
+
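Review bot: In the CGDual list, `RestrictToGlobalMobe_Home` does not match its siblings `RestrictToGlobalMode_Disabled` and `RestrictToGlobalMode_Always`. Readers copy these names into provisioning packages, so please check it against the actual setting value and correct it if "Mobe" is a typo. The same check applies to `Encodings > UseKeyboardLangague` in the SMS table and to the `## PerlMSI` heading, whose own paragraph talks about entering an IMSI. In the `Encodings > GSM8BitEncodingPage` row the link is missing its opening parenthesis (`[Add encoding extension tables for SMS]https://...`), so it will not render as a link. Smaller text fixes in the same tables: "SerialNubmer" in the TargetImsi description, "recepient" in the FriendlyErrorClass rows, "for long to wait" in IncompleteMsgDeliverySeconds, "TS-SCDMA" against "TD-SCDMA" within NetworkSuffix, and the stray "to" and trailing period inside the code span for SprintInternationalERIValuesWmRil. PreferredDataProviderList gives the example 301:026,310:030 where OperatorListForExcludedSystemTypes uses 310:026,310:030; please confirm whether 301 is intended. Several cells (ShowExtendedRejectCodes, atomicRoamingTableSettings3GPP, NetworkSuffix, GSM7BitEncodingPage) have their bullet lists run together as "- item- item", which will render as one run of text inside the table cell; separate the items with line breaks or move the lists out of the table.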
+### CellData
+
+Setting | Description
+--- | ---
+MaxNumberOfPDPContexts | OEMs can set a maximum value for the number of simultaneous packet data protocol (PDP) contexts for 3GPP connections. By default, the OS enforces a maximum of four (4) simultaneous packet data protocol (PDP) contexts for 3GPP connections, and one (1) PDP context for 3GPP2 connections. OEMs can set a different maximum value if required by their mobile operator. The same maximums apply for both roaming and non-roaming scenarios. This maximum does not include packet contexts used internally by the modem.
+
+
+
+### CellUX
+
+Setting | Description
+--- | ---
+APNIPTypeIfHidden | Used to set the default IP type shown in the **IP type** listbox on the **internet APN** settings screen.
+Critical > ShowVoLTERoaming | Use to show the IMS roaming control in the cellular settings page
+Critical > ShowVoLTEToggle | Show or hide VoLTE toggle.
+Critical > SwitchIMS | Switch IMS on or off with a toggle. OEMs can configure the default settings and toggle for IMS services to meet mobile operator requirements. Users can later manually change the default values for these settings if they choose to do so.
+Critical > SwitchSMSOverIMS | Switch SMS over IMS on or off when VoLTE is toggled.
+Critical > SwitchVideoOverIMS | Use to switch video over IMS when VoLTE is switched.
+Critical > SwitchVoiceOverIMS | Switch voice over IMS when VoLTE is toggled.
+Critical > SwitchXCAP | Use to switch the XML Configuration Access Protocol (XCAP) when VoLTE is enabled.
+Critical > VoLTERoamingOffDescription | Use to customize the description string that appears under IMS roaming control when IMS roaming is turned off. The string must not be longer than 127 characters.
+Critical > VoLTERoamingOnDescription | Use to customize the description string that appears under IMS roaming control when IMS roaming is turned on. The string must not be longer than 127 characters.
+Critical > VoLTERoamingSettingDisableDuringCall | Use to specify whether to grey out VoLTE roaming settings during an active VoLTE call.
+Critical > VoLTERoamingTitle | Use to customize the description string for the IMS roaming control. The string must not be longer than 127 characters.
+Critical > VoLTESectionTitle | Use to customize the section title for the IMS settings. he string must not be longer than 127 characters.
+Critical > VoLTESettingDisableDuringCall | Use to specify whether to grey out VoLTE-related settings during an active VoLTE call.
+Critical > VoLTEToggleDescription | Use to customize the VoLTE toggle description. To customize the VoLTE toggle description, set VoLTEToggleDescription to the name of the resource-only .dll file, specifying the string offset. For example: @DisplayStrings.dll,-101.
+Critical > VoLTEToggleSettingDisableDuringCall | Use to specify whether to grey out the VoLTE toggle during an active VoLTE call.
+Critical > VoLTEToggleTitle | Use to customize the VoLTE toggle label. To customize the VoLTE toggle label, set VoLTEToggleTitle to the name of the resource-only .dll file, specifying the string offset. For example: @DisplayStrings.dll,-102.
+Critical > WFCSettingDisableDuringCall | Use to specify whether to grey out the Wi-Fi calling settings during an active VoLTE call.
+Disable2GByDefault | Select **Yes** to disable 2G by default. Select **No** to enable 2G.
+Disabled2GNoticeDescription | Enter text to customize the notification for disabled 2G.
+GenericWifiCallingErrorMessage | Enter text to customize the generic error message when a Wi-Fi calling error occurs.
+Hide3GPP2ModeSelection | Select **Yes** to hide the **CDMA** option in the network **Mode** selection drop-down menu. Select **No** to show the **CDMA** option.
+Hide3GPP2Selection | For 3GPP2 or CDMA phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM** settings screen. Select **No** to show **Network Type**.
+Hide3GPPNetworks | For 3GPP or GSM phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM settings** screen. Select **No** to show **Network Type**.
+HideAPN | Select **Yes** to hide the **add internet APN** button in the **SIM settings** screen. Select **No** to show **add internet APN**.
+HideAPNIPType | Select **Yes** to hide the **IP type** list in the **internet APN** settings screen. Select **No** to show **IP type**.
+HideDisabled2GNotice | Select **Yes** to hide the notification for disabled 2G. Select **No** to show the notification for disabled 2G.
+HideHighestSpeed | Select **Yes** to hide the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show **Highest connection speed**.
+HideHighestSpeed2G | Select **Yes** to hide the 2G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 2G option.
+HideHighestSpeed3GOnly | Select **Yes** to hide the 3G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 3G option.
+HideHighestSpeed4G | Select **Yes** to hide the 4G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G option.
+HideHighestSpeed4G3GOnly | Select **Yes** to hide the 4G or 3G Only option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G or 3G Only option.
+HideHighestSpeed4GOnly | Select **Yes** to hide the 4G Only option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G Only option.
+HideLTEAttachAPN | Select **Yes** to hide the **LTE attach APN** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **LTE attach APN** button.
+HideMMSAPN | Select **Yes** to hide the **add mms apn** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **add mms apn** button.
+HideMMSAPNIPType | Select **Yes** to hide the APN IP type selector on the MMS APN page. Select **No** to show the APN IP type selector.
+HideModeSelection | Select **Yes** to hide the **Network Mode selection** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **Network Mode selection**.
+HidePersoUnlock | Select **Yes** to hide the Perso unlock UI. Select **No** to show the Perso unlock UI.
+HighestSpeed2G | You can customize the listed names of the connection speeds with their own character codes. To modify "2G" to another character code, change the value of HighestSpeed2G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3G | You can customize the listed names of the connection speeds with their own character codes. To modify "3G" to another character code, change the value of HighestSpeed3G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Only" to another character code, change the value of HighestSpeed3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3GPreferred | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Preferred" to another character code, change the value of HighestSpeed3GPreferred. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4G | You can customize the listed names of the connection speeds with their own character codes. To modify "4G" to another character code, change the value of HighestSpeed4G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4G3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "4G or 3G Only" to another character code, change the value of HighestSpeed4G3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "4G Only" to another character code, change the value of HighestSpeed4GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeedTitle | You can customize the **Highest connection speed** drop-down label in the **Settings** > **Cellular+SIM** > **SIM** settings page. To change the Highest connection speed drop-down label, set HighestSpeedTitle to another string. For example, you can set this to "Preferred connection speed".
+IsATTSpecific | Control the roaming text for AT&T devices. AT&T requires the phone to show a particular roaming text to meet their legal and marketing guidelines. By default, if the user chooses **roam** under **Data roaming options** in the **Settings** > **Cellular+SIM** screen, they will see the following text: *Depending on your service agreement, you might pay more when using data roaming.* If you set IsATTSpecific to **Yes**, the following roaming text will be displayed instead: *International data roaming charges apply for data usage outside the United States, Puerto Rico, and United States Virgin Islands. Don’t allow roaming to avoid international data roaming charges.*
+LTEAttachGUID | Set the value for LTEAttachGuid to the OemConnectionId GUID used for the LTE attach profile in the modem. The value is a GUID in the string format *XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX*.
+MMSAPNIPTypeIfHidden | Select between **IPV4**, **IPV6**, **IPV4V6**, and **IPV4V6XLAT** for default MMS APN IP type.
+ShowExtendedRejectCodes | When a reject code is sent by the network, partners can specify that extended error messages should be displayed instead of the standard simple error messages. This customization is only intended for use when required by the mobile operator’s network. The short versions of the extended reject message are shown in the following screens:- Phone tile in Start- Call History screen- Dialer- Call Progress screen- Incoming Call screen- As the status string under Settings > cellular+SIMThe long version of the extended reject message is shown under the Active Network label in **Settings** > **cellular+SIM**. Select **Yes** to show the extended error message. Select **No** to hide the extended error message. See [Error messages for reject codes](#errorreject) to see the versions of the message.
+ShowHighestSpeed3GPreferred | Select **Yes** to show the **3G Preferred** option in the **Highest connection speed** drop-down menu. Select **No** to hide **3G Preferred**.
+ShowManualAvoidance | Select **Yes** to show the **Switch to next network manually** button in SIM settings when Mode Selection is CDMA on a C+G dual SIM phone. Select **No** to hide the **Switch to next network manually** button
+ShowPreferredPLMNPage | Select **Yes** to show the preferred public land mobile network (PLMN) page in SIM settings.
+ShowSpecificWifiCallingError | Select **Yes** to show a specific error message based on operator requirements.
+ShowViewAPN | Select **Yes** to show the **View Internet APN** button in **Settings** > **cellular+SIM**.
+ShowWifiCallingEmergencyCallWarning | Select **Yes** to show Wi-Fi emergency call warning.
+ShowWifiCallingError | Select **Yes** to show Wi-Fi calling error message.
+
+
+
+
+
+### General
+
+Setting | Description
+--- | ---
+atomicRoamingTableSettings3GPP | If you enable 3GPP roaming, configure the following settings:- **Exceptions** maps the SerialNumber key to the Exceptions value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Exceptions" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Exceptions). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.- **HomePLMN** maps the SerialNumber key to the HomePLMN value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "HomePLMN" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (HomePLMN). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.- **TargetImsi** maps the SerialNubmer key to the TargetIMSI value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "TargetImsi" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (TargetImsi). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.
+atomicRoamingTableSettings3GPP2 | If you enable 3GPP2 roaming, configure the following settings:- **Home** maps the SerialNumber key to the Home value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Home" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Home). The data in the regvalue is a DWORD representing the Roaming Indicator. - **Roaming** maps the SerialNumber key to the Roaming value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Roaming" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Roaming). The data in the regvalue is a DWORD representing the Roaming Indicator.
+AvoidStayingInManualSelection | You can enable permanent automatic mode for mobile networks that require the cellular settings to revert to automatic network selection after the user has manually selected another network when roaming or out of range of the home network.
+CardAllowList | Define the list of SIM cards allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards allowed in the first slot, set the value for CardAllowList to a comma-separated MCC:MNC list. You can also use wild cards, represented by an asterisk (*), to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`.
+CardBlockList | Define the list of SIM cards that are not allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards that are not allowed in the first slot, set the value for CardBlockList to a comma separated MCC:MNC list. You can also use wild cards, represented by an asterisk (*), to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`.
+CardLock | Used to enforce either the card allow list or both the card allow and block lists on a C+G dual SIM phone.
+Critical > MultivariantProvisionedSPN | Used to change the default friendly SIM names in dual SIM phones. By default, the OS displays SIM 1 or SIM 2 as the default friendly name for the SIM in slot 1 or slot 2 if the service provider name (SPN) or mobile operator name has not been set. Partners can use this setting to change the default name read from the SIM to define the SPN for SIM cards that do not contain this information or to generate the default friendly name for the SIM. The OS uses the default value as the display name for the SIM or SPN in the Start screen and other parts of the UI including the SIM settings screen. For dual SIM phones that contain SIMs from the same mobile operator, the names that appear in the UI may be similar. See [Values for MultivariantProvisionedSPN](#spn).
+Critical > SimNameWithoutMSISDNENabled | Use this setting to remove the trailing MSISDN digits from the service provider name (SPN) in the phone UI. By default, the OS appends the trailing MSISDN digits to the service provider name (SPN) in the phone UI, including on the phone and messaging apps. If required by mobile operators, OEMs can use the SimNameWithoutMSISDNEnabled setting to remove the trailing MSISDN digits. However, you must use this setting together with **MultivariantProvisionedSPN** to suppress the MSISDN digits.
+DisableLTESupportWhenRoaming | Set to **Yes** to disable LTE support when roaming.
+ExcludedSystemTypesByDefault | Set the default value for **Highest connection speed** in the **Settings** > **Cellular & SIM** > **SIM** screen by specifying the bitmask for any combination of radio technology to be excluded from the default value. The connection speed that has not been excluded will show up as the highest connection speed. On dual SIM phones that only support up to 3G connection speeds, the **Highest connection speed** option is replaced by a 3G on/off toggle based on the per-device setting. Enter the binary setting to exclude 4G (`10000`) or 3G (`01000`).
+LTEEnabled | Select **Yes** to enable LTE, and **No** to disable LTE.
+LTEForced | Select **Yes** to force LTE.
+NetworkSuffix | To meet branding requirements for some mobile operators, you can add a suffix to the network name that is displayed on the phone. For example, you can change from ABC to ABC 3G when under 3G coverage. This feature can be applied for any radio access technology (RAT). For TD-SCDMA RAT, a 3G suffix is always appended by default, but partners can also customize this the same way as with any other RAT. In the setting name, set SYSTEMTYPE to the network type that you want to append the network name to and click **Add**:- system type 4: 2G (GSM)- system type 8: 3G (UMTS)- system type 16: LTE- system type 32: 3G (TS-SCDMA)Select the system type that you added, and enter the network name and suffix that you want displayed.
+NitzFiltering | For mobile networks that can receive Network Identity and Time Zone (NITZ) information from multiple sources, partners can set the phone to ignore the time received from an LTE network. Time received from a CDMA network is not affected. Set the value of NitzFiltering to `0x10`.
+OperatorListForExcludedSystemTypes | Enter a comma-separated list of MCC and MNC (MCC:MNC) for which system types should be restricted. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can specify the MCC and MNC of other specific operators that the main mobile operator wishes to limit. If the UICC's MCC and MNC matches any of the pairs that OEMs can specify for the operator, a specified RIL system type will be removed from the UICC regardless of its app types, slot position, or executor mapping. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. Set the value of the OperatorListForExcludedSystemTypes setting a comma separated list of MCC:MNC pairs for which the system types should be restricted. For example, the value can be set to 310:026,310:030 to restrict operators with an MCC:MNC of 310:026 and 310:030.
+OperatorPreferredForFasterRadio | Set Issuer Identification Number (IIN) or partial ICCID of preferred operator for the faster radio. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can map a partial ICCID or an Industry Identification Number (IIN) to the faster radio regardless of which SIM card is chosen for data connectivity. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To map a partial ICCID or an IIN to the faster radio regardless of which SIM card is chosen for data connectivity, set the value of OperatorPreferredForFasterRadio to match the IIN or the ICCID, up to 7 digits, of the preferred operator.
+SuggestDataRoamingARD | Use to show the data roaming suggestion dialog when roaming and the data roaming setting is set to no roaming.
+
+
+
+
+
+
+
+### RCS
+
+See descriptions in Windows Configuration Designer.
+
+
+
+
+### SMS
+
+Setting | Description
+--- | ---
+AckExpirySeconds | Set the value, in seconds, for how long to wait for a client ACK before trying to deliver.
+DefaultMCC | Set the default mobile country code (MCC).
+Encodings > GSM7BitEncodingPage | Enter the code page value for the 7-bit GSM default alphabet encoding. Values:- Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)- Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction)
+Encodings > GSM8BitEncodingPage | Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. For more information, see [Add encoding extension tables for SMS]https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/add-encoding-extension-tables-for-sms).
+Encodings > OctetEncodingPage | Set the octet (binary) encoding.
+Encodings > SendUDHNLSS | Set the 7 bit GSM shift table encoding.
+Encodings > UseASCII | Set the 7 bit ASCII encoding. Used only for CDMA carriers that use 7-bit ASCII encoding instead of GSM 7-bit encoding.
+Encodings > UseKeyboardLangague | Set whether to use the keyboard language (Portuguese, Spanish, or Turkish) based encoding (set shift table based on keyboard language).
+IncompleteMsgDeliverySeconds | Set the value, in seconds, for long to wait for all parts of multisegment Sprint messages for concatenation.
+MessageExpirySeconds | Partners can set the expiration time before the phone deletes the received parts of a long SMS message. For example, if the phone is waiting for a three-part SMS message and the first part has been received, the first part will be deleted when the time expires and the other part of the message has not arrived. If the second part of the message arrives before the time expires, the first and second parts of the message will be deleted if the last part does not arrive after the time expires. The expiration time is reset whenever the next part of the long message is received. Set MessageExpirySeconds to the number seconds that the phone should wait before deleting the received parts of a long SMS messages. This value should be in hexadecimal and must be prefixed with 0x. The default value is 0x15180, which is equivalent to 1 day or 86,400 seconds.
+SmsFragmentLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsFragmentLimit to set the maximum number of bytes in the user data body of an SMS message. You must set the value between 16 (0x10) and 140 (0x8C). You must also use SmsPageLimit to set the maximum number of segments in a concatenated SMS message.
+SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message.
+SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message.
+Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**.
+Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**.
+Type3GPP > IMS > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH.
+Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**.
+Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type.
+
+
+
+### UTK
+
+Setting | Description
+--- | ---
+UIDefaultDuration | Specifies the default time, in milliseconds, that the DISPLAY TEXT, GET INKEY, PLAY TONE, or SELECT ITEM dialog should be displayed. The default value is 60000 milliseconds (60 seconds). The valid value range is 1-120000.
+UIGetInputDuration | Specifies the default time, in milliseconds, that the GET INPUT dialog should be displayed. The default value is 120000 milliseconds (120 seconds). The valid value range is 1-120000.
+
+
+### VoLTE
+
+Setting | Description
+--- | ---
+IMSOMADMServices | Allows configuration of OMA DM Services Mask. The value is mapped directly to RIL_IMS_NW_ENABLED_FLAGS on the modem side. To configure the OMA DM services mask, set the IMSOMADMServices setting to one of the following values:- None, Flag: 0, Bitmask: 00000- OMA DM, Flag: 1, Bitmask: 00001- Voice, Flag: 2, Bitmask: 00010- Video, Flag: 4, Bitmask: 00100- EAB presence, Flag: 8, Bitmask: 01000- Enable all services, Flag: 15, Bitmask: 10000
+IMSServices | Identifies which IMS services are enabled (if any). The value is any combination of flags 1 (IMS), 2 (SMS over IMS), 4 (Voice over IMS) and 8 (Video Over IMS). Set the value for the IMSServices setting to any combination of the following flags or bitmasks:- IMS, Flag: 1, Bitmask: 0001- SMS over IMS, Flag: 2, Bitmask: 0010- Voice over IMS, Flag: 4, Bitmask: 0100Video over IMS, Flag: 8, Bitmask: 1000
+
+
+
+## Error messages for reject codes
+
+
+Reject code | Extended error message | Short error message
+--- | --- | ---
+2 (The SIM card hasn't been activated or has been deactivated) | SIM not set up MM#2 | Invalid SIM
+3 (The SIM card fails authentication or one of the identity check procedures. This can also happen due to a duplication of the TMSI across different MSCs.) | Can't verify SIM MM#3 | Invalid SIM
+6 (The device has been put on a block list, such as when the phone has been stolen or the IMEI is restricted.) | Phone not allowed MM#6 | No service
+
+
+## Values for MultivariantProvisionedSPN
+
+Set the MultivariantProvisionedSPN value to the name of the SPN or mobile operator.
+
+The following table shows the scenarios supported by this customization:
+
+>[!NOTE]
+>In the Default SIM name column:
+>
+>- The " " in MultivariantProvisionedSPN" "1234 means that there is a space between the mobile operator name or SPN and the last 4 digits of the MSISDN.
+>- MultivariantProvisionedSPN means the value that you set for the MultivariantProvisionedSPN setting.
+>- SIM 1 or SIM 2 is the default friendly name for the SIM in slot 1 or slot 2.
+
+
+Multivariant setting set?|SPN provisioned?|MSISDN (last 4 digits: 1234, for example) provisioned?|Default SIM name
+Yes|Yes|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "1234
+Yes|No|No|*MultivariantProvisionedSPN* (up to 16 characters)
+Yes|Yes|No|*MultivariantProvisionedSPN* (up to 16 characters)
+Yes|No|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "1234
+No|Yes|Yes|If SPN string >= 12: *SPN*1234If SPN string < 12: *SPN*" "1234
+No|No|No|*SIM 1* or *SIM 2*
+No|Yes|No|SPN (up to 16 characters)
+No|No|Yes|*SIM 1* or *SIM 2*
+
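Review bot: In the VoLTE table, the IMSOMADMServices row lists "Enable all services, Flag: 15, Bitmask: 10000", but 15 is 01111 in binary and 10000 is 16, so one of the two values is wrong and should be reconciled against RIL_IMS_NW_ENABLED_FLAGS. The link in the GSM8BitEncodingPage row is missing the "(" after "]" and will not render. The MultivariantProvisionedSPN table at the end has no "--- | ---" separator row under its header, unlike the other tables in this file, so it will render as plain text. Spelling to fix in the same pass: "he string" (VoLTESectionTitle), "SerialNubmer" (TargetImsi), "recepient" (both FriendlyErrorClass rows), "for long to wait" (IncompleteMsgDeliverySeconds), and "TS-SCDMA" in NetworkSuffix, where the same row says "TD-SCDMA" earlier. Please also confirm that "SimNameWithoutMSISDNENabled" and "UseKeyboardLangague" match the setting names shown in Windows Configuration Designer, since the first is spelled "SimNameWithoutMSISDNEnabled" in its own description.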
diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md
index 7ea42d279d..15ff4cbc51 100644
--- a/windows/configuration/wcd/wcd-cellular.md
+++ b/windows/configuration/wcd/wcd-cellular.md
@@ -7,21 +7,22 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Cellular (Windows Configuration Designer reference)
Use to configure settings for cellular connections.
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
## Applies to
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
-| [AccountExperienceURL](#accountexperienceurl) | X | | | | |
-| [AppID](#appid) | X | | | | |
-| [NetworkBlockList](#networkblocklist) | X | | | | |
-| [SIMBlockList](#simblocklist) | X | | | | |
+| All settings | X | | | | |
+
To begin, enter a SIM integrated circuit card identifier (**SimIccid**), and click **Add**. In the **Customizations** pane, select the SimIccid that you just entered and configure the following settings for it.
@@ -34,10 +35,27 @@ Enter the URL for the mobile operator's web page.
Enter the AppID for the mobile operator's app in Microsoft Store.
+## BrandingIcon
+
+Browse to and select an .ico file.
+
+## BrandingIconPath
+
+Enter the destination path for the BrandingIcon .ico file.
+
+## BrandingName
+
+Enter the service provider name for the mobile operator.
+
## NetworkBlockList
Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
## SIMBlockList
-Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
\ No newline at end of file
+Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
+
+
+## UseBrandingNameOnRoaming
+
+Select an option for displaying the BrandingName when the device is roaming.
\ No newline at end of file
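Review bot: The SIMBlockList line that this hunk re-adds still reads "mobile network code (MCC)", and the unchanged NetworkBlockList line has the same slip; both should say "mobile network code (MNC)" to match the "(MCC:MNC)" format that follows. The new UseBrandingNameOnRoaming section says "Select an option" without naming the options, and BrandingIconPath gives no example of a valid destination path, so a reader cannot fill either in from this page alone. The file also still ends without a trailing newline.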
diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
index 98fdd61592..a996e19cfc 100644
--- a/windows/configuration/wcd/wcd-connections.md
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Connections (Windows Configuration Designer reference)
@@ -18,10 +18,8 @@ Use to configure settings related to various types of phone connections.
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
-| [Cellular](#cellular) | X | X | X | X | |
-| [EnterpriseAPN](#enterpriseapn) | X | X | X | X | |
-| [Policies](#policies) | X | X | X | X | |
-| [Proxies](#proxies) | X | X | X | X | |
+| All settings | X | X | X | X | |
+
For each setting group:
1. In **Available customizations**, select the setting group (such as **Cellular**), enter a friendly name for the connection, and then click **Add**.
@@ -36,6 +34,10 @@ See [CM_CellularEntries configuration service provider (CSP)](https://msdn.micro
See [Configure cellular settings for tablets and PCs](https://docs.microsoft.com/windows/configuration/provisioning-apn) and
[EnterpriseAPN CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseapn-csp) for settings and values.
+## General
+
+Use **General > DataRoam** to set the default value for the **Default roaming options** option in the **Settings > cellular + SIM** area on the device. Select between **DoNotRoam**, **DomesticRoaming**, or **InternationalRoaming**.
+
## Policies
See [CMPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cmpolicy-csp) for settings and values.
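Review bot: The new General section names the UI option "Default roaming options" under "Settings > cellular + SIM", while wcd-cellcore.md in this same patch calls it "Data roaming options" under "Settings > Cellular+SIM" (IsATTSpecific row). Please confirm the label against the device UI and use one spelling across both files. It would also help to state which of DoNotRoam, DomesticRoaming, and InternationalRoaming applies when the setting is left unconfigured.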
diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
index 6f954aec14..097f2e9273 100644
--- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
+++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
@@ -1,5 +1,5 @@
---
-title: DesktopBackgrounAndColors (Windows 10)
+title: DesktopBackgroundAndColors (Windows 10)
description: This section describes the DesktopBackgrounAndColors settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
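Review bot: The title is corrected, but the description line directly below it still reads "DesktopBackgrounAndColors". Fix the front-matter description in this hunk as well so the metadata matches the new title.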
@@ -10,7 +10,7 @@ ms.author: jdecker
ms.date: 08/21/2017
---
-# DesktopBackgrounAndColors (Windows Configuration Designer reference)
+# DesktopBackgroundAndColors (Windows Configuration Designer reference)
Do not use. Instead, use the [Personalization settings](wcd-personalization.md).
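Review bot: The context line above this change shows ms.date still at 08/21/2017, while the other edited files in this patch move to 10/17/2017. If ms.date is meant to track content changes, bump it here too for consistency.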
diff --git a/windows/configuration/wcd/wcd-deviceinfo.md b/windows/configuration/wcd/wcd-deviceinfo.md
new file mode 100644
index 0000000000..28e15ade95
--- /dev/null
+++ b/windows/configuration/wcd/wcd-deviceinfo.md
@@ -0,0 +1,64 @@
+---
+title: DeviceInfo (Windows 10)
+description: This section describes the DeviceInfo settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# DeviceInfo (Windows Configuration Designer reference)
+
+Use to configure settings for DeviceInfo.
+
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+
+## PhoneMobileOperatorDisplayName
+
+Enter a friendly name for the mobile operator. This string is displayed in the support section of the **Settings > About** screen and in the ringtone list.
+
+## PhoneMobileOperatorName
+
+This setting is used for targeting phone updates. It must contain a code specified by Microsoft that corresponds to the mobile operator. These codes are provided in [Registry values for mobile operator IDs](https://msdn.microsoft.com/library/windows/hardware/dn772250.aspx). For open market phones, in which the mobile operator is not known, use the codes in [Registry values for carrier-unlocked phones](https://msdn.microsoft.com/library/windows/hardware/dn772248.aspx) instead.
+
+This string is not visible to the user.
+
+This setting must not be changed over time even if the user switches SIMs or mobile operators, as updates are always targeted based on the first mobile operator associated with the phone.
+
+The [PhoneManufacturer](https://msdn.microsoft.com/library/windows/hardware/mt138328.aspx), [PhoneManufacturerModelName](https://msdn.microsoft.com/library/windows/hardware/mt138336.aspx), and PhoneMobileOperatorName should create a unique Phone-Operator-Pairing (POP).
+
+
+
+## PhoneOEMSupportLink
+
+This should be a functional link that starts with http://. The link should be a URL that redirects to the mobile version of the web page. The content in the webpage should reflow to the screen width. This can be achieved by adding the CSS Tag `"@-ms-viewport { width: device-width; }"`.
+
+The default is an empty string (""), which means that a support link will not be displayed to the user.
+
+This setting varies by OEM.
+
+
+## PhoneSupportLink
+
+This should be a functional link that starts with http://. The link should be a URL that redirects to the mobile version of the web page. The content in the webpage should reflow to the screen width. This can be achieved by adding the CSS Tag `"@-ms-viewport { width: device-width; }"`.
+
+The default is an empty string (""), which means that a support link will not be displayed to the user.
+
+This setting varies by OEM.
+
+
+## PhoneSupportPhoneNumber
+
+Use to specify the OEM or mobile operator's support contact phone number. The country code is not required. This string is displayed in the About screen in Settings. This setting also corresponds to the Genuine Windows Phone Certificates (GWPC) support number.
+
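Review bot: PhoneOEMSupportLink and PhoneSupportLink both require a link that "starts with http://", which reads as mandating plaintext HTTP for the support link displayed to the user; state whether https:// is accepted and, if it is, say so in the wording. The two sections are also word-for-word identical, down to "This setting varies by OEM", so a reader cannot tell how the two links differ; add a sentence to each saying where the link is shown and who supplies it. `@-ms-viewport` is a CSS at-rule rather than a "CSS Tag".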
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index 297225f5a1..a37c32bee6 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -12,7 +12,7 @@ ms.date: 08/21/2017
# DeviceManagement (Windows Configuration Designer reference)
-Use to...
+Use to configure device management settings.
## Applies to
diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md
new file mode 100644
index 0000000000..cea5973633
--- /dev/null
+++ b/windows/configuration/wcd/wcd-hotspot.md
@@ -0,0 +1,116 @@
+---
+title: HotSpot (Windows 10)
+description: This section describes the HotSpot settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# HotSpot (Windows Configuration Designer reference)
+
+Use HotSpot settings to configure Internet sharing.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+>[!NOTE]
+>Although the HotSpot settings are available in advanced editing for multiple editions, the settings are only supported on devices running Windows 10 Mobile.
+
+## DedicatedConnections
+
+(Optional) Set DedicatedConnections to a semicolon-separated list of connections.
+
+Specifies the list of Connection Manager cellular connections that Internet sharing will use as public connections.
+
+By default, any available connection will be used as a public connection. However, this node allows a mobile operator to specify one or more connection names to use as public connections.
+
+Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
+
+The mapping policy will also include the connection specified in the TetheringNAIConnection value as well.
+
+ If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share.
+
+
+
+## Enabled
+
+Specify **True** to enable Internet sharing on the device or **False** to disable Internet sharing.
+
+If Enabled is initially set to **True**, the feature is turned off and the internet sharing screen is removed from Settings so that the user cannot access it. Configuration changes or connection sharing state changes will not be possible.
+
+When Enabled is set to **False**, the internet sharing screen is added to Settings, although sharing is turned off by default until the user turns it on.
+
+
+## MaxBluetoothUsers
+
+(Optional) Specify the maximum number of simultaneous Bluetooth users that can be connected to a device while sharing over Bluetooth. Set MaxBluetoothUsers to an integer value between 1 and 7 inclusive. The default value is 7.
+
+
+## MaxUsers
+
+(Optional) Specify the maximum number of simultaneous users that can be connected to a device while sharing. Set MaxUsers to an integer value between 1 and 8 inclusive. The default value is 5.
+
+
+## MOAppLink
+
+(Optional) Enter an application link that points to a pre-installed application, provided by the mobile operator. that will help a user to subscribe to the mobile operator's Internet sharing service when Internet sharing is not provisioned or entitlement fails.
+
+Set MOAppLink to a valid app ID. The general format for the link is *app://MOappGUID*. For example, if your app ID is `12345678-9012-3456-7890-123456789012`, you must set the value to `app://12345678-9012-3456-7890-123456789012`.
+
+
+## MOHelpMessage
+
+(Optional) Enter a reference to a localized string, provided by the mobile operator, that is displayed when Internet sharing is not enabled due to entitlement failure. The node takes a language-neutral registry value string, which has the following form:
+
+```
+@,-
+```
+
+Where `` is the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](https://msdn.microsoft.com/library/windows/desktop/dd374120.aspx).
+
+## MOHelpNumber
+
+(Optional) Enter a mobile operator–specified phone number that is displayed to the user when the Internet sharing service fails to start. The user interface displays a message informing the user that they can call the specified number for help.
+
+
+
+## MOInfoLink
+
+(Optional) Enter a mobile operator–specified HTTP link that is displayed to the user when Internet sharing is disabled or the device is not entitled. The user interface displays a message informing the user that they can visit the specified link for more information about how to enable the feature.
+
+## PeerlessTimeout
+
+(Optional) Enter the time-out period, in minutes, after which Internet sharing should automatically turn off if there are no active clients.
+
+Set PeerlessTimeout to any value between 1 and 120 inclusive. A value of 0 is not supported. The default value is 5 minutes.
+
+## PublicConnectionTimeout
+
+(Optional) Enter the time-out value, in minutes, after which Internet sharing is automatically turned off if a cellular connection is not available.
+
+Set PublicConnectionTimeout to any value between 1 and 60 inclusive. The default value is 20 minutes. A value of 0 is not supported.
+
+
+## TetheringNAIConnection
+
+(Optional) Specify the CDMA TetheringNAI Connection Manager cellular connection that Internet sharing will use as a public connection. Set TetheringNAIConnection to the CDMA TetheringNAI Connection Manager cellular connection.
+
+If a CDMA mobile operator requires using a Tethering NAI during Internet sharing, they must configure a TetheringNAI connection and then specify the connection in this node.
+
+Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.The mapping policy will also include the connection specified in the TetheringNAIConnection value as well.
+
+If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share.
+
+>[!NOTE]
+>CDMA phones are limited to one active data connection at a time. This means any application or service (such as e-mail or MMS) that is bound to another connection may not work while Internet sharing is turned on.
+
+
+
+
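Review bot: The Enabled section contradicts itself: its first sentence says **True** enables Internet sharing, but the next paragraph says that when Enabled is set to **True** "the feature is turned off and the internet sharing screen is removed from Settings", and the paragraph after that says **False** adds the screen. One of these has the values swapped; confirm the behaviour and make the three paragraphs agree. In MOHelpMessage the format is shown as `@,-` and explained as "Where `` is the resource dll ... and `` is the string identifier", so the placeholder names are missing, most likely angle-bracketed text that needs escaping. Smaller fixes: "provided by the mobile operator. that will help" in MOAppLink should use a comma, TetheringNAIConnection has "connections.The mapping" with no space, and the sentence "The mapping policy will also include the connection specified in the TetheringNAIConnection value as well" is redundant ("also ... as well") and circular when repeated inside the TetheringNAIConnection section.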
diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
index 871e87042c..2f2ab14958 100644
--- a/windows/configuration/wcd/wcd-messaging.md
+++ b/windows/configuration/wcd/wcd-messaging.md
@@ -7,12 +7,18 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Messaging (Windows Configuration Designer reference)
-Use for settings related to Messaging.
+Use for settings related to Messaging and Commercial Mobile Alert System (CMAS).
+
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
+>[!NOTE]
+>CMAS is now known as Wireless Emergency Alerts (WEA).
## Applies to
@@ -20,16 +26,70 @@ Use for settings related to Messaging.
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | X | | | |
-## GlobalSettings > ShowSendingStatus
+## GlobalSettings
+
+### DisplayCmasLifo
+
+Use this setting to change the order in which CMAS alert messages are displayed, from the default first in/first out (FIFO) message order to last in/first out (LIFO) message order.
+
+If the phone receives at least one CMAS alert message which has not been acknowledged by the user, and another CMAS alert message arrives on the phone, partners can configure the order in which the newly received alert messages are displayed on the phone regardless of the service category of the alert. Users will not be able to change the message order once it has been set.
+
+If partners do not specify a value for this customization, the default FIFO display order is used. Users will be able to acknowledge the messages in the reverse order they were received.
+
+When configured as **True**, you set a LIFO message order. When configured as **False**, you set a FIFO message order.
+
+### EnableCustomLineSetupDialog
+
+Enable this setting to allow custom line setup dialogs in the Messaging app.
+
+### ShowSendingStatus
+
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
Set **ShowSendingStatus** to **True** to display the sending status for SMS/MMS messages.
-## PerSimSettings > _ICCID
+### VoicemailIntercept
-Use to configure settings for each subscriber identification module (SIM) card.
+Partners can define a filter that intercepts an incoming SMS message and triggers visual voicemail synchronization. The filtered message does not appear in the user’s conversation list.
+
+A visual voicemail sync is triggered by an incoming SMS message if the following conditions are met:
+
+- The message sender value starts with the string specified in the SyncSender setting. The length of the specified values must be greater than 3 characters but less than 75 characters.
+
+- The body of the message starts with the string specified in the SyncPrefix setting. The length of the specified values must be greater than 3 characters but less than 75 characters.
+
+- Visual voicemail is configured and enabled. For more information, see [Visual voicemail](https://msdn.microsoft.com/library/windows/hardware/dn790032.aspx).
+
+>[!NOTE]
+>These settings are atomic, so both SyncSender and SyncPrefix must be set.
+>
+>The SyncSender and SyncPrefix values vary for each mobile operator, so you must work with your mobile operators to obtain the correct or required values.
+
+Setting | Description
+--- | ---
+SyncPrefix | Specify a value for SyncPrefix that is greater than 3 characters but less than 75 characters in length. For networks that support it, this value can be the keyword for the SMS notification.
+SyncSender | Specify a value for SyncSender that is greater than 3 characters but less than 75 characters in length. For networks that support it, this value can be a short code of the mailbox server that sends a standard SMS notification.
+
+
+
+## PerSimSettings
+
+Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click **Add**, and then configure the folowing settings.
+
+### AllowMmsIfDataIsOff
+
+Setting | Description
+--- | ---
+AllowMmsIfDataIsOff | **True** allows MMS if data is off
+AllowMmsIfDataIsOffSupported | **True** shows the toggle for allowing MMS if data is turned off
+AllowMmsIfDataIsOffWhileRoaming | **True** allows MMS if data is off while roaming
### AllowSelectAllContacts
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
Set to **True** to show the select all contacts/unselect all menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks.
Windows 10 Mobile supports the following select multiple recipients features:
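Review bot: In DisplayCmasLifo, the paragraph about the default says "the default FIFO display order is used" and then "Users will be able to acknowledge the messages in the reverse order they were received", which describes LIFO rather than FIFO; confirm which order applies when no value is set and reword the second sentence to match. In PerSimSettings, "folowing" should be "following". The `### AllowMmsIfDataIsOff` table has no introductory sentence, unlike the other setting groups added in this hunk, and its rows omit what **False** does.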
@@ -55,31 +115,106 @@ Specify whether MMS messages are automatically downloaded.
| AutomaticallyDownload | **True** sets the **Automatically download MMS** toggle to **On** |
| ShowAutomaticallyDownloadMMSToggle | **True** shows the **Automatically download MMS** toggle, and **False** hides the toggle |
+
### DefaultContentLocationUrl
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification.
Set **DefaultContentLocationUrl** to specify the default GET path within the MMSC.
### ErrorCodeEnabled
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem.
Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed.
+### EmergencyAlertOptions
-### ImsiAuthenticationToken
+Configure settings for CMAS alerts.
+
+Setting | Description
+--- | ---
+CmasAMBERAlertEnabled | **True** enables the device to receive AMBER alerts
+CmasExtremeAlertEnabled | **True** enables the device to receive extreme alerts
+CmasSevereAlertEnabled | **True** enables the device to receive severe alerts
+EmOperatorEnabled | Select which Emergency Alerts Settings page is displayed from dropdown menu
+SevereAlertDependentOnExtremeAlert | When set as **True**, the CMAS-Extreme alert option must be on to modify CMAS-Severe alert option
+
+
+### General
+
+Setting | Description
+--- | ---
+AllowSelectAllContacts | Set to **True** to show the **select all contacts/unselect all** menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks. Windows 10 Mobile supports the following select multiple recipients features:- A multi-select chooser, which enables users to choose multiple contacts.- A **select all contacts/unselect all** menu option, which enables users to select or unselect all their contacts. This option is not shown by default and must be enabled by the OEM.
+AllowSMStoSMTPAddress | Allow SMS to SMTP address.
+AssistedDialingMcc | By setting AssistedDialingMcc and AssistedDialingMnc, international assisted dialing will be enabled for SMS if the user setting for international assisted dialing is enabled. Enter the Mobile Country Code (MCC) to use for sending SMS.
+AssistedDialingMnc | By setting AssistedDialingMcc and AssistedDialingMnc, international assisted dialing will be enabled for SMS if the user setting for international assisted dialing is enabled. Enter the Mobile Network Code (MNC) to use for sending SMS.
+AssistedDialingPlusCodeSupportOverride | For devices that support IMS over SMS, you can override support for the assisted dialing plus (+) code for SMS by setting AssistedDialingPlusCodeSupportOverride. If enabled, the OS will not convert the plus (+) code to the proper assisted number when the user turns on the dialing assist option.
+AutoRetryDownload | You can configure the messaging app to automatically retry downloading an MMS message if the initial download attempt fails. When this customization is enabled, the download is retried 3 times at 20-, 40-, and 60-second intervals.
+BroadcastChannels | You can specify one or more ports from which the device will accept cellular broadcast messages. Set the BroadcastChannels value to the port number(s) that can accept cellular broadcast messages. If you specify the same port that Windows 10 Mobile already recognizes as an Emergency Alert port (a CMAS or ETWS port number) and a cell broadcast message is received on that port, the user will only receive the message once. The message that is received will be displayed as an Emergency Alert message.
+ConvertLongSMStoMMS | For networks that do support MMS and do not support segmentation of SMS messages, you can specify an automatic switch from SMS to MMS for long messages.
+DefaultContentLocationUrl | For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification. Set DefaultContentLocationUrl to specify the default GET path within the MMSC.
+ErrorCodeEnabled | You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem. Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed.
+HideMediumSIPopups | By default, when a service indication message is received with a signal-medium or signal-high setting, the phone interrupts and shows the user prompt for these messages. However, you can hide the user prompts for signal-medium messages.
+ImsiAuthenticationToken | Configure whether MMS messages include the IMSI in the GET and POST header. Set ImsiAuthenticationToken to the token used as the header for authentication. The string value should match the IMSI provided by the UICC.
+LimitRecipients | Set the maximum number of recipients to which a single SMS or MMS message can be sent. Enter a number between 1 and 500 to limit the maximum number of recipients.
+MaxRetryCount | You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent. Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3.
+MMSLimitAttachments | You can specify the maximum number of attachments for MMS messages, from 1 to 20. The default is 5.
+RetrySize | For MMS messages that have photo attachments and that fail to send, you can choose to automatically resize the photo and attempt to resend the message. Specify the maximum size to use to resize the photo in KB. Minimum is 0xA (10 KB).
+SetCacheControlNoTransform | When set, proxies and transcoders are instructed not to change the HTTP header and the content should not be modified. A value of 1 or 0x1 adds support for the HTTP header Cache-Control No-Transform directive. When the SetCacheControlNoTransform``Value is set to 0 or 0x0 or when the setting is not set, the default HTTP header Cache-Control No-Cache directive is used.
+ShowRequiredMonthlyTest | **True** enables devices to receive CMAS Required Monthly Test (RMT) messages and have these show up on the device. **False** disables devices from receiving CMAS RMT messages.
+SmscPanelDisabled | **True** disables the short message service center (SMSC) panel.
+SMStoSMTPShortCode | Use to configure SMS messages to be sent to email addresses and phone numbers. `0` disables sending SMS messages to SMTP addresses. `1` enables sending SMS messages to SMTP addresses.
+TargetVideoFormat | You can specify the transcoding to use for video files sent as attachments in MMS messages. Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:- 0 or 0x0 Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS.- 1 or 0x1 Sets the transcoding to H.264 + AAC + 3GP.- 2 or 0x2 Sets the transcoding to H.263 + AMR.NB + 3GP.- 3 or 0x3 Sets the transcoding to MPEG4 + AMR.NB + 3GP.
+UAProf | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. There are two ways to correlate a user agent profile with a given phone:- You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified.- Alternatively, you can directly set the URI of the user agent profile on the phone.Set UAProf to the full URI of your user agent profile file. Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting UAProfToken to either `x-wap-profile` or `profile`.
+UAProfToken | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
+UseDefaultAddress | By default, the MMS transport sends an acknowledgement to the provisioned MMS application server (MMSC). However, on some networks, the correct server to use is sent as a URL in the MMS message. In that case, a registry key must be set, or else the acknowledgement will not be received and the server will continue to send duplicate messages. **True** enables some networks to correctly acknowledge MMS messages. **False** disables the feature.
+UserAgentString | Set UserAgentString to the new user agent string for MMS in its entirely. By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone.
+UseUTF8ForUnspecifiedCharset | Some incoming MMS messages may not specify a character encoding. To properly decode MMS messages that do not specify a character encoding, you can set UTF-8 to decode the message.
+WapPushTechnology | For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values. `1` or `0x1` enables MMS messages to have some of their content truncated. `0` or `0x0` disables MMS messages from being truncated
+
+## ImsiAuthenticationToken
+
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
Configure whether MMS messages include the IMSI in the GET and POST header.
Set **ImsiAuthenticationToken** to the token used as the header for authentication. The string value should match the IMSI provided by the UICC.
+
+### LatAlertOptions
+
+Enable `LatLocalAlertEnabled` to enable support for LAT-Alert Local Alerts for devices sold in Chile. For more information, see [Emergency notifications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/emergency-notifications).
+
### MaxRetryCount
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent.
Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3.
+### MMSGroupText
+
+Set options for group messages sent to multiple people.
+
+Setting | Description
+--- | ---
+MMSGroupText | **True** enables group messages to multiple people sent as MMS.
+ShowMMSGroupTextUI | **True** shows the toggle for group text in messaging settings.
+ShowMmsGroupTextWarning | **True** shows the warning that alerts users of possible additional charges before sending a group text as MMS.
+
+### NIAlertOptions
+
+Enable `NI2AlertEnabled` to enable support for the Netherlands Announcements for devices sold in the Netherlands. For more information, see [Emergency notifications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/emergency-notifications).
### RcsOptions
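Review bot: `## ImsiAuthenticationToken` is promoted from `###` to `##` in this hunk while the sections around it (`### General`, `### LatAlertOptions`, `### MaxRetryCount`) stay at level three, so everything after it nests under ImsiAuthenticationToken instead of PerSimSettings; keep it at `###`. In the General table, the SetCacheControlNoTransform row has stray backticks in "SetCacheControlNoTransform``Value", the AllowSelectAllContacts, TargetVideoFormat and UAProf cells carry bullet lists flattened into inline "- " runs that will not render as lists inside a table cell, and the UserAgentString row says "in its entirely" and refers to "the italicized text" although nothing in the format string is italicized. The table also repeats the text of settings that the same hunk marks as "removed in Windows 10, version 1709" under their own headings (DefaultContentLocationUrl, ErrorCodeEnabled, ImsiAuthenticationToken, MaxRetryCount); say in one sentence that these moved into General so the two statements do not read as conflicting.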
@@ -103,8 +238,18 @@ Set options related to MMS message notifications. You can specify whether users
| RequestDeliveryReportIsSupported | **True** shows the toggle for MMS delivery confirmation, and **False** hides the toggle. |
+### SMSDeliveryNotify
+
+Setting | Description
+--- | ---
+DeliveryNotifySupported | Set to **True** to enable SMS delivery confirmation.
+SMSDeliveryNotify | Set to **True** to toggle SMS delivery confirmation.
+
### TargetVideoFormat
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can specify the transcoding to use for video files sent as attachments in MMS messages.
Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:
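Review bot: The two rows of the new SMSDeliveryNotify table do not say how the settings differ: DeliveryNotifySupported is "Set to **True** to enable SMS delivery confirmation" and SMSDeliveryNotify is "Set to **True** to toggle SMS delivery confirmation". The MMS row just above uses "**True** shows the toggle for MMS delivery confirmation, and **False** hides the toggle"; if DeliveryNotifySupported controls whether the toggle is shown and SMSDeliveryNotify controls its state, use the same wording here and state what **False** does for each.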
@@ -119,6 +264,9 @@ Set TargetVideoFormat to one of the following values to configure the default tr
### UAProf
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
There are two ways to correlate a user agent profile with a given phone:
@@ -130,6 +278,9 @@ Set **UAProf** to the full URI of your user agent profile file. Optionally, you
### UAProfToken
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
Optionally, in addition to specifying **UAProf**, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`.
@@ -137,6 +288,9 @@ Optionally, in addition to specifying **UAProf**, you can also specify the custo
### UserAgentString
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
Set **UserAgentString** to the new user agent string for MMS in its entirely.
By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone.
@@ -147,16 +301,17 @@ By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber
| Setting | Description |
| --- | --- |
| ADDR | Specify the absolute MMSC URL. The possible values to configure the ADDR parameter are:- A Uniform Resource Identifier (URI)- An IPv4 address represented in decimal format with dots as delimiters- A fully qualified Internet domain name |
-| APPID | Set to `w4` |
+| APPID | Set to `w4`. |
| MS | (optional) Specify the maximum size of MMS, in KB. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. |
| NAME | (optional) Enter user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. The possible values to configure the **NAME** parameter are:- Character string containing the name- no value specifiedIf no value is specified, the registry location will default to . If **NAME** is greater than 40 characters, it will be truncated to 40 characters. |
| TONAPID | Specify the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/napdef-csp). |
| TOPROXY | Specify one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy. |
-
-
### WapPushTechnology
+>[!NOTE]
+>These settings are removed in Windows 10, version 1709.
+
For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values.
| Value | Description |
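Review bot: The note added under `### WapPushTechnology` reads "These settings are removed in Windows 10, version 1709", while every other note added in this file uses "This setting is removed" for a single heading; if the note is meant to cover more than WapPushTechnology, name the settings, otherwise use the singular. While this table is being edited for the APPID period, the NAME row still says "the registry location will default to ." with the default value missing, and its value list is flattened into "- Character string containing the name- no value specifiedIf no value is specified"; both are worth fixing in the same change.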
@@ -167,5 +322,4 @@ For networks that require non-standard handling of single-segment incoming MMS W
## Related topics
-
-- [w4 APPLICATION CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/w4-application-csp)
\ No newline at end of file
+ - [Customizations for SMS and MMS](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/customizations-for-sms-and-mms)
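Review bot: The Related topics change removes the w4 APPLICATION CSP link, but the page still documents the `w4` APPLICATION parameters (ADDR, APPID, MS, NAME, TONAPID, TOPROXY), so readers lose the reference for them; keep that link and add the Customizations for SMS and MMS link alongside it. The new bullet also starts with a leading space (" - [Customizations ...") where the removed one did not; drop the space to match the rest of the file, and end the file with a newline.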
diff --git a/windows/configuration/wcd/wcd-modemconfigurations.md b/windows/configuration/wcd/wcd-modemconfigurations.md
index 98bae12f8b..eb663dfd65 100644
--- a/windows/configuration/wcd/wcd-modemconfigurations.md
+++ b/windows/configuration/wcd/wcd-modemconfigurations.md
@@ -7,12 +7,12 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# ModemConfiguration (Windows Configuration Designer reference)
-Documentation not available at this time.
+ModemConfiguration settings are removed in Windows 10, version 1709.
## Applies to
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index f672b70b05..2cef9b94d5 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Policies (Windows Configuration Designer reference)
@@ -43,8 +43,8 @@ This section describes the **Policies** settings that you can configure in [prov
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Windows Store apps are allowed | X | X | | | |
-| [AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Windows Store is allowed | X | X | | | |
+| [AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | X | X | | | |
+| [AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | X | X | | | |
| [AllowDeveloperUnlock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X |
| [AllowGameDVR](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | |
| [AllowSharedUserAppData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | |
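Review bot: In the AllowAllTrustedApps row, the replacement text "non-Microsoft Store apps" can be read as Store apps from publishers other than Microsoft, whereas the original "non-Windows Store apps" meant apps that do not come from the Store. Because this row describes whether apps from outside the Store may be installed, the wording should be unambiguous, for example "Whether apps from outside Microsoft Store are allowed".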
@@ -76,9 +76,9 @@ This section describes the **Policies** settings that you can configure in [prov
| --- | --- | :---: | :---: | :---: | :---: | :---: |
| [AllowAdvertising](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X |
| [AllowDiscoverableMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X |
-| [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | X | X |
-| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X |
-| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | | | |
+| [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | | X |
+| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | | X |
+| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | | X | |
## Browser
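Review bot: The HoloLens column changes in the Bluetooth table look inconsistent: AllowPrepairing and LocalDeviceName lose their HoloLens mark, while ServicesAllowedList gains one although it remains unmarked for Surface Hub and IoT Core. Please confirm against the Policy CSP that ServicesAllowedList is the only one of the three supported on HoloLens, since a mark placed one cell off would produce the same pattern.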
@@ -104,7 +104,7 @@ This section describes the **Policies** settings that you can configure in [prov
| [ConfigureAdditionalSearchEngines](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. | X | X | X | | |
| [DisableLockdownOfStartPages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | |
| [EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | |
-| EnterpriseSiteListServiceUrl | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | |
+| [EnterpriseSiteListServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | |
| [FirstRunURL](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | | X | | | |
| [HomePages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | |
| [PreventAccessToAboutFlagsInMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | |
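Review bot: The EnterpriseSiteListServiceUrl row now links the setting name to docs.microsoft.com, while the replacement policy referenced in the same cell and every neighbouring row still link to msdn.microsoft.com. Use one link base within the table so the rows do not diverge as the older URLs are retired. Since the row describes a policy deprecated in version 1511, also check that the new anchor resolves to a live entry.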
@@ -130,7 +130,7 @@ This section describes the **Policies** settings that you can configure in [prov
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowBluetooth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | | |
+| [AllowBluetooth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | X | |
| [AllowCellularData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | X | X | X | | |
| [AllowCellularDataRoaming](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | X | X | X | | |
| [AllowConnectedDevices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | |
@@ -141,6 +141,12 @@ This section describes the **Policies** settings that you can configure in [prov
| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | |
| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | X | X | X | | |
+## CredentialProviders
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+[DisableAutomaticReDeploymentCredentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | X | | | | |
+
## Cryptography
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
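Review bot: The DisableAutomaticReDeploymentCredentials row is missing the leading pipe that the header row and the other tables in this file use, and its link has no policy anchor. Start the row with a pipe and link to the specific policy. The description also contains the typo "the devices are for ready for use" and reads "allows admin to"; it would be clearer trimmed to what the setting itself does, which is hide the credential provider that triggers the refresh, with the feature background left to the linked page.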
@@ -200,6 +206,11 @@ This section describes the **Policies** settings that you can configure in [prov
| [DOMonthlyUploadDataCap](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | X | | | | |
| [DOPercentageMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
+## DeviceGuard
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+[EnableVirtualizationBasedSecurity](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | X | | | | |
## DeviceLock
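Review bot: The EnableVirtualizationBasedSecurity row is missing the leading pipe, and no blank line separates the new table from ## DeviceLock, unlike the CredentialProviders section added earlier in this patch, which ends with one. Add both. In the description, put a space in "security(VBS)" and capitalize the second sentence, which currently begins "virtualization based security uses".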
@@ -238,18 +249,24 @@ This section describes the **Policies** settings that you can configure in [prov
| [AllowManualMDMUnenrollment](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | | |
| [AllowScreenCapture](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | |
| [AllowSIMErrorDialogPromptWhenNoSIM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | |
-| [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | | | | |
+| [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | X | | | |
| [AllowTailoredExperiencesWithDiagnosticData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | |
| [AllowTaskSwitcher](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | X | | | |
| [AllowThirdPartySuggestionsInWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | X | | | | |
| [AllowVoiceRecording](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | |
-| [AllowWindowsConsumerFeatures](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | |
+| [AllowWindowsConsumerFeatures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | |
| [AllowWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | |
| [AllowWindowsSpotlightOnActionCenter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | |
| [AllowWindowsSpotlightWindowsWelcomeExperience](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | |
| [AllowWindowsTips](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | X | | | | |
| [ConfigureWindowsSpotlightOnLockScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | X | | | | |
+## ExploitGuard
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | X | X | | | |
+
## Games
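Review bot: The AllowWindowsConsumerFeatures row is rewritten for the link change but still carries the typo "Start suggetions"; fix it while the line is being touched. In the new ExploitGuard table, the setting name and the "explanation of ExploitProtectionSettings" text point at the same URL with no anchor, so the second link adds nothing. The description allows a local, UNC, or URI path to the mitigation options config without saying anything about who can modify that location; a sentence advising that the XML be hosted where only administrators can write to it would be a useful addition.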
@@ -310,27 +327,29 @@ This section describes the **Policies** settings that you can configure in [prov
| [AllowDataSense](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | |
| [AllowVPN](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | | |
| [ConfigureTaskbarCalendar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | |
+[PageVisiblityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | X | | | | |
## Start
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| AllowPinnedFolderDocuments | Control the visibility of the Documents shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderDownloads | Control the visibility of the Downloadds shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderFileExplorer | Control the visibility of the File Explorer shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderHomeGroup | Control the visibility of the Home Group shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderMusic | Control the visibility of the Music shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderNetwork | Control the visibility of the Network shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderPersonalFolder | Control the visibility of the Personal Folder shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderPictures | Control the visibility of the Pictures shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderSettings | Control the visibility of the Settings shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderVideos |Control the visibility of the Videos shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderDocuments](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderDownloads](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloadds shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderFileExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderHomeGroup](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderMusic](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderPersonalFolder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderPictures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderVideos](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | X | | | | |
| [ForceStartSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | |
| [HideAppList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | |
| [HideChangeAccountSettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | |
| [HideFrequentlyUsedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | X | | | | |
| [HideHibernate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | |
| [HideLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | |
+| HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | X | | | | |
| [HidePowerButton](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | |
| [HideRecentJumplists](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | |
| [HideRecentlyAddedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | |
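Review bot: The new Settings row spells the link text "PageVisiblityList" while its own URL anchor reads settings-pagevisibilitylist; correct the name to PageVisibilityList so it matches the policy. The row also lacks the leading pipe used by the rows above it. In the Start table, the AllowPinnedFolderDownloads line is rewritten but keeps "Downloadds", and HidePeopleBar is the only setting added in this hunk without a link.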
@@ -356,6 +375,7 @@ This section describes the **Policies** settings that you can configure in [prov
| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and useage telemetry data. | X | X | | | |
| [AllowUserToResetPhone](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | |
| [DisableOneDriveFileSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | |
+| [LimitEnhancedDiagnosticDataWindowsAnalytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | |
## TextInput
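Review bot: The LimitEnhancedDiagnosticDataWindowsAnalytics description puts a full paragraph into one table cell, which buries the operative requirement that this policy must be enabled together with Allow Telemetry at level 2 (Enhanced). Keep the first two sentences in the cell and leave the remaining behaviour to the linked Policy CSP entry. The statement that leaving this policy unconfigured at the Enhanced level sends additional telemetry is the part an administrator most needs to see, so if anything else is kept it should be that sentence.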
@@ -390,25 +410,35 @@ This section describes the **Policies** settings that you can configure in [prov
| --- | --- | :---: | :---: | :---: | :---: | :---: |
| [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X |
| [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | X | X |
-| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X |
+| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | X | X |
| [AllowautoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
+| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | X | X |
| [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X |
| [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | X | X |
-| [AllowUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. | X | X | X | X | X |
-| AutoRestartDeadlinePeriodInDays | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | X | X |
+| [AllowUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X |
+| [AutoRestartDeadlinePeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | X | X |
| [AutoRestartNotificationSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | X | X |
| [AutoRestartRequiredNotificationDismissal](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | X | X |
| [BranchReadinessLevel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X |
| [DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | X | X |
| [DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | X | X |
+| [DeferUpdatePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | X | X | X | X | X |
+| [DeferUpgradePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) |Specify upgrade delays for up to 8 months. | X | X | X | X | X |
| [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X |
+| [DisableDualScan](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | X | X | X | X | X |
| [EngagedRestartDeadline](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | X | X |
| [EngagedRestartSnoozeSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | X | X |
| [EngagedRestartTransitionSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | X | X |
| [FillEmptyContentUrls](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | X | X |
+| ManagePreviewBuilds | Use to enable or disable preview builds. | X | X | X | X | X |
| PhoneUpdateRestrictions | Deprecated | | X | | | |
| [RequireDeferUpgrade](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X |
| [ScheduledInstallDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X |
+| [ScheduledInstallEveryWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | X | X | X | X | X |
+| [ScheduledInstallFirstWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | X | X | X | X | X |
+| [ScheduledInstallFourthWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | X | X | X | X | X |
+| [ScheduledInstallSecondWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | X | X | X | X | X |
+| [ScheduledInstallThirdWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | X | X | X | X | X |
| [ScheduledInstallTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X |
| [ScheduleImminentRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | X | X ||
| [ScheduleRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | X | X |
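Review bot: In the four added rows ScheduledInstallFirstWeek through ScheduledInstallFourthWeek the description reads "see the value as `1`", which looks like a typo for "set the value as `1`" as used in the ScheduledInstallEveryWeek row directly above; please correct all four. The added ManagePreviewBuilds row is also the only new entry without a link to its policy CSP anchor, and the DeferUpgradePeriod row is missing the space after the second pipe.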
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index a22b949f8b..0cdf6b108d 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -60,4 +60,4 @@ Use these settings to configure policies for shared PC mode.
- [Set up shared or guest PC](../set-up-shared-or-guest-pc.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=wcd-sharedpc.md).
\ No newline at end of file
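Review bot: The replacement Feedback Hub line still ends with "\ No newline at end of file"; since the line is being rewritten anyway, add the trailing newline so a later append does not show up as a modification of this line. The new URI also hardcodes `topic=wcd-sharedpc.md`, so it has to be kept in step with the file name if the file is ever renamed.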
diff --git a/windows/configuration/wcd/wcd-textinput.md b/windows/configuration/wcd/wcd-textinput.md
new file mode 100644
index 0000000000..f6f910591d
--- /dev/null
+++ b/windows/configuration/wcd/wcd-textinput.md
@@ -0,0 +1,206 @@
+---
+title: TextInput (Windows 10)
+description: This section describes the TextInput settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# TextInput (Windows Configuration Designer reference)
+
+Use TextInput settings to configure text intelligence and keyboard for mobile devices.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| Intelligence > DisablePredictions | | X | | | |
+| PreEnabledKeyboard | | X | | | |
+
+## Intelligence
+
+Set **DisablePredictions** to the locale or alternative input language that must have the text intelligence features disabled. For example, to disable text correction and suggestions for English (UK), set the value of **DisablePredictions** to `en-gb`.
+
+## PreEnabledKeyboard
+
+In addition to the automatically-enabled default keyboard, OEMs may choose to pre-enable more keyboards for a particular market.
+
+During phone bring-up, OEMs must set the boot locale, or default locale, for the phone. During first boot, Windows Phone reads the locale setting and automatically enables a default keyboard based on the locale to keyboard mapping table in Set languages and locales.
+
+The mapping works for almost all regions and additional customizations are not needed unless specified in the pre-enabled keyboard column in Set languages and locales. If an OEM chooses to pre-enable more keyboards for a particular market, they can do so by specifying the setting. Pre-enabled keyboards will automatically be enabled during boot. Microsoft recommends that partners limit the number of pre-enabled keyboards to those languages that correspond to the languages spoken within the market.
+
+
+PreEnabledKeyboard must be entered once for each keyboard you want to pre-enable. As shown below, the format to specify a particular keyboard must be: Locale code.Locale value. See the following table for more information on the locale codes and values that you can use. The setting Value must be set to 1 to enable the keyboard.
+
+The following table shows the values that you can use for the Locale code.Locale value part of the setting name.
+
+>[!NOTE]
+>The keyboards for some locales require additional language model files: am-ET, bn-IN, gu-IN, hi-IN, ja-JP, kn-IN, ko-KR, ml-IN, mr-IN, my-MM, or-IN, pa-IN, si-LK, ta-IN, te-IN, zh-TW, zh-CN, and zh-HK.
+
+
+Name | Locale code | Keyboard layout value
+--- | --- | ---
+Afrikaans (South Africa) | af-ZA | 1
+Albanian | sq-AL | 1
+Amharic | am-ET | 1
+Arabic | ar-SA | 1
+Armenian | hy-AM | 1
+Assamese - INSCRIPT | as-IN | 1
+Azerbaijani (Cyrillic) | az-Cyrl-AZ | 1
+Azerbaijani (Latin) | az-Latn-AZ | 1
+Bangla (Bangladesh) - 49 key | bn-BD | 1
+Bangla (India) - INSCRIPT |bn-IN|1
+Bangla (India) - Phonetic|bn-IN|2
+Bashkir|ba-RU|1
+Basque|eu-ES|1
+Belarusian|be-BY|1
+Bosnian (Cyrillic)|bs-Cyrl-BA|1
+Bosnian (Latin)|bs-Latn-BA|1
+Bulgarian|bg-BG|1
+Catalan|ca-ES|1
+Central Kurdish|ku-Arab-IQ|1
+Cherokee|chr-Cher-US|1
+Chinese Simplified QWERTY|zh-CN|1
+Chinese Simplified - 12-key|zh-CN|2
+Chinese Simplified - Handwriting|zh-CN|3
+Chinese Simplified - Stroke|zh-CN|4
+Chinese Traditional (Hong Kong SAR) - Cangjie|zh-HK|1
+Chinese Traditional (Hong Kong SAR) - Quick|zh-HK|2
+Chinese Traditional (Hong Kong SAR) - Stroke|zh-HK|3
+Chinese Traditional (Taiwan) - BoPoMoFo|zh-TW|1
+Chinese Traditional (Taiwan) - Handwriting|zh-TW|2
+Croatian|hr-HR|1
+Czech|cs-CZ|1
+Danish|da-DK|1
+Divehi|dv-MV|1
+Dutch (Belgium)|nl-BE|1
+Dutch (Netherlands)|nl-NL|1
+Dzongkha|dz-BT|1
+English (Australia)|en-AU|1
+English (Canada)|en-CA|1
+English (India)|en-IN|1
+English (Ireland)|en-IE|1
+English (United Kingdom)|en-GB|1
+English (United States)|en-US|1
+Estonian|et-EE|1
+Faroese|fo-FO|1
+Filipino|fil-PH|1
+Finnish|fi-FI|1
+French (Belgium)|fr-BE|1
+French (Canada)|fr-CA|1
+French (France)|fr-FR|1
+French (Switzerland)|fr-CH|1
+Galician|gl-ES|1
+Georgian|ka-GE|1
+German (Germany)|de-DE|1
+German (Switzerland)|de-CH|1
+Greek|el-GR|1
+Greenlandic|kl-GL|1
+Guarani|gn-PY|1
+Gujarati - INSCRIPT|gu-IN|1
+Gujarati - Phonetic|gu-IN|2
+Hausa|ha-Latn-NG|1
+Hebrew|he-IL|1
+Hindi - 37-key|hi-IN|1
+Hindi - INSCRIPT|hi-IN|3
+Hindi - Phonetic|hi-IN|2
+Hinglish|hi-Latn|1
+Hungarian|hu-HU|1
+Icelandic|is-IS|1
+Igbo|ig-NG|1
+Indonesian|id-ID|1
+Inuktitut - Latin|iu-Latn-CA|1
+Irish|ga-IE|1
+Italian|it-IT|1
+Japanese - 12-key|ja-JP|1
+Japanese - QWERTY|ja-JP|2
+Kannada - INSCRIPT|kn-IN|1
+Kannada - Phonetic|kn-IN|2
+Kazakh|kk-KZ|1
+Khmer|km-KH|1
+Kinyarwanda|rw-RW|1
+Kiswahili|sw-KE|1
+Konkani|kok-IN|1
+Korean - 12-key Chunjiin|ko-KR|2
+Korean - 12-key Naratgeul|ko-KR|3
+Korean - 12-key Sky|ko-KR|4
+Korean - QWERTY|ko-KR|1
+Kyrgyz|ky-KG|1
+Lao|lo-LA|1
+Latvian|lv-LV|1
+Lithuanian|lt-LT|1
+Luxembourgish|lb-LU|1
+Macedonian|mk-MK|1
+Malay (Brunei Darussalam)|ms-BN|1
+Malay (Malaysia)|ms-MY|1
+Malayalam - INSCRIPT|ml-IN|1
+Malayalam - Phonetic|ml-IN|2
+Maltese|mt-MT|1
+Maori|mi-NZ|1
+Marathi - INSCRIPT|mr-IN|1
+Marathi - Phonetic|mr-IN|2
+Mongolian - Cyrillic|mn-MN|1
+Mongolian - Traditional Mongolian|mn-Mong-CN|1
+Myanmar|my-MM|1
+Nepali|ne-NP|1
+Norwegian - Bokmal|nb-NO|1
+Norwegian - Nynorsk|ny-NO|1
+Odia - INSCRIPT|or-IN|1
+Odia - Phonetic|or-IN|2
+Pashto|ps-AF|1
+Persian|fa-IR|1
+Polish|pl-PL|1
+Portuguese (Brazil)|pt-BR|1
+Portuguese (Portugal)|pt-PT|1
+Punjabi - INSCRIPT|pa-IN|1
+Punjabi - Phonetic|pa-IN|2
+Romanian|ro-RO|1
+Romansh|rm-CH|1
+Russian|ru-RU|1
+Sakha|sah-RU|1
+Sami, Northern (Norway)|se-NO|1
+Sami, Northern (Sweden)|se-NO|1
+Scottish Gaelic|gd-GB|1
+Serbian - Cyrillic|sr-Cyrl-RS|1
+Serbian - Latin|sr-Latn-RS|1
+Sesotho sa Leboa|nso-ZA|1
+Setswana|tn-ZA|1
+Sinhala|si-LK|1
+Slovak|sk-SK|1
+Slovenian|sl-SI|1
+Sorbian, Upper|hsb-DE|1
+Spanish (Mexico)|es-MX|1
+Spanish (Spain)|es-ES|1
+Swedish|sv-SE|1
+Syriac|syr-SY|1
+Tajik|tg-Cyrl-TJ|1
+Tamazight (Central Atlas) - Tifinagh|tzm-Tfng-MA|1
+Tamazight (Central Atlas) - Latin|tzm-Latn-DZ|1
+Tamil - INSCRIPT|ta-IN|1
+Tamil - Phonetic|ta-IN|2
+Tatar|tt-RU|1
+Telugu - INSCRIPT|te-IN|1
+Telugu - Phonetic|te-IN|2
+Thai|th-TH|1
+Tibetan|bo-CN|1
+Turkish|tr-TR|1
+Turkmen|tk-TM|1
+Ukrainian|uk-UA|1
+Urdu|ur-PK|1
+Uyghur|ug-CN|1
+Uzbek - Cyrillic|uz-Cyrl-UZ|1
+Uzbek - Latin|uz-Latn-UZ|1
+Valencian|ca-ES-valencia|1
+Vietnamese - QWERTY|vi-VN|1
+Vietnamese - TELEX|vi-VN|2
+Vietnamese - VNI|vi-VN|3
+Welsh|cy-GB|1
+Wolof|N/A|1
+Xhosa|xh-ZA|1
+Yoruba|yo-NG|1
+Zulu|zu-ZA|1
+
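Review bot: In the keyboard table, "Sami, Northern (Sweden)" carries the same locale code as the Norway row (`se-NO`) and "Norwegian - Nynorsk" uses `ny-NO`; these look like they should be `se-SE` and `nn-NO`, so please verify both against the source list, since the code becomes part of the setting name. The Wolof row has `N/A` as its locale code, which cannot be used in the "Locale code.Locale value" format, so either supply the code or drop the row. The PreEnabledKeyboard paragraph says "As shown below" but no example setting name follows, and it calls the second part "Locale value" while the table column is "Keyboard layout value"; add one concrete example and settle on one term. The DisablePredictions example uses `en-gb` while the table uses `en-GB`; state whether case matters.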
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index 50f88c2fdc..e5fde4a704 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# UniversalAppInstall (reference)
@@ -24,6 +24,7 @@ Use UniversalAppInstall settings to install Windows apps from the Microsoft Stor
| --- | :---: | :---: | :---: | :---: | :---: |
| [DeviceContextApp](#devicecontextapp) | X | | X | | |
| [DeviceContextAppLicense](#devicecontextapplicense) | X | | X | | |
+| [StoreInstall](#storeinstall) | X | X | X | X | X |
| [UserContextApp](#usercontextapp) | X | X | X | X | X |
| [UserContextAppLicense](#usercontextapplicense) | X | X | X | X | X |
@@ -55,6 +56,19 @@ Use to specify the license file for the provisioned app.
2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file.
+## StoreInstall
+
+Use to install an app from the Microsoft Store for Business.
+
+1. Enter a package family name, and then click **Add**.
+2. Configure the following required settings for the app package.
+
+Setting | Description
+--- | ---
+Flags | Description not available at this time.
+ProductID | Enter the product ID. [Learn how to find the product ID.](https://docs.microsoft.com/microsoft-store/microsoft-store-for-business-education-powershell-module#view-items-in-products-and-services)
+SkuID | Enter the SKU ID. [Learn how to find the SKU ID.](https://docs.microsoft.com/microsoft-store/microsoft-store-for-business-education-powershell-module#view-items-in-products-and-services)
+
## UserContextApp
Use to add a new user context app.
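Review bot: Step 2 of the new StoreInstall section lists Flags among the required settings, but its description is "Description not available at this time.", so a reader cannot fill it in; either document the accepted values or hold the row back until they are known. Step 1 asks for a package family name while the table only explains ProductID and SkuID, so it would help to say where the package family name comes from.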
diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md
index 70cd723052..3c2049687f 100644
--- a/windows/configuration/wcd/wcd-universalappuninstall.md
+++ b/windows/configuration/wcd/wcd-universalappuninstall.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# UniversalAppUninstall (reference)
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index 080f9e469f..c5ab2a15e7 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Windows Configuration Designer provisioning settings (reference)
@@ -20,11 +20,13 @@ This section describes the settings that you can configure in [provisioning pack
| --- | :---: | :---: | :---: | :---: | :---: |
| [Accounts](wcd-accounts.md) | X | X | X | X | X |
| [ADMXIngestion](wcd-admxingestion.md) | X | | | | |
-| [ApplicationManagement](wcd-applicationmanagement.md) | X | X | X | X | X |
-| [AssignedAccess](wcd-assignedaccess.md) | X | X | | X | |
+| [ApplicationManagement](wcd-applicationmanagement.md) | | | | | X |
+| [AssignedAccess](wcd-assignedaccess.md) | X | | | X | |
| [AutomaticTime](wcd-automatictime.md) | | X | | | |
| [Browser](wcd-browser.md) | X | X | X | X | |
| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | X | | | |
+| [Calling](wcd-calling.md) | | X | | | |
+| [CellCore](wcd-cellcore.md) | X | X | | | |
| [Cellular](wcd-cellular.md) | X | | | | |
| [Certificates](wcd-certificates.md) | X | X | X | X | X |
| [CleanPC](wcd-cleanpc.md) | X | | | | |
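Review bot: The ApplicationManagement row goes from all five editions to IoT Core only, and AssignedAccess drops Mobile editions, with nothing in the hunk explaining why; please confirm that the "Applies to" tables in wcd-applicationmanagement.md and wcd-assignedaccess.md were changed to match, otherwise the index and the topic pages will disagree. The new Calling and CellCore rows link to wcd-calling.md and wcd-cellcore.md, so those files need to land in the same change.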
@@ -34,6 +36,7 @@ This section describes the settings that you can configure in [provisioning pack
| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | |
| [DeveloperSetup](wcd-developersetup.md) | | | | X | |
| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | X | |
+| [DeviceInfo](wcd-deviceinfo.md) | | X | | | |
| [DeviceManagement](wcd-devicemanagement.md) | X | X | X | X | |
| [DMClient](wcd-dmclient.md) | X | X | X | X | X |
| [EditionUpgrade](wcd-editionupgrade.md) | X | X | X | X | |
@@ -41,6 +44,7 @@ This section describes the settings that you can configure in [provisioning pack
| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X |
| [FirstExperience](wcd-firstexperience.md) | | | | X | |
| [Folders](wcd-folders.md) |X | X | X | X | |
+| [HotSpot](wcd-hotspot.md) | X | X | X | X | X |
| [InitialSetup](wcd-initialsetup.md) | | X | | | |
| [InternetExplorer](wcd-internetexplorer.md) | | X | | | |
| [Licensing](wcd-licensing.md) | X | | | | |
@@ -65,6 +69,7 @@ This section describes the settings that you can configure in [provisioning pack
| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | |
| [TabletMode](wcd-tabletmode.md) |X | X | X | X | |
| [TakeATest](wcd-takeatest.md) | X | | | | |
+| [TextInput](wcd-textinput.md) | | X | | | |
| [Theme](wcd-theme.md) | | X | | | |
| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | |
| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | X | X |
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index 35ab57c372..3a0a9aec87 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -111,7 +111,7 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a
- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-start-layout-options-and-policies.md).
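Review bot: Two lines above the changed Feedback Hub link, the related-topics entry still reads "Customize Windows 10 Start and tasbkar with mobile device management (MDM)"; since this block is being touched, fix "tasbkar" to "taskbar" in the same commit.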
diff --git a/windows/configuration/windows-diagnostic-data.md b/windows/configuration/windows-diagnostic-data.md
index 9f56ccf841..f540930a40 100644
--- a/windows/configuration/windows-diagnostic-data.md
+++ b/windows/configuration/windows-diagnostic-data.md
@@ -1,6 +1,6 @@
---
-title: Windows 10, version 1703 Diagnostic Data (Windows 10)
-description: Use this article to learn about the types of that is collected the the Full telemetry level.
+title: Windows 10 diagnostic data for the Full telemetry level (Windows 10)
+description: Use this article to learn about the types of data that is collected the the Full telemetry level.
keywords: privacy,Windows 10
ms.prod: w10
ms.mktglfcycl: manage
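Review bot: The new description line adds the missing word "data" but still reads "the types of data that is collected the the Full telemetry level"; "the the" should be "at the", and "that is" should agree with "types", giving "the types of data that are collected at the Full telemetry level".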
@@ -8,13 +8,15 @@ ms.sitesec: library
ms.localizationpriority: high
author: eross-msft
ms.author: lizross
-ms.date: 09/14/2017
+ms.date: 10/17/2017
---
-# Windows 10, version 1703 Diagnostic Data
+# Windows 10 diagnostic data for the Full telemetry level
-Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md).
+**Applies to:**
+- Windows 10, version 1703 and later
+Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) and [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md).
The data covered in this article is grouped into the following categories:
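Review bot: The rewritten intro paragraph carries over "describes all types diagnostic data" from the old text; it should read "all types of diagnostic data". The new "Applies to" line says "version 1703 and later" while the paragraph links field references for 1709 and 1703 only, so this sentence will need another link with each release; consider pointing at a single landing page for the Basic-level references instead.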
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index 2f86c87a24..00841c6aa9 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -79,7 +79,7 @@ Pay attention to the checkbox in **Options**. In addition to providing the path
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-spotlight.md).
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 5055de6869..0ce495c54d 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -213,13 +213,12 @@
#### [Configure Windows Update for Business](update/waas-configure-wufb.md)
#### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md)
#### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md)
-#### [Walkthrough: use Intune to configure Windows Update for Business](update/waas-wufb-intune.md)
+#### [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md)
### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
-#### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md)
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md)
### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
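Review bot: The Intune walkthrough entry now points at an absolute docs.microsoft.com URL while every neighbouring entry is a relative path under update/, and the "Windows Insider Program for Business using Azure Active Directory" entry is removed outright; confirm that update/waas-wufb-intune.md and update/waas-windows-insider-for-business-aad.md are deleted or redirected in this change, so existing inbound links do not break and no orphaned pages remain.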
@@ -240,6 +239,11 @@
### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
#### [Get started with Update Compliance](update/update-compliance-get-started.md)
#### [Use Update Compliance](update/update-compliance-using.md)
+##### [Need Attention! report](update/update-compliance-need-attention.md)
+##### [Security Update Status report](update/update-compliance-security-update-status.md)
+##### [Feature Update Status report](update/update-compliance-feature-update-status.md)
+##### [Windows Defender AV Status report](update/update-compliance-wd-av-status.md)
+##### [Update Compliance Perspectives](update/update-compliance-perspectives.md)
### [Device Health](update/device-health-monitor.md)
#### [Get started with Device Health](update/device-health-get-started.md)
#### [Using Device Health](update/device-health-using.md)
diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md
index 3442d7e48a..344c93c0af 100644
--- a/windows/deployment/change-history-for-deploy-windows-10.md
+++ b/windows/deployment/change-history-for-deploy-windows-10.md
@@ -6,12 +6,17 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
-ms.date: 06/28/2017
+ms.date: 10/17/2017
---
# Change history for Deploy Windows 10
This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
+## RELEASE: Windows 10, version 1709
+| New or changed topic | Description |
+|----------------------|-------------|
+| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated the edition upgrade table to include all other Windows 10 editions previously not on the list and the supported upgrade methods for upgrade path. |
+
## July 2017
| New or changed topic | Description |
|----------------------|-------------|
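Review bot: The description in the new "Windows 10 edition upgrade" row is hard to parse ("include all other Windows 10 editions previously not on the list and the supported upgrade methods for upgrade path"); suggest something like "Updated the edition upgrade table to include the Windows 10 editions that were previously missing and the supported upgrade methods for each upgrade path."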
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index a3c44c5ab1..dd7c44f36e 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
-ms.date: 08/23/2017
+ms.date: 10/10/2017
author: greg-lindsay
---
@@ -22,12 +22,22 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with
If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
-1. Work with your reseller to place an order for $0 SKU. There are two SKUs available, depending on their current Windows Enterprise SA license:
+1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
3. The admin can now assign subscription licenses to users.
+>Use the following process if you need to update contact information and retrigger activation in order to resend the activation email:
+
+1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+2. Click on **Subscriptions**.
+3. Click on **Online Services Agreement List**.
+4. Enter your agreement number, and then click **Search**.
+5. Click the **Service Name**.
+6. In the **Subscription Contact** section, click the name listed under **Last Name**.
+7. Update the contact information, then click **Update Contact Details**. This will trigger a new email.
+
Also in this article:
- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses.
- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them.
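Review bot: The added line ">Use the following process if you need to update contact information and retrigger activation ..." carries the blockquote marker only on the intro sentence, so the seven steps that follow sit outside the quote and start a second list numbered 1 to 7 directly after steps 1 to 3 of the enablement procedure; use a bold lead-in or a heading, or prefix the steps with ">" as well, so the two procedures read as separate. In the reworded step 1, "depending on their current Windows Enterprise SA license" still says "their" although the sentence addresses the reader as "you".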
@@ -74,9 +84,9 @@ The following methods are available to assign licenses:
Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1703 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices?
-### Step 1: Join users’ devices to Azure AD
+### Step 1: Join Windows 10 Pro devices to Azure AD
-Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703.
+Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703.
**To join a device to Azure AD the first time the device is started**
@@ -125,7 +135,18 @@ Now the device is Azure AD joined to the company’s subscription.
Now the device is Azure AD joined to the company’s subscription.
-### Step 2: Sign in using Azure AD account
+### Step 2: Verify that Pro edition is activated
+
+Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
+
+
+
+ **Figure 7a - Windows 10 Pro activation in Settings**
+
+Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled.
+
+
+### Step 3: Sign in using Azure AD account
Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
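Review bot: The new Step 2 says "as illustrated in **Figure 7a**", but the added lines shown here contain only the caption and no image reference above it; confirm that images/sa-pro-activation.png, added in this change, is actually embedded. The caption form "Figure 7a - ..." also differs from the existing "Figure 8. ..." style, so use the same punctuation. The sentence "Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled." gives the reason for the step and would read better at the start of the section than after the figure.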
@@ -133,7 +154,7 @@ Once the device is joined to your Azure AD subscription, the user will sign in b
**Figure 8. Sign in by using Azure AD account**
-### Step 3: Verify that Enterprise edition is enabled
+### Step 4: Verify that Enterprise edition is enabled
You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 4662c2d40d..491211e7a9 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -643,4 +643,4 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully
[Configure MDT settings](configure-mdt-settings.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=create-a-windows-10-reference-image.md).
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index f7c08f33ec..efbe5a0d36 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -653,4 +653,4 @@ Figure 14. The partitions when deploying an UEFI-based machine.
[Configure MDT settings](configure-mdt-settings.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=deploy-a-windows-10-image-using-mdt.md).
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
index 2f9a7b58e0..71ba215d06 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -93,4 +93,4 @@ The information in this guide is designed to help you deploy Windows 10. In ord
[Volume Activation for Windows 10](../volume-activation/volume-activation-windows-10.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
\ No newline at end of file
diff --git a/windows/deployment/images/sa-evolution.png b/windows/deployment/images/sa-evolution.png
new file mode 100644
index 0000000000..a676799be2
Binary files /dev/null and b/windows/deployment/images/sa-evolution.png differ
diff --git a/windows/deployment/images/sa-pro-activation.png b/windows/deployment/images/sa-pro-activation.png
new file mode 100644
index 0000000000..4066c45dad
Binary files /dev/null and b/windows/deployment/images/sa-pro-activation.png differ
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index d898782a7c..ee77f2ce0e 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -401,4 +401,4 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=mbr-to-gpt.md).
\ No newline at end of file
diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md
index 8051af1421..05a7ab9827 100644
--- a/windows/deployment/update/change-history-for-update-windows-10.md
+++ b/windows/deployment/update/change-history-for-update-windows-10.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
ms.author: daniha
-ms.date: 07/27/2017
+ms.date: 10/10/2017
---
# Change history for Update Windows 10
@@ -15,6 +15,16 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc
>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
+## RELEASE: Windows 10, version 1709
+
+The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update).
+
+## September 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New |
+
## July 2017
All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes).
diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md
index 9df4b51c9b..7c8f74f2cc 100644
--- a/windows/deployment/update/device-health-get-started.md
+++ b/windows/deployment/update/device-health-get-started.md
@@ -5,6 +5,7 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
+ms.date: 10/17/2017
ms.pagetype: deploy
author: jaimeo
---
diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md
index f620c80953..9833ec58dc 100644
--- a/windows/deployment/update/device-health-monitor.md
+++ b/windows/deployment/update/device-health-monitor.md
@@ -5,6 +5,8 @@ keywords: oms, operations management suite, wdav, health, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
+ms.localizationpriority: medium
+ms.date: 10/17/2017
ms.pagetype: deploy
author: jaimeo
---
@@ -15,9 +17,9 @@ author: jaimeo
Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by providing IT with reports on some common problems the end users might experience so they can be proactively remediated, thus saving support calls and improving end-user productivity.
-Like Upgrade Readiness and Update Compliance, Device Health is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This preview release is free for customers to try and will not incur charges on your OMS workspace for its use. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+Like Upgrade Readiness and Update Compliance, Device Health is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your OMS workspace for its use. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
-Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health (preview) from the OMS solution gallery and add it to your OMS workspace. Device Health requires enhanced telemetry, so you might need to implement this policy if you've not already done so.
+Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the OMS solution gallery and add it to your OMS workspace. Device Health requires enhanced telemetry, so you might need to implement this policy if you've not already done so.
Device Health provides the following:
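Review bot: The rewritten OMS paragraph still says "This release is free for customers to try", which made sense for a preview but is unclear now that "preview" is removed and the same patch adds a "Device Health licensing" section listing required licenses. Suggest saying plainly that the solution adds no charges to the OMS workspace, and pointing to the licensing section for the Windows license requirement.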
@@ -34,6 +36,19 @@ See the following topics in this guide for detailed information about configurin
An overview of the processes used by the Device Health solution is provided below.
+## Device Health licensing
+
+Use of Windows Analytics Device Health requires one of the following licenses:
+
+- Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance
+- Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)
+- Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)
+- Windows VDA E3 or E5 per-device or per-user subscription
+
+
+You don't have to install Windows 10 Enterprise on a per-device basis--you just need enough of the above licenses for the number of devices using Device Health.
+
+
## Device Health architecture
The Device Health architecture and data flow is summarized by the following five-step process:
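Review bot: The closing sentence of the new licensing section is ambiguous and uses a double hyphen ("per-device basis--you just need enough of the above licenses"). "You don't have to install Windows 10 Enterprise on a per-device basis" can be read as either an edition requirement or a licensing-model statement. Suggest splitting it into two sentences that say which is meant. The added text also has doubled blank lines before and after that sentence; one is enough.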
diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md
index 9fa09d1431..5892aacc02 100644
--- a/windows/deployment/update/device-health-using.md
+++ b/windows/deployment/update/device-health-using.md
@@ -4,6 +4,7 @@ description: Explains how to begin usihg Device Health.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
+ms.date: 10/17/2017
ms.pagetype: deploy
author: jaimeo
---
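Review bot: The `description` field of this file's front matter, visible in the hunk header, still contains the typo "usihg" ("Explains how to begin usihg Device Health."). Since this change edits the same front matter block, correct it to "using" here.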
diff --git a/windows/deployment/update/images/OMS-after-adding-solution.jpg b/windows/deployment/update/images/OMS-after-adding-solution.jpg
index d06a896f6e..f3a5d855ff 100644
Binary files a/windows/deployment/update/images/OMS-after-adding-solution.jpg and b/windows/deployment/update/images/OMS-after-adding-solution.jpg differ
diff --git a/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png b/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png
index eb2cabdcfd..d093eff951 100644
Binary files a/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png and b/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png differ
diff --git a/windows/deployment/update/images/WIPNEWMAIN-sterile.png b/windows/deployment/update/images/WIPNEWMAIN-sterile.png
index 5efc5250c1..a210aa9ed1 100644
Binary files a/windows/deployment/update/images/WIPNEWMAIN-sterile.png and b/windows/deployment/update/images/WIPNEWMAIN-sterile.png differ
diff --git a/windows/deployment/update/images/WIPappID-sterile.png b/windows/deployment/update/images/WIPappID-sterile.png
index 43bad68ed0..e7b5ae5571 100644
Binary files a/windows/deployment/update/images/WIPappID-sterile.png and b/windows/deployment/update/images/WIPappID-sterile.png differ
diff --git a/windows/deployment/update/images/dev-health-main-tile-sterile.png b/windows/deployment/update/images/dev-health-main-tile-sterile.png
index 1619d8bf70..afe19b622e 100644
Binary files a/windows/deployment/update/images/dev-health-main-tile-sterile.png and b/windows/deployment/update/images/dev-health-main-tile-sterile.png differ
diff --git a/windows/deployment/update/images/device-crash-history2-sterile.png b/windows/deployment/update/images/device-crash-history2-sterile.png
index 18056ed801..e5a70f2d7d 100644
Binary files a/windows/deployment/update/images/device-crash-history2-sterile.png and b/windows/deployment/update/images/device-crash-history2-sterile.png differ
diff --git a/windows/deployment/update/images/device-reliability2-sterile.png b/windows/deployment/update/images/device-reliability2-sterile.png
index 28fbf3725b..bff4878fa3 100644
Binary files a/windows/deployment/update/images/device-reliability2-sterile.png and b/windows/deployment/update/images/device-reliability2-sterile.png differ
diff --git a/windows/deployment/update/images/driver-detail-1-sterile.png b/windows/deployment/update/images/driver-detail-1-sterile.png
index 7dcd86366f..03551d5783 100644
Binary files a/windows/deployment/update/images/driver-detail-1-sterile.png and b/windows/deployment/update/images/driver-detail-1-sterile.png differ
diff --git a/windows/deployment/update/images/driver-detail-2-sterile.png b/windows/deployment/update/images/driver-detail-2-sterile.png
index e5fa480c3e..66023722b3 100644
Binary files a/windows/deployment/update/images/driver-detail-2-sterile.png and b/windows/deployment/update/images/driver-detail-2-sterile.png differ
diff --git a/windows/deployment/update/images/uc-10.png b/windows/deployment/update/images/uc-10.png
index 3ab72d10d2..ea065590b9 100644
Binary files a/windows/deployment/update/images/uc-10.png and b/windows/deployment/update/images/uc-10.png differ
diff --git a/windows/deployment/update/images/uc-emptyworkspacetile.PNG b/windows/deployment/update/images/uc-emptyworkspacetile.PNG
new file mode 100644
index 0000000000..24c37d4279
Binary files /dev/null and b/windows/deployment/update/images/uc-emptyworkspacetile.PNG differ
diff --git a/windows/deployment/update/images/uc-featureupdatestatus.PNG b/windows/deployment/update/images/uc-featureupdatestatus.PNG
new file mode 100644
index 0000000000..ae6a38502f
Binary files /dev/null and b/windows/deployment/update/images/uc-featureupdatestatus.PNG differ
diff --git a/windows/deployment/update/images/uc-filledworkspacetile.PNG b/windows/deployment/update/images/uc-filledworkspacetile.PNG
new file mode 100644
index 0000000000..5bce136cd1
Binary files /dev/null and b/windows/deployment/update/images/uc-filledworkspacetile.PNG differ
diff --git a/windows/deployment/update/images/uc-filledworkspaceview.PNG b/windows/deployment/update/images/uc-filledworkspaceview.PNG
new file mode 100644
index 0000000000..7456db62c0
Binary files /dev/null and b/windows/deployment/update/images/uc-filledworkspaceview.PNG differ
diff --git a/windows/deployment/update/images/uc-needattentionoverview.PNG b/windows/deployment/update/images/uc-needattentionoverview.PNG
new file mode 100644
index 0000000000..50b6d04699
Binary files /dev/null and b/windows/deployment/update/images/uc-needattentionoverview.PNG differ
diff --git a/windows/deployment/update/images/uc-overviewblade.PNG b/windows/deployment/update/images/uc-overviewblade.PNG
new file mode 100644
index 0000000000..dca364daf6
Binary files /dev/null and b/windows/deployment/update/images/uc-overviewblade.PNG differ
diff --git a/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png b/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png
new file mode 100644
index 0000000000..f52087a4a7
Binary files /dev/null and b/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png differ
diff --git a/windows/deployment/update/images/uc-securityupdatestatus.PNG b/windows/deployment/update/images/uc-securityupdatestatus.PNG
new file mode 100644
index 0000000000..776df89dc3
Binary files /dev/null and b/windows/deployment/update/images/uc-securityupdatestatus.PNG differ
diff --git a/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG b/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG
new file mode 100644
index 0000000000..e3f6990348
Binary files /dev/null and b/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG differ
diff --git a/windows/deployment/update/images/waas-wipfb-policy1.png b/windows/deployment/update/images/waas-wipfb-policy1.png
new file mode 100644
index 0000000000..1fc89ecd2f
Binary files /dev/null and b/windows/deployment/update/images/waas-wipfb-policy1.png differ
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 6ba9b74048..2295a1f28e 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -49,4 +49,4 @@ Windows as a service provides a new way to think about building, deploying, and
>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=index.md).
\ No newline at end of file
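Review bot: The new Feedback Hub link identifies the page only by bare file name, so here it becomes `topic=index.md`, which cannot be told apart from any other `index.md` that receives the same footer. The other files in this patch get distinctive values such as `topic=mbr-to-gpt.md`. Consider passing a path-qualified value (for example the path under `windows/deployment/`) if the receiving side uses `topic` to route feedback. The file also still ends without a trailing newline; add one while this line is being touched.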
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index fddd959017..91d87362f3 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -6,10 +6,30 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/14/2017
+ms.date: 10/10/2017
---
-# Olympia Corp enrollment guidelines
+# Olympia Corp
+
+## What is Windows Insider Lab for Enterprise and Olympia Corp?
+
+Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features*. To get the complete experience of these Enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features.
+
+As an Olympia user, you will have an opportunity to:
+
+- Use various Enterprise features like WIP (Windows Information Protection), ATP (Advanced Threat Protection), WDAG (Windows Defender Application Guard), and APP-V (Application virtualization).
+- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness.
+- Validate and test pre-release software in your environment.
+- Provide feedback.
+- Interact with engineering team members through a variety of communication channels.
+
+\* Enterprise features may have reduced, or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the Enterprise features at any time without notice.
+
+For more information about Olympia Corp, please see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ).
+
+To request an Olympia Corp account, please fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia).
+
+## Enrollment guidelines
Welcome to Olympia Corp. Here are the steps to add your account to your PC.
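Review bot: The new introduction has a few wording problems worth fixing before merge. "Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business" needs a closing comma after "corporation" and reads better as "a real-world business". "APP-V (Application virtualization)" is inconsistent with the casing of the other expansions in that bullet. The footnote marker in "Privacy and Security features*" is an unescaped asterisk while the footnote itself uses `\*`; escape both so the marker cannot be parsed as emphasis. Renaming the H1 from "Olympia Corp enrollment guidelines" to "Olympia Corp" and demoting the enrollment content under a new H2 also changes heading anchors, so check for inbound links to the old headings.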
@@ -23,7 +43,7 @@ Choose one of the following two enrollment options:
-## Keep your current Windows 10 edition
+### Keep your current Windows 10 edition
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
@@ -57,7 +77,7 @@ Choose one of the following two enrollment options:
-## Upgrade your Windows 10 edition from Pro to Enterprise
+### Upgrade your Windows 10 edition from Pro to Enterprise
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
new file mode 100644
index 0000000000..46de2943e8
--- /dev/null
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -0,0 +1,34 @@
+---
+title: Update Compliance - Feature Update Status report
+description: an overview of the Feature Update Status report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
+---
+
+# Feature Update Status
+
+
+
+The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-channels).
+
+## Overall Feature Update Status
+
+The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/en-us/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and OS Version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category.
+
+## Deployment Status by Servicing Channel
+
+To effectively track deployment, **Deployment Status Blades** are divided into each Servicing Channel chosen for the device. This is because Deployment for each channel will happen at different periods in time and feature updates are targeted separately for each channel. Within each Deployment Status tile, devices are aggregated on their feature update distribution, and the columns list the states each device is in.
+
+Refer to the following list for what each state means:
+* **Installed** devices are devices that have completed installation for the given update.
+* When a device is counted as **In Progress**, it has begun the feature update installation.
+* Devices that are **scheduled next 7 days** are all devices that were deferred from installing the Feature update using [Windows Update for Business Settings](waas-manage-updates-wufb.md) and are set to begin installation in the next 7 days.
+* Devices that have failed the given feature update installation are counted as **Update failed**.
+* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category.
+
+Clicking on any row will navigate to the query relevant to that feature update. These queries are attached to [Perspectives](update-compliance-perspectives.md) that contain detailed deployment data for that update.
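Review bot: In the state list, the **Status Unknown** bullet says a device is "progressing toward this security update", but this page is about feature updates; this looks like a copy-paste from the security update report and should read "feature update". The state names are also inconsistently cased and worded (**scheduled next 7 days** in lower case, "Feature update" capitalized mid-sentence), so match them to the column labels shown in the UI. The intro paragraph links Servicing Channel once as `waas-overview.md#servicing-channels` and once as an absolute docs.microsoft.com URL to the same anchor; use the relative form for both.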
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 8e3da008da..41369d98ef 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -6,7 +6,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
-author: jaimeo
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
---
# Get started with Update Compliance
@@ -14,9 +16,9 @@ author: jaimeo
This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
Steps are provided in sections that follow the recommended setup process:
-1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
-2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
-3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices.
+1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
+2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
+3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices.
## Update Compliance prerequisites
@@ -34,7 +36,7 @@ Update Compliance has the following requirements:
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troublehsoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md) topic for help on ensuring the configuration is correct.
- For endpoints running Windows 10, version 1607 or earlier, [Windows telemetry must also be set to **Enhanced**](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization#enhanced-level).
+ For endpoints running Windows 10, version 1607 or earlier, [Windows telemetry must also be set to **Enhanced**](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization#enhanced-level), to be compatible with Windows Defender Antivirus.
See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
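Review bot: The added clause "to be compatible with Windows Defender Antivirus" reads as if Windows Defender AV itself needs Enhanced telemetry, whereas requirement 4 is about using Windows Defender Antivirus Assessment in Update Compliance. Suggest "to be compatible with Windows Defender Antivirus Assessment" or similar. The unchanged line just above in the same item has the typo "Troublehsoot" and a link target ending in `troubleshoot-reporting.md`, while the neighbouring root-relative links omit the extension; both are worth fixing in this pass.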
@@ -43,63 +45,37 @@ Update Compliance has the following requirements:
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
-If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already.
+If you are already using OMS, skip to step **6** to add Update Compliance to your workspace.
If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
-1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
-
-
- [](images/uc-02.png)
-
-
-2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
-
-
- [](images/uc-03.png)
-
-
-3. Create a new OMS workspace.
-
-
- [](images/uc-04.png)
-
-4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
-
-
- [](images/uc-05.png)
-
-
-5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
-
-
- [](images/uc-06.png)
-
-
-6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
-
-
- [](images/uc-07.png)
-
-
-7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace.
-
-
- [](images/uc-08.png)
-
-
-8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
-
-
- [](images/uc-09.png)
-
-
-9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below.
-
-
- [](images/uc-10.png)
-
-
+1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
+ 
+
+2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+ 
+
+3. Create a new OMS workspace.
+ 
+
+4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
+ ](images/uc-05.png)
+
+5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
+ 
+
+6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
+ 
+
+7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace.
+ 
+
+8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
+ 
+
+9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below.
+ 
+
After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
>[!NOTE]
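Review bot: The image line under step 4 is malformed: `](images/uc-05.png)` keeps the tail of the old link wrapper, so it will render a stray link or broken markup instead of the plain image the other steps use. It should be `![OMS Dialog to create workspace](images/uc-05.png)` if that alt text is intended. Separately, "If you are already using OMS, skip to step **6**" sends existing users into a list introduced as "If you are not yet using OMS, use the following steps", and the hard-coded step number will drift if the list is edited. Consider splitting steps 6 to 9 into their own short procedure or linking to them by heading.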
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 2619584ebd..95e64fcee6 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -6,7 +6,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
-author: greg-lindsay
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
---
# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance
@@ -15,7 +17,7 @@ author: greg-lindsay
With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of the new servicing strategy from Microsoft: [Windows as a Service](waas-overview.md).
-Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
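Review bot: The updated OMS overview link drops the `/en-us/` locale segment but keeps the `http://` scheme. update-compliance-get-started.md in this same patch links the same article over `https://`, so switch this one to `https://` and use one URL form for the article across the Update Compliance topics.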
@@ -52,7 +54,7 @@ These steps are illustrated in following diagram:

>[!NOTE]
->This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started#deploy-your-commercial-id-to-your-windows-10-devices.
+>This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
new file mode 100644
index 0000000000..5aefff3779
--- /dev/null
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -0,0 +1,38 @@
+---
+title: Update Compliance - Need Attention! report
+description: an overview of the Update Compliance Need Attention! report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
+---
+
+# Need Attention!
+
+
+
+The “Need Attention!” section provides a breakdown of all device issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade is shown within this section that contains queries that provide values but do not fit within any other main section.
+
+>[!NOTE]
+>The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers may not add up.
+
+The different issues are broken down by Device Issues and Update Issues, which are iterated below:
+
+## Device Issues
+
+* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices may be more vulnerable and should be investigated and updated.
+* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer be serviced, and may be vulnerable. These devices should be updated to a supported version of Windows 10.
+
+## Update Issues
+
+* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors may be transient, but should be investigated further to be sure.
+* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days.
+
+Clicking on any of the issues will navigate you to the Log Search view with all devices that have the given issue.
+
+## List of Queries
+
+The List of Queries blade resides within the “Need Attention!” section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries.
\ No newline at end of file
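Review bot: "Progress stalled" under Update Issues is defined as an update that "has not completed over a period of 10 days", but the Deployment Status table added in update-compliance-perspectives.md in this same change says such devices have been stuck at "In progress" for more than 7 days, and the text removed from update-compliance-using.md also used 7 days; confirm the threshold and use one number in both files. The `[!NOTE]` after the introduction repeats the summary-tile sentence from the paragraph directly above it almost word for word, so keep only the part about a single device having more than one issue. The front-matter `description` should start with a capital letter, and the file ends without a trailing newline.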
diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md
new file mode 100644
index 0000000000..f039195996
--- /dev/null
+++ b/windows/deployment/update/update-compliance-perspectives.md
@@ -0,0 +1,56 @@
+---
+title: Update Compliance - Perspectives
+description: an overview of Update Compliance Perspectives
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
+---
+
+# Perspectives
+
+
+
+Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance.
+
+There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates.
+
+The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered.
+
+The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any).
+
+The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows:
+
+| State | Description |
+| --- | --- |
+| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. |
+| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. |
+| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. |
+| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. |
+| Cancelled | The update was cancelled. |
+| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. |
+| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. |
+| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. |
+
+The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report:
+
+| State | Description |
+| --- | --- |
+| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. |
+| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. |
+| Update offered | The device has been offered the update, but has not begun downloading it. |
+| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. |
+| Download Started | The update has begun downloading on the device. |
+| Download Succeeded | The update has successfully completed downloading. |
+| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. |
+| Install Started | Installation of the update has begun. |
+| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed.
+| Reboot Pending | The device has a scheduled reboot to apply the update. |
+| Reboot Initiated | The scheduled reboot has been initiated. |
+| Update Completed/Commit | The update has successfully installed. |
+
+>[!NOTE]
+>Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar.
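Review bot: The opening sentence under `# Perspectives` does not parse ("elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data"); words appear to have been dropped, so reword it, for example "Perspectives are developer-built elaborations on specific queries that provide data views with deeper insight into your data." In the Detailed Deployment Status table, the "Reboot Required" row is missing its closing `|`, unlike every other row, which may break table rendering in some Markdown processors. In the Deployment Status table, the "In Progress" row reads "are one of the various stages" where "are in one of the various stages" is meant.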
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
new file mode 100644
index 0000000000..b361f73d30
--- /dev/null
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -0,0 +1,32 @@
+---
+title: Update Compliance - Security Update Status report
+description: an overview of the Security Update Status report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
+---
+
+# Security Update Status
+
+
+
+The Security Update Status section provides information about [quality updates](waas-quick-start.md#definitions) across all devices. The section tile within the O[verview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update to provide the most essential data without needing to navigate into the section. However, within the section the Overall Quality Update Status blade also considers whether devices are up-to-date on non-security updates.
+
+>[!NOTE]
+>It is possible for the percentage of devices on the latest security update to differ from devices that are up-to-date on all quality updates. This is because some devices may have non-security updates that are applicable to them.
+
+The **Overall Quality Update Status** blade provides a visualization of devices that are and are not up-to-date on the latest quality updates (not just security updates). Below the visualization are all devices further broken down by OS Version and a count of how many are up-to-date and not up-to-date. Within the “Not up-to-date” column, the count of update failures is also given.
+
+The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization.
+
+What follows is a breakdown of the different deployment states reported by devices:
+* **Installed** devices are devices that have completed installation for the given update.
+* When a device is counted as **In Progress or Deferred**, it has either begun the installation process for the given update or has been intentionally deferred or paused using WU for Business Settings.
+* Devices that have **Update Failed**, failed updating at some point during the installation process of the given security update.
+* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category.
+
+The rows of each tile in this section are interactive; clicking on them will navigate you to the query that is representative of that row and section. These queries are also attached to [Perspectives](update-compliance-perspectives.md) with detailed deployment data for that update.
\ No newline at end of file
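Review bot: The Overview Blade link in the first paragraph is malformed: `O[verview Blade](update-compliance-using.md#overview-blade)` has the opening bracket after the "O", so the link text renders as "verview Blade" with a stray "O" in front of it; move the bracket so it reads `[Overview Blade](update-compliance-using.md#overview-blade)`. In the deployment-state list, "Devices that have **Update Failed**, failed updating at some point" puts a comma between subject and verb and repeats "failed"; "Devices counted as **Update Failed** failed at some point during installation of the given security update" is clearer. The file also ends without a trailing newline.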
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index a49a7adb06..07e1970441 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -5,12 +5,14 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
-author: greg-lindsay
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
---
-# Use Update Compliance to monitor Windows Updates
+# Use Update Compliance
-This section describes how to use Update Compliance to monitor Windows Updates and troubleshoot update failures on your network.
+In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Windows Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md).
Update Compliance:
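Review bot: In the new introduction line, "your device's Windows updates" uses the singular possessive although Update Compliance reports across all devices in the organization; use "your devices' Windows updates". The shortened title "Use Update Compliance" also no longer says what the topic covers, so consider keeping a hint of the purpose (updates and Windows Defender Antivirus status) unless the short form is needed for navigation.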
@@ -18,469 +20,60 @@ Update Compliance:
- Enables you to maintain a high-level perspective on the progress and status of updates across all devices.
- Provides a workflow that can be used to quickly identify which devices require attention.
- Enables you to track deployment compliance targets for updates.
+- Summarizes Windows Defender Antivirus status for devices that use it.
>[!NOTE]
>Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices.
-In OMS, the aspects of a solution's dashboard are usually divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow.
+In Update Compliance, data is separated into vertically-sliced sections. Each section is referred to as a blade. Within a blade, there may or may not be multiple tiles, which serve to represent the data in different ways. Blades are summarized by their title in the upper-left corner above it. Every number displayed in OMS is the direct result of one or more queries. Clicking on data in blades will often navigate you to the query view, with the query used to produce that data. Some of these queries have perspectives attached to them; when a perspective is present, an additional tab will load in the query view. These additional tabs provide blades containing more information relevant to the results of the query.
-Update Compliance has the following primary blades:
+## The Update Compliance Tile
+After Update Compliance has successfully been added from the solution gallery, you’ll see this tile:
+
-1. [OS Update Overview](#os-update-overview)
-2. [Overall Quality Update Status](#overall-quality-update-status)
-3. [Latest and Previous Security Update Status](#latest-and-previous-security-update-status)
-4. [Overall Feature Update Status](#overall-feature-update-status)
-5. [CB, CBB, LTSB Deployment Status](#cb-cbb-ltsb-deployment-status)
-6. [Windows Defender Antivirus Assessment](#wdav-assessment)
-7. [List of Queries](#list-of-queries)
+When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that is associated with the Commercial ID associated with the device. If you haven’t read about assigning your Commercial ID to your devices, refer to [this topic](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
+
-## OS Update Overview
+The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was updated.
-The first blade of OMS Update Compliance is the General **OS Update Overview** blade:
+## The Update Compliance Workspace
-
+
+Upon clicking the tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview Blade providing a hub from which to navigate to different reports of your device’s data.
+### Overview Blade
-This blade is divided into three sections:
-- Device Summary:
-- Needs Attention Summary
-- Update Status Summary
+
-The **Device Summary** displays the total number of devices in your organization. These devices have the commercial ID configured, telemetry enabled, and have sent telemetry to Microsoft within the last 28 days. The tile also shows the devices that Need Attention.
+Update Compliance’s overview blade provides a summarization of all the data Update Compliance focuses on. It functions as a hub from which different sections can be navigated to. The total number of devices detected by Update Compliance are counted within the title of this blade. What follows is a distribution for all devices as to whether they are up to date on:
+* Quality updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10.
+* Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability.
+* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus.
+The blade also provides the time at which your Update Compliance workspace was refreshed.
-The **Needs Attention Summary** summarizes devices that require action on your part. There are multiple reasons why a device might need attention, and these reasons are categorized and summarized in the tile. You can view details about devices that are categorized as Needs Attention using a table view. The following **Needs Attention** states are defined:
+Below the “Last Updated” time, a list of the different sections follows that can be clicked on to view more information, they are:
+* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It counts the number of devices encountering issues and need attention; clicking into this provides blades that summarize the different issues that devices are encountering, and provides a List of Queries that Microsoft finds useful.
+* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Clicking into this section provides blades that summarize the overall status of Quality updates across all devices; including deployment.
+* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Clicking into this section provides blades that summarize the overall feature update status across all devices, with an emphasis on deployment progress.
+* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Clicking into this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus.
+Use [Perspectives](update-compliance-perspectives.md) for data views that provide deeper insight into your data.
-
-
Needs Attention
Definition
-
Out of Support
Total number of devices that are no longer receiving servicing updates
-
Update failed
When a device has reported a failure at some stage in its update deployment process, it will report that the Update Failed. You can click on this to see the full set of devices with more details about the stage at which a failure was reported, when the device reported a failure, and other data.
-
Missing 2+ Security Updates
Total number of devices that are missing two or more security updates
-
Update Progress Stalled
Total number of devices where an update installation has been “in progress” for more than 7 days
-
+## Utilizing Log Analytics
+Update Compliance is built upon the Log Analytics platform that is integrated into Operations Management Suite. All data within the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within OMS, can deeply enhance your experience and complement Update Compliance.
-The **Update Status Summary** summarizes your organization's devices per the Windows 10 "Windows as a Service" (WaaS) model. For more information about WaaS, see [Overview of Windows as a service](waas-overview.md). Devices are categorized as: **Current**, **Up-to-date**, and **Not up-to-date**. See the following graphical representation of this model:
+See below for a few topics related to Log Analytics:
+* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches).
+* To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards).
+* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to utilize it to always stay informed about the most critical issues you care about.
-
-
-
-
-Update Status Summary definitions:
-
-
-
-
Update Status
Definition
-
Current and Up-to-date
A device that is current is on the latest and greatest Microsoft offers. It is on the very newest feature update (ex. The Windows Anniversary Update, RS1), on the very latest quality update for its servicing branch.
-
Up-to-date
A device that is up-to-date is on the latest quality update for its servicing option (CB, CBB, LTSB), and the device is running an OS that is supported by Microsoft.
-
Not up-to-date
A device does not have the latest quality update for its servicing option.
-
-
-
-## Overall Quality Update Status
-
-**Overall Quality Update Status** is the second blade in Update Compliance. It has a donut data tile and lists the breakdown of the Up-to-date status of devices pivoted on OS version. See the following example:
-
-
-
-
-
-The donut tile offers a summary of all devices in your organization, divided into **Up-to-date** and **Not up-to-date**. Recall that devices that are current are also up-to-date.
-
-
-The list view contains the breakdown of Up-to-date, Not up-to-date, and Update failed, all pivoted on OS version (e.g., 1507, 1511, 1607). Clicking on any of the rows of this list view will display the **OS Quality Update Summary Perspective** for that OS version.
-
-
-## Latest and Previous Security Update Status
-
-Security updates are extremely important to your organization, so in addition to an overall view of Quality Updates, the deployment status for the latest two security updates are displayed for each supported OS build offered by Microsoft.
-
-
-
-
-
-For the latest security update, a doughnut chart is displayed across all OS builds with a count of installed, in progress/deferred, update failed, and unknown status relative to that update. Two table views are provided below the doughnut displaying the same breakdown for each OS build supported by Microsoft.
-
-See the following definitions:
-
-
-
-
Term
Definition
-
OS Build
The OS build + Revision for the OS Version. The build + revision is a one-to-one mapping of the given security update in this context.
-
Version
The OS Version corresponding to the OS build.
-
Installed
The count of devices that have the given security update installed. In the case that the latest security update is not latest quality update (that is, an update has since been released but it did not contain any security fixes), then devices that are on a newer update will also be counted.
-
For the previous security update, a device will display as **Installed** until it has at least installed the latest security update.
-
In Progress or Deferred
The count of devices that are either currently in the process of installing the given security update, or are deferring the install as per their WUFB policy.
-
All devices in this category for Previous Security Update Status are missing 2 or more security updates, and therefore qualify as needing attention.
-
Update Failed
The count of devices that were **In Progress** for the given security update, but failed at some point in the process. They will no longer be shown as **In Progress or deferred** in this case, and only be counted as **Update failed**.
-
Status Unknown
If a device should be, in some way, progressing toward this security update, but it’s status cannot be inferred, it will count as **Status Unknown**. Devices that are not using Windows Update are the most likely devices to fall into this category.
-
-
-
-## Overall Feature Update Status
-
-Windows 10 has two main update types: Quality and Feature updates. The third blade in Update Compliance provides the most essential data about your organization’s devices for feature updates.
-
-Microsoft has developed terms to help specify the state of a given device for how it fits into the Windows as a Service (WaaS) model. There are three update states for a device:
-- Current
-- Up-to-date
-- Not up-to-date
-
-
-See the **Update Status Summary** description under [OS Update Overview](#os-update-overview) in this guide for definitions of these terms.
-
-
-The Overall Feature Update Status blade focuses around whether or not your devices are considered Current. See the following example:
-
-
-
-
-
-Devices are evaluated by OS Version (e.g., 1607) and the count of how many are Current, Not Current, and have Update Failures is displayed. Clicking on any of these counts will allow you to view all those devices, as well as select the **Update Deployment Status** perspective, described below.
-
-
-## Windows Defender Antivirus Assessment
-
-You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot.
-
-
-
->[!IMPORTANT]
->If your devices are not showing up in the Windows Defender AV assessment section, check the [Troublshoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting) topic for help.
-
-The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues.
-
-If you're using [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to protect devices in your organization and have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus), you can use this section to review the overall status of key protection features, including the number of devices that have [always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and up-to-date definitions.
-
-There are two blades in the Windows Defender AV Assessment section:
-
-- Protection status
-- Threats status
-
-
-
-The **Protection Status** blade shows three key measurements:
-
-1. How many devices have old or current signatures (also known as protection updates or definitions)
-2. How many devices have the core Windows Defender AV always-on scanning feature enabled, called real-time protection
-
-
-
-
-See the [Manage Windows Defender AV updates and apply baselines](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) topic for an overview on how updates work, and further information on applying updates.
-
-The **Threats Status** blade shows the following measurements:
-
-1. How many devices that have threats that have been remediated (removed or quarantined on the device)
-2. How many devices that have threats where remediation was not successful (this may indicate a manual reboot or clean is required)
-
-
-
-
-Devices can be in multiple states at once, as one device may have multiple threats, some of which may or may not be remediated.
-
-> [!IMPORTANT]
-> The data reported in Update Compliance can be delayed by up to 24 hours.
-
-See the [Customize, initiate, and review the results of Windows Defender AV scans and remediation](/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) topic for more information on how to perform scans and other manual remediation tasks.
-
-As with other blades in Update Compliance, clicking on a specific measurement or item will open the associated query that you can use to investigate individual devices and issues, as described below.
-
-
-### Investigate individual devices and threats
-
-
-Click on any of the status measurements to be taken to a pre-built log query that shows the impacted devices for that status.
-
-
-
-You can also find a pre-built query on the main Update Compliance screen, under the **Queries** blade, that lists devices that have not been assessed for Windows Defender AV.
-
-
-
-
-
-
-
-
-
-
-You can further filter queries by clicking any of the measurement labels for each incident, changing the values in the query filter pane, and then clicking **Apply**.
-
-
-
-
-
-Click **+Add** at the bottom of the filter pane to open a list of filters you can apply.
-
-
-
-
-You can also click the **. . .** button next to each label to instantly filter by that label or value.
-
-
-
-You can create your own queries by using a query string in the following format:
-
-```
-Type:
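Review bot: The new Update Compliance Tile and Overview Blade text drops the definition of which devices are counted: the removed Device Summary paragraph said counted devices have the Commercial ID configured, telemetry enabled, and have sent telemetry to Microsoft within the last 28 days, while the added summary only says "devices that Microsoft has received data from with your Commercial ID". If that window still applies, restate it in the added summary paragraph. Wording in the added lines also needs a pass: "Data will begin to be collected after data is sent up that is associated with the Commercial ID associated with the device" repeats itself, "a list of the different sections follows that can be clicked on to view more information, they are:" is a comma splice, and "devices encountering issues and need attention" should be "devices that are encountering issues and need attention".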
@@ -901,60 +899,60 @@ Download and run the media creation tool. See [Download windows 10](https://www.
### Other error codes
-
+
-
Error Codes
Cause
Mitigation
-
0x80070003- 0x20007
-
This is a failure during SafeOS phase driver installation.
+
Error Codes
Cause
Mitigation
+
0x80070003- 0x20007
+
This is a failure during SafeOS phase driver installation.
-
[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
-
-
0x8007025D - 0x2000C
-
This error occurs if the ISO file's metadata is corrupt.
"Re-download the ISO/Media and re-attempt the upgrade.
+
[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
+
+
0x8007025D - 0x2000C
+
This error occurs if the ISO file's metadata is corrupt.
"Re-download the ISO/Media and re-attempt the upgrade.
Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10).
-
-
0x80070490 - 0x20007
An incompatible device driver is present.
+
+
0x80070490 - 0x20007
An incompatible device driver is present.
-
[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
+
[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](#analyze-log-files) to determine the problem driver.
-
-
0xC1900101 - 0x2000c
-
An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.
-
Run checkdisk to repair the file system. For more information, see the [quick fixes](#quick-fixes) section in this guide.
-
Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.
-
0xC1900200 - 0x20008
+
+
0xC1900101 - 0x2000c
+
An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.
+
Run checkdisk to repair the file system. For more information, see the [quick fixes](#quick-fixes) section in this guide.
+ Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.
+
0xC1900200 - 0x20008
-
The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.
+
The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.
-
See [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) and verify the computer meets minimum requirements.
+
See [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) and verify the computer meets minimum requirements.
- Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).
-
0x80070004 - 0x3000D
-
This is a problem with data migration during the first boot phase. There are multiple possible causes.
+ Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).
+
0x80070004 - 0x3000D
+
This is a problem with data migration during the first boot phase. There are multiple possible causes.
-
[Analyze log files](#analyze-log-files) to determine the issue.
-
0xC1900101 - 0x4001E
-
Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.
-
This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xc1900101) section of this guide and review general troubleshooting procedures described in that section.
-
0x80070005 - 0x4000D
-
The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.
-
[Analyze log files](#analyze-log-files) to determine the data point that is reporting access denied.
-
0x80070004 - 0x50012
-
Windows Setup failed to open a file.
-
[Analyze log files](#analyze-log-files) to determine the data point that is reporting access problems.
These errors indicate the computer does not have enough free space available to install the upgrade.
-
To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.
+
[Analyze log files](#analyze-log-files) to determine the issue.
+
0xC1900101 - 0x4001E
+
Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.
+
This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xc1900101) section of this guide and review general troubleshooting procedures described in that section.
+
0x80070005 - 0x4000D
+
The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.
+
[Analyze log files](#analyze-log-files) to determine the data point that is reporting access denied.
+
0x80070004 - 0x50012
+
Windows Setup failed to open a file.
+
[Analyze log files](#analyze-log-files) to determine the data point that is reporting access problems.
These errors indicate the computer does not have enough free space available to install the upgrade.
+
To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.
-
Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
-
+ Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
+
-
+
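Review bot: The re-added description for 0x80070005 - 0x4000D still reads "with an error in during MIGRATE_DATA operation"; since this row is being rewritten anyway, drop the stray "in". The unchanged 0x8007025D - 0x2000C row in the same table has similar leftovers: the mitigation opens with an unmatched double quote ("Re-download the ISO/Media ...) and "re-create installation media the [Media Creation Tool]" is missing "with".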
@@ -962,9 +960,9 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
## Related topics
[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx)
- [Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
- [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
- [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
- [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
+ [Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+ [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+ [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+ [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=resolve-windows-10-upgrade-errors.md).
\ No newline at end of file
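Review bot: The replacement Feedback Hub line is still followed by "\ No newline at end of file", so the file keeps ending without a trailing newline; add one while this line is being touched. The new URI also hard-codes topic=resolve-windows-10-upgrade-errors.md, so please confirm it is generated rather than hand-edited, or it will go stale if the file is renamed.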
diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
index 68eea6f9a8..2073022a88 100644
--- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
+++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
@@ -9,12 +9,12 @@ author: greg-lindsay
This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include:
-- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7 or Windows 8.1 using Internet Explorer.
+- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer.
- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers.
## Site discovery
-The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 8.1 and Windows 7. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
+The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
> [!NOTE]
> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
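Review bot: Both edited sentences now include Windows 10, but the NOTE directly below them still points only to the "Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields" document for what is collected. Because the note is where the silent, all-sites collection is disclosed, it should also say where the Windows 10 collection is documented, or state that the same document applies.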
@@ -26,9 +26,9 @@ Ensure the following prerequisites are met before using site discovery:
1. Install the prerequisite KBs to add Site Discovery support and the latest fixes from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). Install the following:
- For Windows 7 and Windows 8.1 - March, 2017 (or later) Security Monthly Rollup
- For Windows 10 - Cumulative Update for Windows 10 Version 1607 (KB4015217) (or later)
-2. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. In addition, to enable Site Discovery on Windows 10 set **Enhanced Telemetry Level** for the Feedback and Diagnostics setting (Privacy > Feedback & Diagnostics settings), and enable **Page Prediction within Internet Explorer 11**.
+2. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. In addition, to enable Site Discovery on Windows 10 you must set computers to the **Enhanced Telemetry Level** for the Feedback and Diagnostics setting (Privacy > Feedback & Diagnostics settings), and enable **Page Prediction within Internet Explorer 11**.
- If necessary, you can also enable data collection by creating the following registry entry.
+ If you do not plan to use the Upgrade Readiness deployment script to enable Site discovery, you must create the following registry entry.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
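Review bot: The new registry sentence writes "Site discovery" while the reworded step 2 just above it writes "Site Discovery"; pick one capitalization for the feature name. In step 2, "you must set computers to the **Enhanced Telemetry Level** for the Feedback and Diagnostics setting" also reads awkwardly; something like "you must set the Feedback and Diagnostics setting to the Enhanced telemetry level" is clearer.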
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
index c3ef73e060..17224c6c74 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -73,7 +73,7 @@ The deployment script displays the following exit codes to let you know if it wa
-
Exit code and meaning
+
Exit code and meaning
Suggested fix
0 - Success
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index e98e9e3167..c1f05fe42e 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -11,6 +11,7 @@ author: greg-lindsay
---
# Windows 10 edition upgrade
+
**Applies to**
- Windows 10
@@ -18,22 +19,51 @@ author: greg-lindsay
With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md).
-The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
+The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. Note that the reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
+ (X) = not supported
+ (green checkmark) = supported, reboot required
+ (blue checkmark) = supported, no reboot required
+
+
+
+| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store |
+|-----------------| ------------------------------------ | ---- ----------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
+| **Home > Pro** |  |  |  |  |  |  |
+| **Home > Pro for Workstations** |  |  |  |  |  |  |
+| **Home > Pro Education** |  |  |  |  |  |  |
+| **Home > Education** |  |  |  |  |  |  |
+| **S > Pro** |  (version 1709) |  (version 1709) |  |  |  (version 1709) |  (version 1709) |
+| **S > Pro for Workstations** |  (version 1709) |  (version 1709) |  |  |  (version 1709) |  (version 1709) |
+| **S > Pro Education** |  (version 1709) |  (version 1709) |  |  (version 1709 - MSfB) |  (version 1709) |  |
+| **S > Education** |  |  |  |  (MSfB) |  |  |
+| **S > Enterprise** |  (version 1709) |  (version 1709) |  |  (version 1703 - PC), (version 1709 - MSfB) |  (version 1709) |  |
+| **Pro > Pro for Workstations** |  |  |  |  (MSfB) |  |  |
+| **Pro > Pro Education** |  |  |  |  (MSfB) |  |  |
+| **Pro > Education** |  |  |  | ) (MSfB) |  |  |
+| **Pro > Enterprise** |  |  |  |  (version 1703 - PC), (version 1709 - MSfB) |  |  |
+| **Pro for Workstations > Pro Education** |  |  |  |  (MSfB) |  |  |
+| **Pro for Workstations > Education** |  |  |  | ) (MSfB) |  |  |
+| **Pro for Workstations > Enterprise** |  |  |  |  (version 1703 - PC), (version 1709 - MSfB) |  |  |
+| **Pro Education > Education** |  |  |  | ) (MSfB) |  |  |
+| **Enterprise > Education** |  |  |  | ) (MSfB) |  |  |
+| **Mobile > Mobile Enterprise** |  | |  |  |  |  |
+
+> [!NOTE]
+> Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
->**Note**: Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
## Upgrade using mobile device management (MDM)
- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907).
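Review bot: The delimiter row of the new table has a space inside the third column ("| ---- ----------------------- |"), which is not a valid column delimiter and can stop the whole table from rendering; make it one unbroken run of hyphens. Several cells in the "Using Microsoft Store for Business or PC" column also carry a stray ")" after the image (the Pro > Education, Pro for Workstations > Education, Pro Education > Education and Enterprise > Education rows), and the Mobile > Mobile Enterprise row has an empty provisioning-package cell where every other row has an icon.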
@@ -70,10 +100,10 @@ If you are upgrading only a few devices, you may want to enter a product key for
4. Follow the on-screen instructions.
-## Upgrade by purchasing a license from the Windows Store
-If you do not have a product key, you can upgrade your edition of Windows 10 through the Windows Store.
+## Upgrade by purchasing a license from the Microsoft Store
+If you do not have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store.
-**To upgrade through the Windows Store**
+**To upgrade through the Microsoft Store**
1. From either the **Start** menu or the **Start** screen, type 'Activation' and click on the Activation shortcut.
@@ -81,6 +111,6 @@ If you do not have a product key, you can upgrade your edition of Windows 10 th
3. Follow the on-screen instructions.
- **Note** If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Windows Store, click [here](ms-windows-store://windowsupgrade/).
+ **Note** If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/).
\ No newline at end of file
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 8dd86431f4..ea708741a6 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -32,7 +32,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
Windows 10 Home
Windows 10 Pro
-
Windows 10 Pro for Education
+
Windows 10 Pro Education
Windows 10 Education
Windows 10 Enterprise
Windows 10 Mobile
@@ -337,7 +337,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-upgrade-paths.md).
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index 63c0c66725..121ae0c810 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -46,7 +46,7 @@ There are some scenarios in which the use of USMT is not recommended. These incl
## Related topics
- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=usmt-overview.md).
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index 3960b898bb..28325dc349 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -138,4 +138,4 @@ For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KM
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=activate-using-key-management-service-vamt.md).
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 37335d3504..92299edb2e 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -75,6 +75,7 @@ Telephone activation is primarily used in situations where a computer is isolate
**Note**
A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative.
+Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607).
### Multiple activation key
diff --git a/windows/deployment/windows-10-auto-pilot.md b/windows/deployment/windows-10-auto-pilot.md
index 1549e2d687..8e1cb2f96a 100644
--- a/windows/deployment/windows-10-auto-pilot.md
+++ b/windows/deployment/windows-10-auto-pilot.md
@@ -39,7 +39,7 @@ Windows AutoPilot allows you to:
### Prerequisites
* [Devices must be registered to the organization](#registering-devices-to-your-organization)
-* Devices have to be pre-installed with Windows 10, version 1703 or later
+* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
* Devices must have access to the internet
* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
* Microsoft Intune or other MDM services to manage your devices
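Review bot: The new prerequisite names the edition "Windows 10 Professional" and reads "Enterprise or Education, of version 1703 or later". The rest of this change set calls the edition "Pro", so suggest "Windows 10 Pro, Enterprise, or Education, version 1703 or later" for consistency and to remove the awkward "of version".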
@@ -80,6 +80,7 @@ Options available for Windows 10, version 1703:
* Skipping Work or Home usage selection (*Automatic*)
* Skipping OEM registration, OneDrive and Cortana (*Automatic*)
* Skipping privacy settings
+* Skipping EULA (*staring with Windows 10, version 1709*)
* Preventing the account used to set-up the device from getting local administrator permissions
We are working to add additional options to further personalize and streamline the setup experience in future releases.
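Review bot: Typo in the added bullet: "staring with Windows 10, version 1709" should be "starting with". Skipping the EULA is the only option in this list with a version qualifier under a heading that says "Options available for Windows 10, version 1703", so consider adjusting the heading or moving the item so the list does not contradict its own title.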
@@ -101,4 +102,4 @@ In order for your devices to be auto-enrolled into MDM management, MDM auto-enro
>[!NOTE]
>MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription.
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-auto-pilot.md).
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 16998068fa..0ece1c70e2 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -133,4 +133,4 @@ The deployment process for the replace scenario is as follows:
- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358)
- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-deployment-scenarios.md).
\ No newline at end of file
diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md
index a801374cb3..7401e4d251 100644
--- a/windows/deployment/windows-10-deployment-tools.md
+++ b/windows/deployment/windows-10-deployment-tools.md
@@ -22,4 +22,4 @@ Learn about the tools available to deploy Windows 10.
|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-deployment-tools.md).
\ No newline at end of file
diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md
index 9f6b5c02a8..012f8fe68e 100644
--- a/windows/deployment/windows-10-enterprise-subscription-activation.md
+++ b/windows/deployment/windows-10-enterprise-subscription-activation.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
-ms.date: 08/23/2017
+ms.date: 10/18/2017
author: greg-lindsay
---
@@ -23,6 +23,7 @@ With Windows 10 version 1703 (also known as the Creator’s Update), both Window
Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-whatis).
See the following topics in this article:
+- [The evolution of Windows 10 deployment](#the-evolution-of-deployment):
- [Requirements](#requirements): Prerequisites to use the Windows 10 Enterprise subscription model.
- [Benefits](#benefits): Advantages of Windows 10 Enterprise + subscription-based licensing.
- [How it works](#how-it-works): A summary of the subscription-based licensing option.
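Review bot: The added list entry ends with a colon but has no description, unlike the entries below it ("Requirements: Prerequisites to use ..."). Either add a short description or drop the colon. Its link text, "The evolution of Windows 10 deployment", also differs from the heading it targets, "The evolution of deployment"; align the two.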
@@ -30,12 +31,27 @@ See the following topics in this article:
For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
+## The evolution of deployment
+
+>The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/).
+
+The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic.
+
+
+
+- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
+- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after). This was a lot easier than wipe-and-load, but it was still time-consuming.
+- **Windows 10 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
+- **Windows 10 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
+- **Windows 10 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
+- **Windows 10 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
+
## Requirements
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
-- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded
-- Azure Active Directory (Azure AD) available for identity management
+- Windows 10 (Pro or Enterprise) version 1703 or later installed and **activated** on the devices to be upgraded.
+- Azure Active Directory (Azure AD) available for identity management.
- Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported.
For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3 or E5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
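Review bot: The Windows 7 bullet says a full wipe-and-load was required "to change from Windows 7 Professional to Windows 10 Enterprise", which mixes an edition change with a version upgrade while every other bullet compares editions within one release, and it conflicts with the later Scenarios text in this same file that calls Windows 7 Pro directly to Windows 10 Enterprise a supported one-step path. Please check this against the linked source post and correct the target edition. "With this release, deployment is automatic" should also name the release it means.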
@@ -62,6 +78,24 @@ When a licensed user signs in to a device that meets requirements using the Azur
Devices currently running Windows 10 Pro, version 1703 can get Windows 10 Enterprise Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel.
+### Scenarios
+
+**Scenario #1**: Using KMS for activation, just purchased Windows 10 Enterprise E3 or E5 subscriptions (or for some reason have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise), and you are using Windows 10 1607 or above.
+
+All you need to do to change all of your Windows 10 Pro devices to Windows 10 Enterprise is to run this command on each computer:
+
+
+
+This key comes from [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx) in the Volume Activation guide. The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate. It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
+
+**Scenario #2**: Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
+
+In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above.
+
+If you’re running Windows 7, it can be more work. A wipe-and-load approach works, but it is likely to be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise. This is a supported path, and completes the move in one step. This method also works if you are running Windows 8.1 Pro.
+
### Licenses
The following policies apply to acquisition and renewal of licenses on devices:
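Review bot: In Scenario #1 the command is supplied only as an image (images/sa-pro-activation.png), so readers cannot copy or search it, and the alt text "key" tells a screen reader nothing. Put the command in a code block as text, keeping the image only if it adds something. "acquire a $0 SKU" in Scenario #2 is also unexplained jargon; a short gloss or a link to the step in deploy-enterprise-licenses.md would help.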
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index f7f79e2f18..8c3ca200ef 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt
ms.localizationpriority: high
-ms.date: 08/23/2017
+ms.date: 10/10/2017
author: greg-lindsay
---
@@ -37,18 +37,20 @@ This guide provides instructions to install and configure the Microsoft Deployme
Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+
+
-
-
Topic
Description
Time
+
+
Topic
Description
Time
-
[About MDT](#about-mdt)
A high-level overview of the Microsoft Deployment Toolkit (MDT).
Informational
-
[Install MDT](#install-mdt)
Download and install MDT.
40 minutes
-
[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)
A reference image is created to serve as the template for deploying new images.
90 minutes
-
[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)
The reference image is deployed in the PoC environment.
60 minutes
-
[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)
Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.
60 minutes
-
[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)
Back up an existing client computer, then restore this backup to a new computer.
60 minutes
-
[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)
Log locations and troubleshooting hints.
Informational
+
[About MDT](#about-mdt)
A high-level overview of the Microsoft Deployment Toolkit (MDT).
Informational
+
[Install MDT](#install-mdt)
Download and install MDT.
40 minutes
+
[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)
A reference image is created to serve as the template for deploying new images.
90 minutes
+
[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)
The reference image is deployed in the PoC environment.
60 minutes
+
[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)
Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.
60 minutes
+
[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)
Back up an existing client computer, then restore this backup to a new computer.
60 minutes
+
[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)
Log locations and troubleshooting hints.
Informational
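Review bot: Every removed row in this table comes back as an added row with the same link, description and time estimate, so as shown this hunk changes markup or whitespace only. Say that in the commit message, or keep the reformatting separate from the ms.date bump in the same file, so a reviewer does not have to compare seven rows by eye to confirm that no content changed.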
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index dc842b3f38..0d51134732 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, sccm
ms.localizationpriority: high
-ms.date: 08/23/2017
+ms.date: 10/10/2017
author: greg-lindsay
---
@@ -37,23 +37,25 @@ This guide provides end-to-end instructions to install and configure System Cent
Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+
+
-
-
Topic
Description
Time
+
+
Topic
Description
Time
-
[Install prerequisites](#install-prerequisites)
Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.
60 minutes
-
[Install System Center Configuration Manager](#install-system-center-configuration-manager)
Download System Center Configuration Manager, configure prerequisites, and install the package.
45 minutes
-
[Download MDOP and install DaRT](#download-mdop-and-install-dart)
Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.
15 minutes
-
[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)
Prerequisite procedures to support Zero Touch installation.
60 minutes
-
[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)
Use the MDT wizard to create the boot image in Configuration Manager.
20 minutes
-
[Create a Windows 10 reference image](#create-a-windows-10-reference-image)
This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.
0-60 minutes
-
[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image)
Add a Windows 10 operating system image and distribute it.
10 minutes
[Create a task sequence](#create-a-task-sequence)
Create a Configuration Manager task sequence with MDT integration using the MDT wizard
15 minutes
-
[Finalize the operating system configuration](#finalize-the-operating-system-configuration)
Enable monitoring, configure rules, and distribute content.
30 minutes
-
[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager)
Deploy Windows 10 using Configuration Manager deployment packages and task sequences.
60 minutes
-
[Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager)
Replace a client computer with Windows 10 using Configuration Manager.
90 minutes
-
[Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager)
Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT
90 minutes
+
[Install prerequisites](#install-prerequisites)
Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.
60 minutes
+
[Install System Center Configuration Manager](#install-system-center-configuration-manager)
Download System Center Configuration Manager, configure prerequisites, and install the package.
45 minutes
+
[Download MDOP and install DaRT](#download-mdop-and-install-dart)
Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.
15 minutes
+
[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)
Prerequisite procedures to support Zero Touch installation.
60 minutes
+
[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)
Use the MDT wizard to create the boot image in Configuration Manager.
20 minutes
+
[Create a Windows 10 reference image](#create-a-windows-10-reference-image)
This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.
0-60 minutes
+
[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image)
Add a Windows 10 operating system image and distribute it.
10 minutes
[Create a task sequence](#create-a-task-sequence)
Create a Configuration Manager task sequence with MDT integration using the MDT wizard
15 minutes
+
[Finalize the operating system configuration](#finalize-the-operating-system-configuration)
Enable monitoring, configure rules, and distribute content.
30 minutes
+
[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager)
Deploy Windows 10 using Configuration Manager deployment packages and task sequences.
60 minutes
+
[Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager)
Replace a client computer with Windows 10 using Configuration Manager.
90 minutes
+
[Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager)
Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT
90 minutes
-
+
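Review bot: The "Create a task sequence" row is the only row in this table with no `-` or `+` marker, so it does not receive whatever reformatting the other eleven rows get; check that it still renders as a table row after the change, or include it. Its description ("...using the MDT wizard") and the added "Refresh a client" description ("...using Configuration Manager and MDT") also lack the closing period that every other description in the table has.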
@@ -417,12 +419,12 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
5. Use the following settings for the New Deployment Share Wizard:
- - Deployment share path: **C:\MDTBuildLab**
- - Share name: **MDTBuildLab$**
- - Deployment share description: **MDT build lab**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
- - Progress: settings will be applied
+ - Deployment share path: **C:\MDTBuildLab**
+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT build lab**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
- Confirmation: click **Finish**
6. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
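Review bot: Six of the seven wizard settings under step 5 are rewritten here while "Confirmation: click **Finish**" stays as context, so the last bullet keeps its old formatting. Confirm that it still lines up with its siblings in the rendered list, or include it in the change.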
@@ -432,18 +434,18 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
8. Use the following settings for the Import Operating System Wizard:
- - OS Type: **Full set of source files**
- - Source: **D:\\**
- - Destination: **W10Ent_x64**
+ - OS Type: **Full set of source files**
+ - Source: **D:\\**
+ - Destination: **W10Ent_x64**
- Summary: click **Next**
- Confirmation: click **Finish**
9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- - Task sequence ID: **REFW10X64-001**
- - Task sequence name: **Windows 10 Enterprise x64 Default Image**
- - Task sequence comments: **Reference Build**
+ - Task sequence ID: **REFW10X64-001**
+ - Task sequence name: **Windows 10 Enterprise x64 Default Image**
+ - Task sequence comments: **Reference Build**
- Template: **Standard Client Task Sequence**
- Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
- Specify Product Key: **Do not specify a product key at this time**
@@ -638,27 +640,27 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**.
-5. Configure the **Request State Store** action that was just added with the following settings:
- - Request state storage location to: **Restore state from another computer**
- - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
- - Options tab: Select the **Continue on error** checkbox.
- - Add Condition: **Task Sequence Variable**:
- - Variable: **USMTLOCAL**
- - Condition: **not equals**
- - Value: **True**
- - Click **OK**.
- - Click **Apply** .
+5. Configure the **Request State Store** action that was just added with the following settings:
+ - Request state storage location to: **Restore state from another computer**
+ - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
+ - Options tab: Select the **Continue on error** checkbox.
+ - Add Condition: **Task Sequence Variable**:
+ - Variable: **USMTLOCAL**
+ - Condition: **not equals**
+ - Value: **True**
+ - Click **OK**.
+ - Click **Apply** .
6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**.
-7. Configure the **Release State Store** action that was just added with the following settings:
- - Options tab: Select the **Continue on error** checkbox.
- - Add Condition: **Task Sequence Variable**:
- - Variable: **USMTLOCAL**
- - Condition: **not equals**
- - Value: **True**
- - Click **OK**.
- - Click **OK** .
+7. Configure the **Release State Store** action that was just added with the following settings:
+ - Options tab: Select the **Continue on error** checkbox.
+ - Add Condition: **Task Sequence Variable**:
+ - Variable: **USMTLOCAL**
+ - Condition: **not equals**
+ - Value: **True**
+ - Click **OK**.
+ - Click **OK** .
### Finalize the operating system configuration
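Review bot: The stray space before the period in `Click **Apply** .` (step 5) and `Click **OK** .` (step 7) is carried over unchanged into the `+` lines; since both lines are being rewritten anyway, close it up. Step 5 ends on **Apply** while step 7 ends on **OK** for what reads as the same dialog flow, so check whether that difference is intended.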
@@ -668,12 +670,12 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**.
2. Use the following settings for the New Deployment Share Wizard:
- - Deployment share path: **C:\MDTProduction**
- - Share name: **MDTProduction$**
- - Deployment share description: **MDT Production**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
- - Progress: settings will be applied
+ - Deployment share path: **C:\MDTProduction**
+ - Share name: **MDTProduction$**
+ - Deployment share description: **MDT Production**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
- Confirmation: click **Finish**
3. Right-click the **MDT Production** deployment share, and click **Properties**.
@@ -724,10 +726,10 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**.
-3. On the Deployment Settings page, use the following settings:
- - Purpose: **Available**
- - Make available to the following: **Only media and PXE**
- - Click **Next**.
+3. On the Deployment Settings page, use the following settings:
+ - Purpose: **Available**
+ - Make available to the following: **Only media and PXE**
+ - Click **Next**.
4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages.
5. Click **Close**.
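Review bot: Step 4, left as context directly below the rewritten step 3, says to click **Next** five times but names only four pages (Scheduling, User Experience, Alerts, Distribution Points). While this procedure is being touched, either name the fifth page or correct the count.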
@@ -910,14 +912,14 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**.
2. Use the following settings in the **Create Device Collection Wizard**:
- - General > Name: **Install Windows 10 Enterprise x64**
- - General > Limiting collection: **All Systems**
- - Membership Rules > Add Rule: **Direct Rule**
- - The **Create Direct Membership Rule Wizard** opens, click **Next**
- - Search for Resources > Resource class: **System Resource**
- - Search for Resources > Attribute name: **Name**
- - Search for Resources > Value: **%**
- - Select Resources > Value: Select the computername associated with the PC1 VM
+ - General > Name: **Install Windows 10 Enterprise x64**
+ - General > Limiting collection: **All Systems**
+ - Membership Rules > Add Rule: **Direct Rule**
+ - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - Search for Resources > Resource class: **System Resource**
+ - Search for Resources > Attribute name: **Name**
+ - Search for Resources > Value: **%**
+ - Select Resources > Value: Select the computername associated with the PC1 VM
- Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close)
3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed.
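Review bot: The added line "Select Resources > Value: Select the computername associated with the PC1 VM" keeps "computername" as one word; step 3 of the later USMT procedure writes "computer name/hostname", so use "computer name" here too. Step 1 in this hunk also says "Asset and Compliance workspace" where the later procedure in the same file says "Assets and Compliance workspace"; make the two match.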
@@ -925,14 +927,14 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**.
5. Use the following settings in the Deploy Sofware wizard:
- - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
- - Deployment Settings > Purpose: **Available**
- - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
- - Scheduling > Click **Next**
- - User Experience > Click **Next**
- - Alerts > Click **Next**
- - Distribution Points > Click **Next**
- - Summary > Click **Next**
+ - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**
+ - Deployment Settings > Purpose: **Available**
+ - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
+ - Scheduling > Click **Next**
+ - User Experience > Click **Next**
+ - Alerts > Click **Next**
+ - Distribution Points > Click **Next**
+ - Summary > Click **Next**
- Verify that the wizard completed successfully and then click **Close**
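Review bot: Step 5, the context line that introduces the rewritten bullets, reads "Deploy Sofware wizard"; fix the spelling to "Software" in the same change, since every bullet below it is already being touched.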
@@ -970,14 +972,14 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**.
2. Use the following settings in the **Create Device Collection Wizard**:
- - General > Name: **USMT Backup (Replace)**
- - General > Limiting collection: **All Systems**
- - Membership Rules > Add Rule: **Direct Rule**
- - The **Create Direct Membership Rule Wizard** opens, click **Next**
- - Search for Resources > Resource class: **System Resource**
- - Search for Resources > Attribute name: **Name**
- - Search for Resources > Value: **%**
- - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
+ - General > Name: **USMT Backup (Replace)**
+ - General > Limiting collection: **All Systems**
+ - Membership Rules > Add Rule: **Direct Rule**
+ - The **Create Direct Membership Rule Wizard** opens, click **Next**
+ - Search for Resources > Resource class: **System Resource**
+ - Search for Resources > Attribute name: **Name**
+ - Search for Resources > Value: **%**
+ - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
- Click **Next** twice and then click **Close** in both windows.
3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed.
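Review bot: The added "Select Resources" line hard-codes "GREGLIN-PC1 in this example", a host name tied to the author's own lab, and the matching bullet in the earlier "Install Windows 10 Enterprise x64" collection gives no example at all. Use a neutral placeholder in both places or drop the example, and write "computer name" as two words to agree with step 3.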
@@ -985,13 +987,13 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
### Create a new deployment
In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings:
-- General > Collection: **USMT Backup (Replace)**
-- Deployment Settings > Purpose: **Available**
-- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
-- Scheduling: Click **Next**
-- User Experience: Click **Next**
-- Alerts: Click **Next**
-- Distribution Points: Click **Next**
+- General > Collection: **USMT Backup (Replace)**
+- Deployment Settings > Purpose: **Available**
+- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
+- Scheduling: Click **Next**
+- User Experience: Click **Next**
+- Alerts: Click **Next**
+- Distribution Points: Click **Next**
- Click **Next** and then click **Close**.
### Verify the backup
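Review bot: The rewritten bullets mix two separators for wizard pages: "General > Collection" and "Deployment Settings > Purpose" use `>`, while "Scheduling: Click **Next**" and the three bullets after it use a colon. The Deploy Software wizard list earlier in this file writes the same pages as "Scheduling > Click **Next**", so pick one form and apply it across both lists.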
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 5a67eebb9e..b7d72b7783 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt, sccm
ms.localizationpriority: high
-ms.date: 08/23/2017
+ms.date: 10/10/2017
author: greg-lindsay
---
@@ -42,25 +42,25 @@ After completing the instructions in this guide, you will have a PoC environment
Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
+
+
-
-
Topic
Description
Time
-
-
[Hardware and software requirements](#hardware-and-software-requirements)
Prerequisites to complete this guide.
Informational
-
[Lab setup](#lab-setup)
A description and diagram of the PoC environment.
Informational
-
[Configure the PoC environment](#configure-the-poc-environment)
Parent topic for procedures.
Informational
-
[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
Verify that installation of Hyper-V is supported, and install the Hyper-V server role.
10 minutes
-
[Download VHD and ISO files](#download-vhd-and-iso-files)
Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.
30 minutes
-
[Convert PC to VM](#convert-pc-to-vm)
Convert a physical computer on your network to a VM hosted in Hyper-V.
30 minutes
-
[Resize VHD](#resize-vhd)
Increase the storage capacity for one of the Windows Server VMs.
5 minutes
-
[Configure Hyper-V](#configure-hyper-v)
Create virtual switches, determine available RAM for virtual machines, and add virtual machines.
15 minutes
-
[Configure service and user accounts](#configure-service-and-user-accounts)
Start virtual machines and configure all services and settings.
60 minutes
-
[Configure VMs](#configure-vms)
Start virtual machines and configure all services and settings.
60 minutes
-
[Appendix A: Verify the configuration](#appendix-a-verify-the-configuration)
Verify and troubleshoot network connectivity and services in the PoC environment.
30 minutes
-
[Appendix B: Terminology in this guide](#appendix-b-terminology-used-in-this-guide)
Terms used in this guide.
Informational
-
-
+
+
Topic
Description
Time
+
[Hardware and software requirements](#hardware-and-software-requirements)
Prerequisites to complete this guide.
Informational
+
[Lab setup](#lab-setup)
A description and diagram of the PoC environment.
Informational
+
[Configure the PoC environment](#configure-the-poc-environment)
Parent topic for procedures.
Informational
+
[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
Verify that installation of Hyper-V is supported, and install the Hyper-V server role.
10 minutes
+
[Download VHD and ISO files](#download-vhd-and-iso-files)
Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.
30 minutes
+
[Convert PC to VM](#convert-pc-to-vm)
Convert a physical computer on your network to a VM hosted in Hyper-V.
30 minutes
+
[Resize VHD](#resize-vhd)
Increase the storage capacity for one of the Windows Server VMs.
5 minutes
+
[Configure Hyper-V](#configure-hyper-v)
Create virtual switches, determine available RAM for virtual machines, and add virtual machines.
15 minutes
+
[Configure service and user accounts](#configure-service-and-user-accounts)
Start virtual machines and configure all services and settings.
60 minutes
+
[Configure VMs](#configure-vms)
Start virtual machines and configure all services and settings.
60 minutes
+
[Appendix A: Verify the configuration](#appendix-a-verify-the-configuration)
Verify and troubleshoot network connectivity and services in the PoC environment.
30 minutes
+
[Appendix B: Terminology in this guide](#appendix-b-terminology-used-in-this-guide)
Terms used in this guide.
Informational
+
## Hardware and software requirements
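Review bot: In the added rows, "Configure service and user accounts" and "Configure VMs" carry the same description ("Start virtual machines and configure all services and settings.") and the same 60 minute estimate, which looks like a copy-paste left over from the old table; give the service and user accounts row its own description. The Appendix B row's link text is "Terminology in this guide" while its anchor is `#appendix-b-terminology-used-in-this-guide`, so align the link text with the heading it points to.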
@@ -74,9 +74,9 @@ Harware requirements are displayed below:
-
+
-
+
**Computer 1** (required)
**Computer 2** (recommended)
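Review bot: The hunk header shows the sentence that introduces this table as "Harware requirements are displayed below:"; the changed lines sit directly under it, so correct the spelling to "Hardware" in the same commit.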
@@ -230,7 +230,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
-

+

2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
@@ -262,7 +262,7 @@ w10-enterprise.iso
>Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
-
+
If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
@@ -292,7 +292,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio
-
+
Architecture
@@ -363,7 +363,7 @@ The following table displays the Hyper-V VM generation to choose based on the OS
-
+
OS
Partition style
@@ -1073,18 +1073,18 @@ Use the following procedures to verify that the PoC environment is configured pr
-
-
Term
Definition
-
GPT
GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.
-
Hyper-V
Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.
-
Hyper-V host
The computer where Hyper-V is installed.
-
Hyper-V Manager
The user-interface console used to view and configure Hyper-V.
-
MBR
Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.
-
Proof of concept (PoC)
Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.
-
Shadow copy
A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.
-
Virtual machine (VM)
A VM is a virtual computer with its own operating system, running on the Hyper-V host.
-
Virtual switch
A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.
-
VM snapshot
A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.
+
+
Term
Definition
+
GPT
GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.
+
Hyper-V
Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.
+
Hyper-V host
The computer where Hyper-V is installed.
+
Hyper-V Manager
The user-interface console used to view and configure Hyper-V.
+
MBR
Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.
+
Proof of concept (PoC)
Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.
+
Shadow copy
A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.
+
Virtual machine (VM)
A VM is a virtual computer with its own operating system, running on the Hyper-V host.
+
Virtual switch
A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.
+
VM snapshot
A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.
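Review bot: The added "Shadow copy" definition describes a snapshot "of a computer" while naming the Volume Shadow Copy Service in the same sentence; VSS snapshots are taken per volume, so say "of a volume" to keep the term distinct from "VM snapshot" two rows below. In that last row, "point in time image" should be hyphenated as "point-in-time image".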
diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md
index 0ac76da289..5294ed490a 100644
--- a/windows/device-security/TOC.md
+++ b/windows/device-security/TOC.md
@@ -662,6 +662,8 @@
### [TPM recommendations](tpm/tpm-recommendations.md)
## [Windows security baselines](windows-security-baselines.md)
+### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
+### [Get support](get-support-for-security-baselines.md)
## [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
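Review bot: The second added entry is titled only "Get support", which is ambiguous once it appears in a table of contents or a search result away from its parent; the target file is get-support-for-security-baselines.md, so title the entry "Get support for security baselines". The first added file name ends in "-10" while its title is "Security Compliance Toolkit" with no version, so confirm that the suffix is intended.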
diff --git a/windows/device-security/applocker/applocker-overview.md b/windows/device-security/applocker/applocker-overview.md
index c79f90e6e1..aed33bd5c2 100644
--- a/windows/device-security/applocker/applocker-overview.md
+++ b/windows/device-security/applocker/applocker-overview.md
@@ -135,4 +135,4 @@ For reference in your security planning, the following table identifies the base
| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
| [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. |
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=applocker-overview.md).
\ No newline at end of file
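Review bot: Both the removed and the added last line are flagged "No newline at end of file"; add the trailing newline while this line is being rewritten so later edits to the footer do not show up as two-line diffs. The new link also hard-codes `topic=applocker-overview.md`, which will go stale if the file is renamed, so note that dependency wherever this footer is maintained.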
diff --git a/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
index 52784431c3..18f3f6fa64 100644
--- a/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+++ b/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
@@ -17,7 +17,7 @@ author: brianlic-msft
This topic explains the AppLocker rule collection for packaged app installers and packaged apps.
-Universal Windows apps can be installed through the Windows Store or can be sideloaded using the Windows PowerShell cmdlets. Universal Windows apps can be installed by a standard user unlike some Classic Windows applications that sometimes require administrative privileges for installation.
+Universal Windows apps can be installed through the Microsoft Store or can be sideloaded using the Windows PowerShell cmdlets. Universal Windows apps can be installed by a standard user unlike some Classic Windows applications that sometimes require administrative privileges for installation.
Typically, an app consists of multiple components – the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections – exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It is therefore possible to control an entire app with a single rule.
AppLocker enforces rules for Universal Windows apps separately from Classic Windows applications. A single AppLocker rule for a Universal Windows app can control both the installation and the running of an app. Because all Universal Windows apps are signed, AppLocker supports only publisher rules for Universal Windows apps. A publisher rule for a Universal Windows app is based on the following attributes of the app:
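Review bot: The rewritten sentence still says apps can be "sideloaded using the Windows PowerShell cmdlets" without naming or linking the cmdlets, which matters here because sideloading is the install path that bypasses the Store; link to the sideloading topic. The second sentence in the same `+` line needs a comma before "unlike" ("installed by a standard user, unlike some Classic Windows applications").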
diff --git a/windows/device-security/applocker/understand-applocker-policy-design-decisions.md b/windows/device-security/applocker/understand-applocker-policy-design-decisions.md
index b7b3d4f4c2..815d29dbd1 100644
--- a/windows/device-security/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/device-security/applocker/understand-applocker-policy-design-decisions.md
@@ -38,7 +38,7 @@ You might need to control a limited number of apps because they access sensitive
| - | - |
| Control all apps | AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).|
| Control specific apps | When you create AppLocker rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).|
-|Control only Classic Windows applications, only Universal Windows apps, or both| AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Windows Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps. For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.|
+|Control only Classic Windows applications, only Universal Windows apps, or both| AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Microsoft Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps. For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.|
| Control apps by business group and user | AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.|
| Control apps by computer, not user | AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.|
|Understand app usage, but there is no need to control any apps yet | AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.|
@@ -59,7 +59,7 @@ You might need to control a limited number of apps because they access sensitive
### Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions
-AppLocker policies for Universal Windows apps can only be applied to apps that are installed on computers running Windows operating systems that support Windows Store apps. However, Classic Windows applications can be controlled in Windows Server 2008 R2 and Windows 7, in addition to those computers that support Universal Windows apps. The rules for Classic Windows applications and Universal Windows apps can be enforced together. The differences you should consider for Universal Windows apps are:
+AppLocker policies for Universal Windows apps can only be applied to apps that are installed on computers running Windows operating systems that support Microsoft Store apps. However, Classic Windows applications can be controlled in Windows Server 2008 R2 and Windows 7, in addition to those computers that support Universal Windows apps. The rules for Classic Windows applications and Universal Windows apps can be enforced together. The differences you should consider for Universal Windows apps are:
- All Universal Windows apps can be installed by a standard user, whereas a number of Classic Windows applications require administrative credentials to install. So in an environment where most of the users are standard users, you might not need numerous exe rules, but you might want more explicit policies for packaged apps.
- Classic Windows applications can be written to change the system state if they run with administrative credentials. Most Universal Windows apps cannot change the system state because they run with limited permissions. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes.
diff --git a/windows/device-security/bitlocker/bcd-settings-and-bitlocker.md b/windows/device-security/bitlocker/bcd-settings-and-bitlocker.md
index ccd9afd831..5bbe801d60 100644
--- a/windows/device-security/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/device-security/bitlocker/bcd-settings-and-bitlocker.md
@@ -126,11 +126,12 @@ This following is a full list of BCD settings with friendly names which are igno
| 0x15000042 | all| keyringaddress|
| 0x15000047 | all| configaccesspolicy|
| 0x1500004b | all| integrityservices|
-| 0x1500004c|all| volumebandid|
+| 0x1500004c | all| volumebandid|
| 0x15000051 | all| initialconsoleinput|
| 0x15000052 | all| graphicsresolution|
| 0x15000065 | all| displaymessage|
-| 0x15000066| all| displaymessageoverride|
+| 0x15000066 | all| displaymessageoverride|
+| 0x15000081 | all| logcontrol|
| 0x16000009 | all| recoveryenabled|
| 0x1600000b | all| badmemoryaccess|
| 0x1600000f | all| traditionalkseg|
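Review bot: The new `| 0x15000081 | all| logcontrol|` row is a substantive addition to this BCD settings list, but it sits between two whitespace-only fixes (`0x1500004c`, `0x15000066`) and is not listed in the October 2017 entries that this same patch adds to change-history-for-device-security.md. Either add a change-history row for bcd-settings-and-bitlocker.md or split the cosmetic fixes into their own commit so the new setting is visible in review. The touched rows also still use `| all|` while the first column is now padded, so the spacing fix is only partial.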
diff --git a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
index 98bc91bd6e..43c3ecbbd8 100644
--- a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
+++ b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
@@ -29,7 +29,7 @@ BitLocker is a data protection feature that encrypts the hard drives on your com
- [BitLocker Network Unlock](#bkmk-bnusect)
- [Other questions](#bkmk-other)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=bitlocker-frequently-asked-questions.md).
## Overview and requirements
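Review bot: The new Feedback Hub URI hard-codes the file name in `topic=bitlocker-frequently-asked-questions.md`, so the link silently goes stale if this topic is ever renamed or moved. The same pattern is repeated in bitlocker-overview.md later in this patch with its own file name. If the `topic` parameter is required, note in the contributor guidance that it must be updated on rename; otherwise consider dropping it and keeping only `tabid` and `contextid`, which the previous link already used.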
diff --git a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
index 5853b5df22..5c3968f8f7 100644
--- a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
@@ -237,7 +237,7 @@ On a computer with a compatible TPM, four types of authentication methods can be
- only the TPM for authentication
- insertion of a USB flash drive containing the startup key
-- the entry of a 6-digit to 20-digit personal identification number (PIN)
+- the entry of a 4-digit to 20-digit personal identification number (PIN)
- a combination of the PIN and the USB flash drive
There are four options for TPM-enabled computers or devices:
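Review bot: The changed bullet now reads "a 4-digit to 20-digit personal identification number (PIN)" with no qualifier, while the Reference text added further down in this file says the PIN length is 6 by default and can only be reduced to 4. A reader who stops at this list will take 4 as the normal lower bound. Suggest wording such as "a 6-digit to 20-digit PIN (the minimum can be lowered to 4 digits by policy)" so the list agrees with the policy description.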
@@ -323,7 +323,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
Policy description
-
With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits, and it can have a maximum length of 20 digits.
+
With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.
Introduced
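Review bot: In the added policy description, "The startup PIN must have a minimum length of 4 digits" is immediately followed by "By default, the minimum PIN length is 6", which reads as a contradiction. State the configurable range and the default separately, for example "The minimum length can be set from 4 to 20 digits; the default minimum is 6." Since this cell is where an administrator decides on a value, it would also help to mention here what the Reference section says later: reducing the minimum below 6 extends the TPM 2.0 lockout period.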
@@ -347,14 +347,34 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
When disabled or not configured
-
Users can configure a startup PIN of any length between 6 and 20 digits.
+
Users can configure a startup PIN of any length between 4 and 20 digits.
**Reference**
-This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
+This policy setting is applied when you turn on BitLocker.
+The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
+
+Originally, BitLocker allowed from 4 to 20 characters for a PIN.
+Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
+Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
+
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+
+The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
+For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
+A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
+This totals a maximum of about 4415 guesses per year.
+If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
+
+Increasing the PIN length requires a greater number of guesses for an attacker.
+In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
+
+Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
+To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
+If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### Disable new DMA devices when this computer is locked
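Review bot: The "When disabled or not configured" value now says users can pick a PIN "of any length between 4 and 20 digits", but the Reference text added in this same hunk says the length "is 6 characters by default, but it can be reduced to 4". If the policy is not configured, the default applies, so the lower bound in that cell should remain 6; please confirm the intended behavior and make the two statements agree. In the worked example, "all 9999 possible PIN combinations" undercounts by one, since a 4-digit PIN has 10,000 values (0000 through 9999). The hunk also switches between "digits" and "characters" for the same PIN, and "failed authorizations attempts" should be "failed authorization attempts".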
diff --git a/windows/device-security/bitlocker/bitlocker-overview.md b/windows/device-security/bitlocker/bitlocker-overview.md
index 0e88e352bd..aab42b32d4 100644
--- a/windows/device-security/bitlocker/bitlocker-overview.md
+++ b/windows/device-security/bitlocker/bitlocker-overview.md
@@ -82,4 +82,4 @@ When installing the BitLocker optional component on a server you will also need
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.|
| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core |
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=bitlocker-overview.md).
diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md
index cb46edf710..f87ef6a78a 100644
--- a/windows/device-security/change-history-for-device-security.md
+++ b/windows/device-security/change-history-for-device-security.md
@@ -11,6 +11,16 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
+## October 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [TPM fundamentals](tpm/tpm-fundamentals.md) [BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Explained the change to allow reducing the maximum PIN length from 6 characters to 4. |
+| [Windows security baselines](windows-security-baselines.md) | New. Security baselines added for Windows 10, versions 1703 and 1709. |
+| [Security Compliance Toolkit](security-compliance-toolkit-10.md) | New. Includes a link to tools for managing security baselines. |
+| [Get support for security baselines](get-support-for-security-baselines.md) | New. Explains supported versions for security baselines and other support questions. |
+
+
+
## August 2017
|New or changed topic |Description |
|---------------------|------------|
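Review bot: The first October 2017 row says "reducing the maximum PIN length from 6 characters to 4", but the change documented in bitlocker-group-policy-settings.md in this patch is to the minimum PIN length; the maximum stays at 20. Change "maximum" to "minimum". In the same row the two links, `[TPM fundamentals](tpm/tpm-fundamentals.md)` and `[BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md)`, run together in one cell with no separator, so add "and" or a line break between them. The three blank `+` lines after the table can be reduced to one.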
diff --git a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
index 0e2e0995b9..198770fcb7 100644
--- a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
+++ b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
@@ -28,7 +28,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
1. Be sure that a code integrity policy is currently deployed in audit mode on the computer on which you will run Package Inspector.
- Package Inspector does not always detect installation files that have been removed from the computer during the installation process. To ensure that these binaries are also trusted, deploy a code integrity policy in audit mode. You can use the code integrity policy that you created and audited in [Create a code integrity policy from a golden computer](deploy-code-integrity-policies-steps.md#create-a-code-integrity-policy-from-a-golden-computer) and [Audit code integrity policies](deploy-code-integrity-policies-steps.md#audit-code-integrity-policies).
+ Package Inspector does not always detect installation files that have been removed from the computer during the installation process. To ensure that these binaries are also trusted, deploy a code integrity policy in audit mode. You can use the code integrity policy that you created and audited in [Create a code integrity policy from a reference computer](deploy-code-integrity-policies-steps.md#create-a-code-integrity-policy-from-a-reference-computer) and [Audit code integrity policies](deploy-code-integrity-policies-steps.md#audit-code-integrity-policies).
> **Note** This process should **not** be performed on a system with an enforced Windows Defender Device Guard policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application.
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
index 8b11311fb6..cef4895ba6 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
@@ -16,19 +16,25 @@ author: brianlic-msft
For an overview of the process described in the following procedures, see [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of code integrity policies fits with other steps in the Windows Defender Device Guard deployment process, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
-## Create a code integrity policy from a golden computer
+## Create a code integrity policy from a reference computer
-The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents.
+This section outlines the process to create a code integrity policy with Windows PowerShell.
+For this example, you must initiate variables to be used during the creation process or use the full file paths in the command.
+Then create the code integrity policy by scanning the system for installed applications.
+The policy file is converted to binary format when it gets created so that Windows can interpret it.
> [!Note]
-> Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy.
+> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the code integrity policy.
### Scripting and applications
-Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts.
-You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Windows Defender Device Guard in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
+Each installed software application should be validated as trustworthy before you create a policy.
+We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable.
+Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts.
+You can remove or disable such software on the reference computer.
+You can also fine-tune your control by [using Windows Defender Device Guard in combination with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
-Members of the security community\* continuously collaborate with Microsoft® to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Device Guard code integrity policies.
+Members of the security community\* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Device Guard code integrity policies.
Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Windows Defender Device Guard:
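Review bot: The rewritten intro sentence "The policy file is converted to binary format when it gets created" implies the conversion happens automatically at creation, whereas the removed text described it as a following step ("When created, the policy file is converted to binary format"), and a note later in this file still refers to the walkthrough "to create a code integrity policy and convert it to binary format". Suggest "After the policy is created, convert it to binary format so that Windows can interpret it." Two smaller wording points in the added lines: "initiate variables" should be "initialize variables", and "could render the PC more vulnerable" still says PC although the surrounding sentences were changed to "reference computer".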
@@ -70,11 +76,17 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
>[!Note]
->This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
+>This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
-Certain software applications may allow additional code to run by design. These types of applications should be blocked by your Windows Defender Device Guard policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Device Guard bypass, you should add deny rules to your code integrity policies for that application’s previous, less secure versions.
+Certain software applications may allow additional code to run by design.
+These types of applications should be blocked by your Windows Defender Device Guard policy.
+In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Device Guard bypass, you should add deny rules to your code integrity policies for that application’s previous, less secure versions.
-Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Windows Defender Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes.
+Microsoft recommends that you install the latest security updates.
+The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Device Guard code integrity policies.
+These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes.
+
+For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules.
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
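Review bot: Dropping "in-box" from "several issues in in-box PowerShell modules" widens the statement from the modules that ship with Windows to PowerShell modules in general; if the June 2017 fixes only covered the in-box modules, keep the qualifier. The added October 2017 sentence says older versions of system.management.automation.dll are revoked "by hash values, instead of version rules", but it does not tell the reader what to do with that information. Say explicitly that the deny rules for those hashes are part of the policy to be merged with Merge-CIPolicy, and replace "we are announcing" with dated, version-neutral wording, since the sentence will remain in the topic after October 2017.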
@@ -94,9 +106,6 @@ Microsoft recommends that you block the following Microsoft-signed applications
-
-
-
@@ -113,7 +122,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
-
+
@@ -123,43 +132,258 @@ Microsoft recommends that you block the following Microsoft-signed applications
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
@@ -178,21 +402,21 @@ Microsoft recommends that you block the following Microsoft-signed applications
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -219,14 +443,228 @@ Microsoft recommends that you block the following Microsoft-signed applications
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -253,7 +691,7 @@ To create a code integrity policy, copy each of the following commands into an e
` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt `
- > [!Notes]
+ > [!Note]
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
@@ -279,11 +717,11 @@ We recommend that every code integrity policy be run in audit mode before being
When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies.
> [!Note]
-> Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
+> Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
**To audit a code integrity policy with local policy:**
-1. Find a *.bin policy file that you have created, for example, the DeviceGuardPolicy.bin file that resulted from the steps in the earlier section, [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Copy the file to C:\\Windows\\System32\\CodeIntegrity.
+1. Find a *.bin policy file that you have created, for example, the DeviceGuardPolicy.bin file that resulted from the steps in the earlier section, [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer). Copy the file to C:\\Windows\\System32\\CodeIntegrity.
2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**.
@@ -297,7 +735,7 @@ When code integrity policies are run in audit mode, it allows administrators to
> [!Note]
- > - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access.
+ > - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access.
> - Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers.
@@ -355,7 +793,7 @@ Use the following procedure after you have been running a computer with a code i
You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the next section, [Merge code integrity policies](#merge-code-integrity-policies).
> [!Note]
-> You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
+> You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
## Use a code integrity policy to control specific plug-ins, add-ins, and modules
@@ -385,7 +823,7 @@ New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
## Merge code integrity policies
-When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy.
+When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from reference computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy.
> [!Note]
> The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine.
@@ -435,7 +873,7 @@ Every code integrity policy is created with audit mode enabled. After you have s
` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
> [!Note]
- > The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
+ > The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the code integrity policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options.
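Review bot: The changed note names the variables as **CIPolicyPath** and **InitialCIPolicy** without the `$` prefix, while the code line directly above uses `$CIPolicyPath` and `$CIPolicyBin`. Since the line is being edited anyway, write them as **$CIPolicyPath** and **$InitialCIPolicy** so the note matches what the reader types.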
@@ -464,20 +902,22 @@ Now that this policy is in enforced mode, you can deploy it to your test compute
## Signing code integrity policies with SignTool.exe
-Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. Before you sign and deploy a signed code integrity policy, we recommend that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section.
+Signed code integrity policies give organizations the highest level of malware protection available in Windows 10.
+In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer.
+These policies are designed to prevent administrative tampering and kernel mode exploit access.
+With this in mind, it is much more difficult to remove signed code integrity policies.
+Before you sign and deploy a signed code integrity policy, we recommend that you [audit the policy](#audit-code-integrity-policies) to discover any blocked applications that should be allowed to run.
-Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) to create one with your on-premises CA.
+Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
+If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) to create one with your on-premises CA.
Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Code integrity policy rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-policy-rules) in "Deploy code integrity policies: policy rules and file rules."
-> [!Note]
-> Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers.
-
To sign a code integrity policy with SignTool.exe, you need the following components:
- SignTool.exe, found in the Windows SDK (Windows 7 or later)
-- The binary format of the code integrity policy that you generated in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section or another code integrity policy that you have created
+- The binary format of the code integrity policy that you generated in the [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer) section or another code integrity policy that you have created
- An internal CA code signing certificate or a purchased code signing certificate
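Review bot: The rewritten sentence "With this in mind, it is much more difficult to remove signed code integrity policies." lost its comparison when "than unsigned ones" was dropped; restore it. The deleted [!Note] was also the only visible text in this section telling readers that signing is the last step and that a signed policy should be tested on a subset of computers first; the added lines keep only the audit recommendation. Because the same paragraph says an administrator cannot modify or delete a signed policy, keep that staged-rollout advice, for example as one sentence after the audit recommendation. While this section is open, the context line `Set-RuleOption -FilePath -Option 9` shows `-FilePath` with no value and needs its placeholder restored.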
@@ -492,7 +932,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
> [!Note]
- > This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
+ > This example uses the code integrity policy that you created in the [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
@@ -594,7 +1034,7 @@ There may be a time when signed code integrity policies cause a boot failure. Be
Code integrity policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
> [!Note]
-> This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic.
+> This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer), earlier in this topic.
> [!Note]
> Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment.
@@ -626,7 +1066,7 @@ To deploy and manage a code integrity policy with Group Policy:
In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5.
> [!Note]
- > The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
+ > The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.

diff --git a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
index dbd9304e45..de08418e65 100644
--- a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
+++ b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
@@ -16,7 +16,9 @@ author: brianlic-msft
As you deploy code integrity policies (part of Windows Defender Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md).
-If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate:
+If you have an internal CA, complete these steps to create a code signing certificate.
+Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded.
+ECDSA is not supported.
1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.
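Review bot: "PKCS 1.5 padded" in the added lines should name the scheme precisely as PKCS #1 v1.5, and "Only RSA algorithm is supported" needs an article ("Only the RSA algorithm"). Phrase the constraint as a requirement on the certificate template that the following steps create, so a reader does not issue an ECDSA certificate and only find out when signing fails. If there is a supported RSA key size range, state it in the same place.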
diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
index ec2f600b51..a2e6dd92f6 100644
--- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -116,7 +116,7 @@ Catalog files can be very useful for unsigned LOB applications that cannot easil
To obtain signed applications or embed signatures in your in-house applications, you can choose from a variety of methods:
-- Using the Windows Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own.
+- Using the Microsoft Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own.
- Using your own digital certificate or public key infrastructure (PKI). ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers.
@@ -124,7 +124,7 @@ To obtain signed applications or embed signatures in your in-house applications,
To use catalog signing, you can choose from the following options:
-- Use the Windows Defender Device Guard signing portal available in the Windows Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Windows Defender Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
+- Use the Windows Defender Device Guard signing portal available in the Microsoft Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Windows Defender Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
diff --git a/windows/device-security/get-support-for-security-baselines.md b/windows/device-security/get-support-for-security-baselines.md
new file mode 100644
index 0000000000..e8b7351c12
--- /dev/null
+++ b/windows/device-security/get-support-for-security-baselines.md
@@ -0,0 +1,97 @@
+---
+title: Get support
+description: This article, and the articles it links to, answers frequently asked question on how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.author: sagaudre
+author: brianlic-msft
+ms.date: 10/17/2017
+---
+
+# Get Support
+
+**What is the Microsoft Security Compliance Manager (SCM)?**
+
+The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
+
+More information about this change can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/).
+
+**Where can I get an older version of a Windows baseline?**
+
+Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
+
+- [SCM 4.0 Download](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
+- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
+- [SCM Baseline Download Help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
+
+**What file formats are supported by the new SCT?**
+
+The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCM’s .cab files are no longer supported.
+
+**Does SCT support Desired State Configuration (DSC) file format?**
+
+Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features.
+
+**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?**
+
+No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
+
+**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?**
+
+No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support.
+
+
+
+## Version Matrix
+
+**Client Versions**
+
+| Name | Build | Baseline Release Date | Security Tools |
+|---|---|---|---|
+|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/)
[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017
August 2017
October 2016
January 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Vista |[6002 (SP2)](https://technet.microsoft.com/library/dd450978.aspx)| January 2007| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Windows XP |[2600 (SP3)](https://technet.microsoft.com/library/cc163061.aspx)| October 2001| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+
+
+
+**Server Versions**
+
+| Name | Build | Baseline Release Date | Security Tools |
+|---|---|---|---|
+|Windows Server 2016 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+|Windows Server 2012 R2|[SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
+|Windows Server 2012|[Technet](https://technet.microsoft.com/library/jj898542.aspx) |2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.aspx)|2009 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Windows Server 2008 |[SP2](https://technet.microsoft.com/library/cc514539.aspx)| 2008 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+|Windows Server 2003 R2|[Technet](https://technet.microsoft.com/library/cc163140.aspx)| 2003 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Windows Server 2003|[Technet](https://technet.microsoft.com/library/cc163140.aspx)|2003|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+
+
+
+**Microsoft Products**
+
+| Name | Details | Security Tools |
+|---|---|---|
+Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|[SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Internet Explorer 10|[Technet](https://technet.microsoft.com/library/jj898540.aspx)|[SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+|Internet Explorer 9|[Technet](https://technet.microsoft.com/library/hh539027.aspx)|[SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Internet Explorer 8|[Technet](https://technet.microsoft.com/library/ee712766.aspx)|[SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Exchange Server 2010|[Technet](https://technet.microsoft.com/library/hh913521.aspx)| [SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Exchange Server 2007|[Technet](https://technet.microsoft.com/library/hh913520.aspx)| [SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Microsoft Office 2010|[Technet](https://technet.microsoft.com/library/gg288965.aspx)| [SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+|Microsoft Office 2007 SP2|[Technet](https://technet.microsoft.com/library/cc500475.aspx)| [SCT 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+
+
+
+> [!NOTE]
+> Browser baselines are built-in to new OS versions starting with Windows 10
+
+## See also
+
+[Windows Security Baselines](windows-security-baselines.md)
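Review bot: In the Microsoft Products table, the link text "SCT 4.0" on every row points at the same `solutionaccelerators/cc835245.aspx` URL that the client and server tables label "SCM 4.0"; it should read "SCM 4.0", since the FAQ above says SCM and SCT are different tools and SCM is retired. The Internet Explorer 11 row also has four cells under a three-column header, and most rows in that table lack the closing `|`. In the client table, the Windows 10 row lists two builds against five release dates and is split across several lines, and several rows start without a leading `|`, so the table will not render as intended. The FAQ text has two consistency problems as well: it says baselines before Windows 10 1703 are downloaded with SCM while the matrix puts build 1507 under SCT 1.0, and the DSC answer says a tool is still being developed while the next answer links to a tool that converts GPO backups to DSC. Smaller points: "frequently asked question" in the description should be plural, and "convert GPOs and DSC" presumably means "convert GPOs to DSC".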
diff --git a/windows/device-security/images/community.png b/windows/device-security/images/community.png
new file mode 100644
index 0000000000..8d99720c6e
Binary files /dev/null and b/windows/device-security/images/community.png differ
diff --git a/windows/device-security/images/get-support.png b/windows/device-security/images/get-support.png
new file mode 100644
index 0000000000..427ba670de
Binary files /dev/null and b/windows/device-security/images/get-support.png differ
diff --git a/windows/device-security/images/security-compliance-toolkit-1.png b/windows/device-security/images/security-compliance-toolkit-1.png
new file mode 100644
index 0000000000..270480af39
Binary files /dev/null and b/windows/device-security/images/security-compliance-toolkit-1.png differ
diff --git a/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 337320eccf..006a0c4470 100644
--- a/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -292,8 +292,8 @@ Device Guard policy into the UpdateSigner section.
On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows 10.
-With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Windows Store infrastructure. More specifically, LOB apps will be available in a private store within the public Windows Store. Windows Store signs and distributes Universal
-Windows apps and Classic Windows apps. All apps downloaded from the Windows Store are signed.
+With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the public Microsoft Store. Microsoft Store signs and distributes Universal
+Windows apps and Classic Windows apps. All apps downloaded from the Microsoft Store are signed.
In organizations today, the vast majority of LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best practice, a lot of internal applications are not signed.
diff --git a/windows/device-security/security-compliance-toolkit-10.md b/windows/device-security/security-compliance-toolkit-10.md
new file mode 100644
index 0000000000..714ccde1d8
--- /dev/null
+++ b/windows/device-security/security-compliance-toolkit-10.md
@@ -0,0 +1,57 @@
+---
+title: Microsoft Security Compliance Toolkit 1.0
+description: This article describes how to use the Security Compliance Toolkit in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.author: sagaudre
+author: brianlic-msft
+ms.date: 10/17/2017
+---
+
+# Microsoft Security Compliance Toolkit 1.0
+
+## What is the Security Compliance Toolkit (SCT)?
+
+The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
+
+The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
+
+
+The Security Compliance Toolkit consists of:
+
+- Windows 10 Security Baselines
+ - Windows 10 Version 1709 (Fall Creators Update)
+ - Windows 10 Version 1703 (Creators Update)
+ - Windows 10 Version 1607 (Anniversary Update)
+ - Windows 10 Version 1511 (November Update)
+ - Windows 10 Version 1507
+
+- Windows Server Security Baselines
+ - Windows Server 2016
+ - Windows Server 2012 R2
+
+- Tools
+ - Policy Analyzer tool
+ - Local Group Policy Object (LGPO) tool
+
+
+You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions.
+
+## What is the Policy Analyzer tool?
+
+The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:
+- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
+- Highlight the differences between versions or sets of Group Policies
+- Compare GPOs against current local policy and local registry settings
+- Export results to a Microsoft Excel spreadsheet
+
+Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
+
+More information on the Policy Analyzer tool can be found on the [Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+
+## What is the Local Group Policy Object (LGPO) tool?
+
+LGPO is a tool for transferring Group Policy directly between a host’s registry and a GPO backup file, bypassing the Domain Controller. This gives administrators a simple way to verify the effects of their Group Policy settings directly.
+Documentation for the LGPO tool can be found on the [Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
\ No newline at end of file
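Review bot: The bullet list under "Its main features include:" starts on the line directly after the sentence with no blank line between them; add one so the list renders as a list in every Markdown engine, as the other lists in this file do. The front matter `keywords: virtualization, security, malware` is identical to the get-support file and does not describe this page; use terms such as the toolkit and tool names. The LGPO section should say which direction of transfer "bypassing the Domain Controller" is meant for (testing a baseline on a single host), because the sentence otherwise reads as a way around domain policy. The file also ends without a trailing newline.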
diff --git a/windows/device-security/tpm/tpm-fundamentals.md b/windows/device-security/tpm/tpm-fundamentals.md
index 525a5a312d..ee007150c7 100644
--- a/windows/device-security/tpm/tpm-fundamentals.md
+++ b/windows/device-security/tpm/tpm-fundamentals.md
@@ -97,10 +97,7 @@ Because many entities can use the TPM, a single authorization success cannot res
TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer, and the logic varied widely throughout the industry.
-> [!WARNING]
-> For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.
-
-For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
+For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
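Review bot: With the [!WARNING] and the "Windows 8 Certified Hardware" qualifier removed, the added sentence "For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures" no longer says which Windows versions apply these defaults. Name the versions or say that it applies to all supported versions, so readers can tell whether the 32-failure and two-hour values hold on their systems. In the same line, "This inadvertently causes the TPM to enter a locked state" reads as if the lockout were unintended; the lockout is the designed response, so drop "inadvertently" or reword.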
@@ -112,10 +109,28 @@ In some enterprise situations, the TPM owner authorization value is configured t
TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked.
-### Rationale behind the Windows 8.1 and Windows 8 defaults
+### Rationale behind the defaults
-Windows relies on the TPM 2.0 anti-hammering protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios.
-For example, when BitLocker is used with a TPM plus PIN configuration, it needs the number of PIN guesses to be limited over time. If the computer is lost, someone could make only 32 PIN guesses immediately, and then only one more guess every two hours. This totals about 4415 guesses per year. This makes a good standard for system administrators to determine how many PIN characters to use for BitLocker deployments.
+Originally, BitLocker allowed from 4 to 20 characters for a PIN.
+Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
+Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
+
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+
+The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
+For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
+A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
+This totals a maximum of about 4415 guesses per year.
+If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
+
+Increasing the PIN length requires a greater number of guesses for an attacker.
+In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
+
+Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
+To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
+If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
+
+### TPM-based smart cards
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
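Review bot: "all 9999 possible PIN combinations" in the added rationale undercounts a 4-digit PIN space, which runs from 0000 through 9999 and so has 10,000 values. At the stated 4415 guesses per year the "a little over two years" conclusion still holds, so only the count needs changing. In the Dictionary Attack Prevention sentence, "failed authorizations attempts" should read "failed authorization attempts". The section opens with PIN lengths in "characters" and then works the example in "digits"; state which the example assumes. The closing sentence says the TPM 2.0 lockout period "will be extended" when the minimum PIN length is reduced, but gives neither the resulting value nor a pointer to where it is documented; an admin weighing a 4-character minimum needs that number.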
diff --git a/windows/device-security/windows-10-mobile-security-guide.md b/windows/device-security/windows-10-mobile-security-guide.md
index 207c463b85..48ce7f6de9 100644
--- a/windows/device-security/windows-10-mobile-security-guide.md
+++ b/windows/device-security/windows-10-mobile-security-guide.md
@@ -2,7 +2,7 @@
title: Windows 10 Mobile security guide (Windows 10)
description: This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.
ms.assetid: D51EF508-699E-4A68-A7CD-91D821A97205
-keywords: data protection, encryption, malware resistance, smartphone, device, Windows Store
+keywords: data protection, encryption, malware resistance, smartphone, device, Microsoft Store
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -183,7 +183,7 @@ The table below outlines how Windows 10 Mobile mitigates specific malware threat
An unauthorized app or malware attempts to start on the device.
-
All Windows 10 Mobile apps must come from Windows Store or Windows Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.
+
All Windows 10 Mobile apps must come from Microsoft Store or Microsoft Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.
User-level malware exploits a vulnerability in the system or an application and owns the device.
@@ -286,7 +286,7 @@ Because this solution can detect and prevent low-level malware that may be extre
Device Guard is a feature set that consists of both hardware and software system integrity–hardening features. These features revolutionize Windows operating system security by moving the entire operating system to a trust-nothing model.
-All apps on Windows 10 Mobile must be digitally signed and come from Windows Store or a trusted enterprise store. Device Guard implements policies that further restrict this. By default, Device Guard supports all apps from Windows Store. You can create policies that define the apps that can and cannot run on the Windows 10 Mobile device. If the app does not have a digital signature, is prevented by policy, or does not come from a trusted store, it will not run on Windows 10 Mobile.
+All apps on Windows 10 Mobile must be digitally signed and come from Microsoft Store or a trusted enterprise store. Device Guard implements policies that further restrict this. By default, Device Guard supports all apps from Microsoft Store. You can create policies that define the apps that can and cannot run on the Windows 10 Mobile device. If the app does not have a digital signature, is prevented by policy, or does not come from a trusted store, it will not run on Windows 10 Mobile.
Advanced hardware features, described above, drive these security offerings. By integrating these hardware features further into the core operating system, Windows 10 Mobile can use them in new ways. To deliver this additional security, Device Guard requires UEFI with Secure Boot.
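Review bot: Style point on the renamed line: "come from Microsoft Store" and "all apps from Microsoft Store" drop the article, while other files in this patch write "from the Microsoft Store" and "in the Microsoft Store". Pick one form and apply it to every renamed occurrence so the rename reads consistently across topics.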
@@ -339,10 +339,10 @@ A set of default permissions are granted to all AppContainers, including access
The AppContainer concept is advantageous because it provides:
- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions.
-- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Windows Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent.
+- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent.
- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types.
-Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Windows Store displays the permissions that the app requires along with the app’s age rating and publisher.
+Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Microsoft Store displays the permissions that the app requires along with the app’s age rating and publisher.
The combination of Device Guard and AppContainer help to prevent unauthorized apps from running. In the event malware slips into the app ecosystem, the AppContainer helps to constrain the app and limit potential damage. The Windows 10 Mobile trust-nothing model doesn’t assume that any component is perfect. However, potential vulnerabilities in apps, AppContainers, and Windows 10 Mobile itself could give an attacker a chance to compromise a system. For this reason, redundant vulnerability mitigations are needed. The next several topics describe some of the redundant mitigations in Windows 10 Mobile.
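Review bot: Since the "User consent and control" bullet is being rewritten anyway, fix its subject-verb agreement: "App access to capabilities that may expose sensitive information automatically prompt the user" should use "prompts". Same article inconsistency as the earlier hunk: this bullet says "in the Microsoft Store" but the last changed paragraph starts a sentence with bare "Microsoft Store displays".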
diff --git a/windows/device-security/windows-security-baselines.md b/windows/device-security/windows-security-baselines.md
new file mode 100644
index 0000000000..7a05bbf4e0
--- /dev/null
+++ b/windows/device-security/windows-security-baselines.md
@@ -0,0 +1,76 @@
+---
+title: Windows Security Baselines
+description: This article, and the articles it links to, describe how to use Windows Security Baselines in your organization
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.author: sagaudre
+author: brianlic-msft
+ms.date: 10/17/2017
+---
+
+# Windows Security Baselines
+
+**Applies to**
+
+- Windows 10
+- Windows Server (Semi-Annual Channel)
+- Windows Server 2016
+
+## Using security baselines in your organization
+
+Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities.
+
+Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.
+
+We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs.
+
+Here is a good blog about [Sticking with Well-Known and Proven Solutions](https://blogs.technet.microsoft.com/fdcc/2010/10/06/sticking-with-well-known-and-proven-solutions/).
+
+## What are security baselines?
+
+Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
+
+A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
+
+## Why are security baselines needed?
+
+Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers.
+
+For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting.
+
+In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to Windows security settings to help mitigate these threats. To enable faster deployments and make managing Windows easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects backups.
+
+## How can you use security baselines?
+
+You can use security baselines to:
+- Ensure that user and device configuration settings are compliant with the baseline.
+- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
+
+## Where can I get the security baselines?
+
+You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines.
+
+The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines.
+
+[](security-compliance-toolkit-10.md)
+[](get-support-for-security-baselines.md)
+
+## Community
+
+[](https://blogs.technet.microsoft.com/secguide/)
+
+## Related Videos
+
+You may also be interested in this msdn channel 9 video:
+- [Defrag Tools](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-174-Security-Baseline-Policy-Analyzer-and-LGPO)
+
+## See Also
+
+- [System Center Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager)
+- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite)
+- [Configuration Management for Nano Server](https://blogs.technet.microsoft.com/grouppolicy/2016/05/09/configuration-management-on-servers/)
+- [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/)
+- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)
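Review bot: Under "Where can I get the security baselines?" the two paragraphs repeat each other (the SCT is downloaded from the Download Center, and the SCT includes tools for managing baselines); keep one, preferably the second, since it links the SCT topic. The three links with empty text, [](security-compliance-toolkit-10.md), [](get-support-for-security-baselines.md) and the one under "Community", will render as nothing and need link text or an image reference. The front matter keywords ("virtualization, security, malware") do not describe this topic, and "See Also" lists the same download URL (id=55319) under two different labels. The sentence "A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact" also needs rewording, because as written the group of settings is what "explains".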
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index 56c4ddc65a..e24c5d48f2 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -1,4 +1,5 @@
# [Windows 10 and Windows 10 Mobile](index.md)
+## [Get started](/windows/whats-new/get-started-with-1709)
## [What's new](/windows/whats-new)
## [Deployment](/windows/deployment)
## [Configuration](/windows/configuration)
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 200db0cd98..27f20be8e9 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -8,19 +8,19 @@ author: brianlic-msft
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.date: 10/17/2017
---
# Windows 10 and Windows 10 Mobile
Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
-
-
+
-
+ What's New?
@@ -73,18 +73,14 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
## Get to know Windows as a Service (WaaS)
-
-
-
-
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
+
+
+
+The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
- - Read more about Windows as a Service
-
-
-
-
+ - [Read more about Windows as a Service](/windows/deployment/update/waas-overview)
## Related topics
[Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009)
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index 2ae59c5ff4..84c4ef2208 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -1,7 +1,24 @@
# [Threat protection](index.md)
-## [Windows Defender Security Center](windows-defender-security-center\windows-defender-security-center.md)
+
+
+## [The Windows Defender Security Center app](windows-defender-security-center\windows-defender-security-center.md)
+### [Customize the Windows Defender Security Center app for your organization](windows-defender-security-center\wdsc-customize-contact-information.md)
+### [Hide Windows Defender Security Center app notifications](windows-defender-security-center\wdsc-hide-notifications.md)
+### [Virus and threat protection](windows-defender-security-center\wdsc-virus-threat-protection.md)
+### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
+### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
+### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
+### [Family options](windows-defender-security-center\wdsc-family-options.md)
+
+
+
+
+
+
## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
+### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot onboarding and error messages](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
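Review bot: The added block for the Windows Defender Security Center app is surrounded by empty added lines, two before the "##" entry and six after "Family options". If these are not placeholders for something, trim them to a single blank line so the TOC stays easy to diff. The new entries also mix naming, "The Windows Defender Security Center app" for the parent and file names prefixed "wdsc-" for the children; that is fine, but confirm the parent link still points at the intended landing page after the retitle.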
@@ -124,6 +141,7 @@
#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+#### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md)
### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
@@ -135,6 +153,7 @@
### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+#### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
@@ -235,16 +254,18 @@
###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md)
## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
-### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md)
+### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md)
##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
-#### [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
+#### [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)
##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
+#### [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md)
+### [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
-#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
-#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md)
+### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
+### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md)
### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md)
### [Testing scenarios for Windows Information Protection (WIP)](windows-information-protection\testing-scenarios-for-wip.md)
### [Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md)
diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md
index f89c5ecee5..18996780d2 100644
--- a/windows/threat-protection/change-history-for-threat-protection.md
+++ b/windows/threat-protection/change-history-for-threat-protection.md
@@ -11,6 +11,11 @@ author: brianlic-msft
# Change history for threat protection
This topic lists new and updated topics in the [Threat protection](index.md) documentation.
+## October 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md)|New topic for MAM using the Azure portal.|
+
## June 2017
|New or changed topic |Description |
|---------------------|------------|
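Review bot: The October 2017 table lists only the MAM topic, but the TOC.md change in this same patch adds several other entries under threat protection (for example "Validate licensing and complete setup", "Enable Security Analytics security controls", "Use limited periodic scanning in Windows Defender AV" and the Windows Defender Security Center app topics). If those are new or changed topics, they belong in this table too; if they are tracked elsewhere, say so in the description.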
diff --git a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index ad126f35fa..a8f1dd39c7 100644
--- a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -205,11 +205,11 @@ With Protected Processes, Windows 10 prevents untrusted processes from interacti
### Universal Windows apps protections
-When users download Universal Windows apps from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
+When users download Universal Windows apps from the Microsoft Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission.
-In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher.
+In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher.
### Windows heap protections
diff --git a/windows/threat-protection/secure-the-windows-10-boot-process.md b/windows/threat-protection/secure-the-windows-10-boot-process.md
index 83a8c454ed..e602778817 100644
--- a/windows/threat-protection/secure-the-windows-10-boot-process.md
+++ b/windows/threat-protection/secure-the-windows-10-boot-process.md
@@ -17,7 +17,7 @@ ms.date: 06/23/2017
- Windows 10
- Windows 8.1
-The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Windows Store apps must meet a series of requirements to be certified and included in the Windows Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Windows Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Windows Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
+The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
Windows 10 has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. The SmartScreen Filter warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
diff --git a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md
index 486f7992dd..5142227854 100644
--- a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md
+++ b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md
@@ -650,4 +650,4 @@ You can get more info with the following links:
- [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx)
- [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=use-windows-event-forwarding-to-assist-in-instrusion-detection.md).
\ No newline at end of file
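Review bot: The replaced last line still ends the file without a newline, as the "\ No newline at end of file" marker on the added side shows. Add the trailing newline while this line is being changed so later edits to the footer do not produce a two-line diff.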
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 5b30a1d8e3..4d97b468d3 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -34,7 +34,7 @@ ms.date: 08/25/2017
- Windows Defender Security Center app
-Block at First Sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds.
+Block at first sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds.
It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled.
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index 92cb4eab33..43bd302fff 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -82,19 +82,7 @@ Hiding notifications can be useful in situations where you cannot hide the entir
> [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
-**Use Group Policy to display additional, custom text in notifications:**
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
-
-6. Double-click the **Display additional text to clients when they need to perform an action** setting and set the option to **Enabled**.
-
-7. Enter the additional text you want to be shown to users. Click **OK**.
+See the [Customize the Windows Defender Security Center app for your organization](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center-antivirus.md) topic for instructions to add cusomt contact information to the notifications that users see on their machines.
**Use Group Policy to hide notifications:**
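Review bot: the replacement line misspells "custom" as "cusomt", and its link target does not obviously match its link text. The text names the "Customize the Windows Defender Security Center app for your organization" topic, but the path is `/windows/threat-protection/windows-defender-security-center/windows-defender-security-center-antivirus.md`, while the file of that name touched later in this patch lives under `windows-defender-antivirus/`. Please confirm the target exists and use a relative link as the neighbouring topics do. The removed procedure configured the **Display additional text to clients when they need to perform an action** setting, whereas the new sentence talks about contact information, so check that the linked topic really covers that setting before dropping the steps here.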
diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md
new file mode 100644
index 0000000000..afa7a3d27d
--- /dev/null
+++ b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md
@@ -0,0 +1,7 @@
+
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md
new file mode 100644
index 0000000000..4dd10553c4
--- /dev/null
+++ b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md
@@ -0,0 +1,7 @@
+
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png
new file mode 100644
index 0000000000..b3bcfd6688
Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png differ
diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png
new file mode 100644
index 0000000000..8bfe45dd7b
Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png differ
diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps.png b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps.png
new file mode 100644
index 0000000000..b555bb6110
Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps.png differ
diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-wdav.png b/windows/threat-protection/windows-defender-antivirus/images/vtp-wdav.png
new file mode 100644
index 0000000000..4351777c34
Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/vtp-wdav.png differ
diff --git a/windows/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
new file mode 100644
index 0000000000..bbd2d551d3
--- /dev/null
+++ b/windows/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
@@ -0,0 +1,72 @@
+---
+title: Enable the limited periodic scanning feature in Windows Defender AV
+description: Limited periodic scanning lets you use Windows Defender AV in addition to your other installed AV providers
+keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 10/02/2017
+---
+
+
+
+# Use limited periodic scanning in Windows Defender AV
+
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+
+
+Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
+
+It can only be enabled in certain situations. See the [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) topic for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products.
+
+
+## How to enable limited periodic scanning
+
+By default, Windows Defender AV will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other AV product is out-of-date, expired, or not working correctly.
+
+If Windows Defender AV is enabled, the usual options will appear to configure Windows Defender AV on that device:
+
+
+
+
+If another AV product is installed and working correctly, Windows Defender AV will disable itself. The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options:
+
+
+
+Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.
+
+
+
+
+Sliding the swtich to **On** will show the standard Windows Defender AV options underneath the 3rd party AV product. The limited periodic scanning option will appear at the bottom of the page.
+
+
+
+
+
+
+
+## Related topics
+
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
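Review bot: the topic lists "Enterprise security administrators" as its audience, yet the only manageability option and the only procedure shown is the per-device toggle in the Windows Defender Security Center app. Please state whether limited periodic scanning can be enabled or audited centrally, or say plainly that it cannot. Smaller points in the same file: the front matter declares `ms.pagetype: security` twice, "Sliding the swtich to **On**" should read "switch", and the file ends without a trailing newline.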
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 1d49a1e634..b2d2890d2b 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -15,7 +15,7 @@ ms.date: 09/07/2017
---
-# Windows Defender Antivirus and third party protection products
+# Windows Defender Antivirus compatibility
**Applies to:**
@@ -30,13 +30,11 @@ ms.date: 09/07/2017
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
-However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself.
+However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. You can then choose to enable an optional, limited protection feature, called [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).
If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode.
-On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. See [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) topic for key differences and management options for Windows Server installations.
-
-The following matrix illustrates how Windows Defender AV operates when third-party antivirus products or Windows Defender ATP are also used.
+The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Windows Defender ATP are also used.
Windows version | Antimalware protection offered by | Organization enrolled in Windows Defender ATP | Windows Defender AV state
-|-|-|-
@@ -44,12 +42,19 @@ Windows 10 | A third-party product that is not offered or developed by Microsoft
Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode
Windows 10 | Windows Defender AV | Yes | Active mode
Windows 10 | Windows Defender AV | No | Active mode
-Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode
-Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode
+Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)]
+Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)]
Windows Server 2016 | Windows Defender AV | Yes | Active mode
Windows Server 2016 | Windows Defender AV | No | Active mode
+(1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [uninstall Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) to prevent problems caused by having multiple antivirus products installed on a machine.
+
+See the [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md#install-or-uninstall-windows-defender-av-on-windows-server-2016) topic for key differences and management options for Windows Server installations.
+
+
+
+
>[!IMPORTANT]
>Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016.
>
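Review bot: the two Windows Server 2016 rows now link to `#fn1`, but the footnote line as shown starts with a plain "(1)" and no matching anchor is visible, so please make sure an element with that id exists or the in-table links will go nowhere. In the footnote itself, the "uninstall Windows Defender AV on Windows Server 2016" link goes to the top of the server topic while the very next sentence links to its `#install-or-uninstall-windows-defender-av-on-windows-server-2016` section. Point the uninstall link at that section, since that is where the reader needs to land.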
@@ -58,25 +63,28 @@ Windows Server 2016 | Windows Defender AV | No | Active mode
>Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/en-us/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
+This table indicates the functionality and features that are available in each state:
+State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md)
+:-|:-|:-:|:-:|:-:|:-:|:-:
+Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
+Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)]
+Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
-In the passive and automatic disabled modes, Windows Defender AV will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender AV will not provide real-time protection from malware.
+Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
-The reasons for this are twofold:
-
-1. If you are enrolled in Windows Defender ATP, [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
-2. If the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, then Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint.
+Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app.
- Therefore, the Windows Defender AV service needs to update itself to ensure it has up-to-date protection coverage in case it needs to automatically enable itself.
+In passive and automatic disabled mode, you can still [manage updates for Windows Defender AV](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
- You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-
- If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
+ If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
>[!WARNING]
>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Defender Security Center app.
>
>This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.
+>
+>It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md).
## Related topics
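Review bot: the new state table contradicts the prose added beneath it on updates. The "Automatic disabled mode" row marks "Threat definition updates" as not available, but the paragraph starting "In passive and automatic disabled mode, you can still manage updates for Windows Defender AV" says the opposite. The stated purpose of automatic disabled mode (Windows Defender AV enabling itself when the third-party product lapses) also relies on definitions being current, which the removed text said explicitly. Please reconcile the row with the paragraph and consider keeping a sentence explaining why updates continue. The same row says "Files will not be scanned" while also marking limited periodic scanning as available, so it would help to say that the description applies when limited periodic scanning is off.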
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index 77b79508b8..a28b49ec2c 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -61,7 +61,7 @@ By default, Windows Defender AV is installed and functional on Windows Server 20
If the interface is not installed, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option.
-
+
See the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic for information on using the wizard.
@@ -87,6 +87,8 @@ Uninstall-WindowsFeature -Name Windows-Defender-GUI
You can also uninstall Windows Defender AV completely with the **Remove Roles and Features Wizard** by deselecting the **Windows Defender Features** option at the **Features** step in the wizard.
+This is useful if you have a third-party antivirus product installed on the machine already. Multiple AV products can cause problems when installed and actively running on the same machine. See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/en-us/wdsi/help/antimalware-faq#multiple-products).
+
>[!NOTE]
>Deselecting **Windows Defender** on its own under the **Windows Defender Features** section will automatically prompt you to remove the interface option **GUI for Windows Defender**.
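Review bot: "This is useful if you have a third-party antivirus product installed" is weaker than the guidance this same patch adds to the compatibility topic, which says you "should" uninstall Windows Defender AV on Windows Server 2016 in that case because it does not enter passive or disabled mode there. Please align the wording and give the reason here too, so an administrator reading only this page understands that both products will otherwise run actively side by side. The final sentence also starts with "See the question ..." without saying what the reader will find there.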
@@ -144,8 +146,6 @@ By default, Windows Update does not download and install updates automatically o
To ensure that protection from malware is maintained, we recommend that you enable the following services:
-- Windows Defender Network Inspection service
-
- Windows Error Reporting service
- Windows Update service
@@ -155,9 +155,8 @@ The following table lists the services for Windows Defender and the dependent se
|Service Name|File Location|Description|
|--------|---------|--------|
|Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.|
-|Windows Defender Network Inspection Service (Wdnissvc)|C:\Program Files\Windows Defender\NisSrv.exe|This service is invoked when Windows Defender Antivirus encounters a trigger to load it.|
|Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.|
-|Windows Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Firewall service enabled.|
+|Windows Defender Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Defender Firewall service enabled.|
|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get definition updates and antimalware engine updates|
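Review bot: the Windows Defender Network Inspection Service row (Wdnissvc, NisSrv.exe) is removed from this table, and from the recommended-services list in the previous hunk, with no explanation. If the service is still present on Windows Server 2016, administrators who audit running services against this table will find a Windows Defender binary the documentation no longer accounts for. Either keep the row with a note on when it runs, or add a sentence saying why it is no longer listed.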
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 495cc05eec..7f2ef6dac4 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -38,7 +38,7 @@ In Windows 10, version 1703 (also known as the Creators Update), the Windows Def
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
> [!IMPORTANT]
-> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
+> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
> [!WARNING]
> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
@@ -121,7 +121,7 @@ This section describes how to perform some of the most common tasks when reviewi
>[!NOTE]
>If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
->If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable limited periodic scanning.
+>If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).
diff --git a/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index 0018059252..17fb07bae5 100644
--- a/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -13,7 +13,7 @@ ms.date: 08/11/2017
# Configure Windows Defender Application Guard policy settings
**Applies to:**
-- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+- Windows 10 Enterpise edition, version 1709
Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
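Review bot: the new "Applies to" line reads "Windows 10 Enterpise edition", which should be "Enterprise". The same misspelling is added in faq-wd-app-guard.md and test-scenarios-wd-app-guard.md in this patch, while install-wd-app-guard.md and reqs-wd-app-guard.md spell it correctly, so please fix all three together.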
@@ -41,5 +41,6 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
Enable Application Guard to print into the XPS format.
Enable Application Guard to print into the PDF format.
Enable Application Guard to print to locally attached printers.
Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.
**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**Note** If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. **To reset the container:**
Open a command-line program and navigate to Windows/System32.
Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
|
-|Turn On/Off Windows Defender Application Guard (WDAG)|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.
**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
+|Turn on Windows Defender Application Guard in Enterprise Mode|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.
**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
+
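Review bot: the renamed row "Turn on Windows Defender Application Guard in Enterprise Mode" documents only **Enabled** and **Disabled**, whereas the other rows in this table describe "Disabled or not configured". Please state what happens when the policy is left unconfigured, since that is the state most devices will be in. The description column still says only "Determines whether to turn on Application Guard for Microsoft Edge" and does not mention the Enterprise Mode the new name refers to, so update it to match.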
diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
index d5206df9fb..634876b5b8 100644
--- a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -13,7 +13,7 @@ ms.date: 08/11/2017
# Frequently asked questions - Windows Defender Application Guard
**Applies to:**
-- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+- Windows 10 Enterpise edition, version 1709
Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
diff --git a/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index 0504f9f546..fa29a5687b 100644
--- a/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -13,12 +13,12 @@ ms.date: 08/11/2017
# Prepare and install Windows Defender Application Guard
**Applies to:**
-- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+- Windows 10 Enterprise edition, version 1709
## Prepare to install Windows Defender Application Guard
Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
-- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the Application Guard in standalone mode testing scenario.
+- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario.
- **Enterprise-managed mode.** You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container.
diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
index 15b33475fa..00798f619b 100644
--- a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -13,26 +13,26 @@ ms.date: 08/11/2017
# System requirements for Windows Defender Application Guard
**Applies to:**
-- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+- Windows 10 Enterprise edition, version 1709
-The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
+The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
## Hardware requirements
-Your environment needs the following hardware to run Application Guard.
+Your environment needs the following hardware to run Windows Defender Application Guard.
|Hardware|Description|
|--------|-----------|
|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_
**-AND-**
One of the following virtualization extensions for VBS:
VT-x (Intel)
**-OR-**
AMD-V|
-|Hardware memory|8 GB minimum, 16 GB recommended|
+|Hardware memory|Microsoft recommends 8GB RAM for optimal performance|
|Hard disk|5 GB free space, solid state disk (SSD) recommended|
|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
## Software requirements
-Your environment needs the following hardware to run Application Guard.
+Your environment needs the following hardware to run Windows Defender Application Guard.
|Software|Description|
|--------|-----------|
-|Operating system|Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)|
+|Operating system|Windows 10 Enterprise edition, version 1709|
|Browser|Microsoft Edge and Internet Explorer|
|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)
**-OR-**
[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
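Review bot: Under `## Software requirements`, the rewritten intro line still reads "Your environment needs the following hardware to run Windows Defender Application Guard."; since the line is being touched anyway, change "hardware" to "software". In the hardware table, the new memory row "Microsoft recommends 8GB RAM for optimal performance" drops the explicit minimum that the old row gave ("8 GB minimum, 16 GB recommended"), so a reader can no longer tell whether 8 GB is a requirement or a suggestion. State the minimum explicitly, and write "8 GB" with a space to match "5 GB" in the next row.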
diff --git a/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
index b7cb312c08..1a42dc3b8b 100644
--- a/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
@@ -13,7 +13,7 @@ ms.date: 08/11/2017
# Testing scenarios using Windows Defender Application Guard in your business or organization
**Applies to:**
-- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+- Windows 10 Enterpise edition, version 1709
We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.
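Review bot: Typo in the new **Applies to** bullet: "Enterpise" should be "Enterprise". The same line in reqs-wd-app-guard.md in this patch spells it correctly, so copy that wording to keep the three Application Guard topics identical.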
@@ -22,20 +22,18 @@ You can see how an employee would use standalone mode with Application Guard.
**To test Application Guard in Standalone mode**
-1. Download the latest Windows Insider Program build (15257 or later).
+1. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
-2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
-
-3. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
+2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.

-4. Wait for Application Guard to set up the isolated environment.
+3. Wait for Application Guard to set up the isolated environment.
>[!NOTE]
>Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
-5. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.
+4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.

@@ -43,15 +41,13 @@ You can see how an employee would use standalone mode with Application Guard.
How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode.
### Install, set up, and turn on Application Guard
-Before you can use Application Guard in enterprise mode, you must install a version of Windows 10 that includes the functionality. Then, you must use Group Policy to set up the required settings.
+Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
-1. Download the latest Windows Insider Program build (15257 or later).
+1. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
-2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
+2. Restart the device and then start Microsoft Edge.
-3. Restart the device and then start Microsoft Edge.
-
-4. Set up the Network Isolation settings in Group Policy:
+3. Set up the Network Isolation settings in Group Policy:
a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**.
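Review bot: Step 1 under `### Install, set up, and turn on Application Guard` now links to `#install-set-up-and-turn-on-application-guard`, which is the anchor of this same section, so the installation procedure sends the reader back to itself. That step was copied from the standalone-mode procedure, where the link made sense; here it should either point at the topic that actually contains the install steps or be replaced with the steps themselves.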
@@ -67,22 +63,22 @@ Before you can use Application Guard in enterprise mode, you must install a vers

-5. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn On/Off Windows Defender Application Guard (WDAG)** setting.
+4. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting.
-6. Click **Enabled**.
+5. Click **Enabled**.

>[!NOTE]
>Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
-7. Start Microsoft Edge and type _www.microsoft.com_.
+6. Start Microsoft Edge and type _www.microsoft.com_.
After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard.

-8. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists.
+7. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists.
After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
diff --git a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
index 465c993f93..df00907959 100644
--- a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
@@ -13,7 +13,7 @@ ms.date: 08/11/2017
# Windows Defender Application Guard overview
**Applies to:**
-- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+- Windows 10 Enterpise edition, version 1709
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks.
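Review bot: Typo in the new **Applies to** bullet: "Enterpise" should be "Enterprise". This is the same misspelling introduced in test-scenarios-wd-app-guard.md in this patch; fix both together.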
diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index 45139f43a5..18204f4978 100644
--- a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Turn on advanced features in Windows Defender ATP
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
@@ -52,6 +52,8 @@ This feature is only available if you have an active Office 365 E5 or the Threat
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
+To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
+
## Enable advanced features
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
index 42299706d8..7fe267a6c1 100644
--- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# View and organize the Windows Defender Advanced Threat Protection Alerts queue
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
@@ -74,6 +74,8 @@ Reviewing the various alerts and their severity can help you decide on the appro
**Detection source**
- Windows Defender AV
- Windows Defender ATP
+- Windows Defender SmartScreen
+- Others
>[!NOTE]
>The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product.
@@ -92,7 +94,7 @@ Selecting an alert brings up the **Alert management** pane where you can manage
You can take immediate action on an alert and see details about an alert in the **Alert management** pane:
- Change the status of an alert from new, to in progress, or resolved.
-- Specify the alert classification from true alert or false alert.
+- Specify the alert classification from true alert or false alert by selecting **In progress**.
Selecting true alert displays the **Determination** drop-down list to provide additional information about the true alert:
- APT
- Malware
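Review bot: The clause added to the classification bullet, "by selecting **In progress**", mixes up two controls: "in progress" is one of the status values listed in the bullet directly above (new, in progress, resolved), not a classification value. If the intent is that classification only becomes available once the status is set to In progress, say that explicitly; otherwise drop the added clause.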
diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
index 764fe72b5d..909ae6a8eb 100644
--- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Windows Defender ATP alert API fields
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
index 8c52c26e52..3f28c41ef8 100644
--- a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Assign user access to the Windows Defender ATP portal
@@ -24,7 +24,7 @@ ms.date: 09/05/2017
- Office 365
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
@@ -83,7 +83,7 @@ For more information see, [Manage Azure AD group and role membership](https://te
7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
-
+ 
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink)
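Review bot: The only change to the image line is one added leading space, and a single space does not nest the image under step 7. If nesting is the goal, indent the line to the list item's content column; otherwise revert it so the diff carries no whitespace-only change.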
diff --git a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
index b4cac17a7c..1ba183765a 100644
--- a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Check sensor health state in Windows Defender ATP
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
@@ -32,8 +32,9 @@ The sensor health tile provides information on the individual endpoint’s abili

There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service:
-- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month.
- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected.
+- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month.
+
Clicking any of the groups directs you to Machines list, filtered according to your choice.
@@ -50,10 +51,11 @@ You can also download the entire list in CSV format using the **Export to CSV**
You can filter the health state list by the following status:
- **Active** - Machines that are actively reporting to the Windows Defender ATP service.
-- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service.
- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues:
- **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine.
- **Impaired communications** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work.
+- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service.
+
You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon.
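Review bot: The relocated **Inactive** bullet in the filter list still says only "have stopped reporting to the Windows Defender ATP service", while the tile description moved in the previous hunk qualifies it as "for more than seven days in the past month". Since both lines are being moved in this patch, align the two definitions so the tile and the filter describe the same state.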
diff --git a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
index c4c965309f..7fab21b8af 100644
--- a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Configure HP ArcSight to pull Windows Defender ATP alerts
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 1c7f1bf825..adc3f256ef 100644
--- a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Configure email notifications in Windows Defender ATP
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index c0c4500c23..3df84f3009 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Configure endpoints using Group Policy
@@ -25,7 +25,7 @@ ms.date: 09/05/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
@@ -116,7 +116,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** on the **Navigation pane**.
+ a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Click the **Endpoint offboarding** section.
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 690593d58b..b9ebce1508 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Configure endpoints using Mobile Device Management tools
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
@@ -44,7 +44,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Select **Endpoint management** on the **Navigation pane**.
+ a. Select **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
@@ -98,6 +98,7 @@ You can use the following onboarding policies to deploy configuration settings o
- Health Status for onboarded machines
- Configuration for onboarded machines
+> [!div class="mx-tableFixed"]
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding
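Review bot: The added `> [!div class="mx-tableFixed"]` line opens a block quote, but the table header and rows that follow it are not prefixed with `>`. Check in the build preview that the table is actually wrapped by the div and still renders as a table; if it does not, prefix the table lines with `>` as well.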
@@ -182,7 +183,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** on the **Navigation pane**.
+ a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Click the **Endpoint offboarding** section.
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index dccdfe3ee5..c28b6b77f8 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Configure endpoints using System Center Configuration Manager
@@ -24,7 +24,7 @@ ms.date: 09/05/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
- System Center 2012 Configuration Manager or later versions
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
@@ -48,7 +48,7 @@ You can use existing System Center Configuration Manager functionality to create
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** on the **Navigation pane**.
+ a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
@@ -120,7 +120,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** on the **Navigation pane**.
+ a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Click the **Endpoint offboarding** section.
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index c2d209b804..f6bd888c41 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Configure endpoints using a local script
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
@@ -35,7 +35,7 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
## Onboard endpoints
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Click **Endpoint management** on the **Navigation pane**.
+ a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **Local Script**, click **Download package** and save the .zip file.
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
index 433ebdcd72..aa48ff798a 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Configure non-persistent virtual desktop infrastructure (VDI) machines
@@ -18,7 +18,7 @@ ms.date: 09/05/2017
**Applies to:**
- Virtual desktop infrastructure (VDI) machines
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
index 12896138c5..2e727a1895 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Configure Windows Defender ATP client endpoints
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
Endpoints in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 60d72976e0..d80ae65c71 100644
--- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
@@ -24,7 +24,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
index 343f4351d5..8e51bf936a 100644
--- a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Configure Windows Defender ATP server endpoints
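Review bot: While `ms.date` is being updated here, the front matter in this file uses `localizationpriority: high`, whereas the other Windows Defender ATP topics in this patch use `ms.localizationpriority: high`, and no `ms.author` line appears between `ms.pagetype` and `author` as it does in those files. If the unprefixed key is not intentional, rename it in this same change so the metadata is consistent across the set.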
@@ -20,7 +20,7 @@ ms.date: 09/05/2017
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
@@ -40,7 +40,7 @@ To onboard your servers to Windows Defender ATP, you’ll need to:
### Turn on Server monitoring from the Windows Defender Security Center portal
-1. In the navigation pane, select **Endpoint management** > **Server management**.
+1. In the navigation pane, select **Endpoint management** > **Servers**.
2. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
diff --git a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
index a11b5b6701..657af8b344 100644
--- a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Pull alerts to your SIEM tools
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
@@ -57,8 +57,8 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull
Topic | Description
:---|:---
[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
-[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
[Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
+[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature.
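Review bot: Moving the Splunk row below the ArcSight row makes this table disagree with the Related topics list in enable-siem-integration-windows-defender-advanced-threat-protection.md, which this same patch leaves with Splunk first and ArcSight second. Pick one order and use it in both places, or drop the reorder if it was not intentional.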
diff --git a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
index 60e6cfaceb..d0700c0fa5 100644
--- a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Configure Splunk to pull Windows Defender ATP alerts
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 5fafa61b0a..63ea798361 100644
--- a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Create custom alerts using the threat intelligence (TI) application program interface (API)
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
index 0c3dc01eda..34e01f4d78 100644
--- a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# View the Windows Defender Advanced Threat Protection Security operations dashboard
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
@@ -43,7 +43,7 @@ From the **Security operations dashboard** you will see aggregated events to fac
It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview.
-## ATP alerts
+## Active alerts
You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**.

@@ -54,6 +54,11 @@ For more information see, [Alerts overview](alerts-queue-windows-defender-advanc
The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md).
+## Daily machines reporting
+The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
+
+
+
## Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
@@ -64,7 +69,7 @@ Click the name of the machine to see details about that machine. For more inform
You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md).
## Users at risk
-The tile shows you a list of user accounts with the most active alerts. The total number of alerts for each user is shown in a circle next to the user account, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
+The tile shows you a list of user accounts with the most active alerts.

@@ -95,6 +100,8 @@ Clicking on any of these categories will navigate to the [Machines list](investi
> [!NOTE]
> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+
+
## Sensor health
The **Sensor health** tile provides information on the individual endpoint’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines.
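Review bot: Two empty lines are added between the NOTE block and the "## Sensor health" heading. One blank line is enough to end the block quote and separate the sections, so drop the second.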
@@ -113,10 +120,7 @@ The **Service health** tile informs you if the service is active or if there are
For more information on the service health, see [Check the Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md).
-## Daily machines reporting
-The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
-
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index 6f7eed13ef..17f7fa36ee 100644
--- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Windows Defender ATP data storage and privacy
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
> [!NOTE]
diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
index 0f7c42f24e..e35be7bc63 100644
--- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Windows Defender compatibility
@@ -24,7 +24,7 @@ ms.date: 09/05/2017
- Windows Defender
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-defendercompat-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
index 4e98e3b3b4..1893d4aeea 100644
--- a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Enable the custom threat intelligence API in Windows Defender ATP
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..9a6a327429
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,49 @@
+---
+title: Enable Security Analytics in Windows Defender ATP
+description: Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard.
+keywords: enable security analytics, baseline, calculation, analytics, score, security analytics dashboard, dashboard
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 10/17/2017
+---
+
+# Enable Security Analytics security controls
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
+
+ >[!NOTE]
+ >Changes might take up to a few hours to reflect on the dashboard.
+
+1. In the navigation pane, select **Preferences setup** > **Security Analytics**.
+
+ 
+
+2. Select the security control, then toggle the setting between **On** and **Off**.
+
+3. Click **Save preferences**.
+
+## Related topics
+- [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
+- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
+- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
+- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
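Review bot: The front-matter title ("Enable Security Analytics in Windows Defender ATP") and the H1 ("Enable Security Analytics security controls") name the topic differently; make them match. The file also ends without a trailing newline (the "\ No newline at end of file" marker), and there are three consecutive empty lines after the **Applies to** list where one is enough. The NOTE block is indented by a leading space, unlike the `>[!Note]` and `> [!NOTE]` blocks in the neighbouring topics. The description says to "consider excluding the corresponding controls" for third-party solutions, but the steps only mention toggling **On** and **Off**; state in step 2 that **Off** is what excludes a control from the score.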
diff --git a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index b34a43be0e..237d8c2a56 100644
--- a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Enable SIEM integration in Windows Defender ATP
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
@@ -56,7 +56,7 @@ You can now proceed with configuring your SIEM solution or connecting to the ale
## Related topics
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
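Review bot: The link text changes to "Configure HP ArcSight to pull Windows Defender ATP alerts" here, but the row for the same target in the table in configure-siem-windows-defender-advanced-threat-protection.md still reads "Configure ArcSight to pull Windows Defender ATP alerts" after this patch. Use the same link text for configure-arcsight-windows-defender-advanced-threat-protection.md in both files, matching that topic's actual title.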
diff --git a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
index f23dc99857..1f4a5344b8 100644
--- a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
@@ -25,7 +25,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index 6085998914..b196a3f4fa 100644
--- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Experiment with custom threat intelligence (TI) alerts
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-experimentcustomti-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
index 73a2c6b1c7..8ee8c7f559 100644
--- a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Use the Windows Defender ATP exposed APIs
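Review bot: The only change to this file is the ms.date bump from 09/05/2017 to 10/17/2017, with no content edit in the hunk. The same is true of find-machine-info-by-ip and the get-* API topics that follow. If ms.date is meant to record the last content update, drop these date-only changes, or state in the commit message why the whole folder is being re-dated.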
diff --git a/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
index cd1e27c74b..770e413442 100644
--- a/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Find machine information by interal IP
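Review bot: The heading in the context line reads "Find machine information by interal IP"; "interal" should be "internal". This file is otherwise only getting a date bump, so fix the heading in the same change and the new ms.date will reflect an actual edit.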
diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 07eef0d4b5..2637d2528e 100644
--- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Fix unhealthy sensors in Windows Defender ATP
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-fixsensor-abovefoldlink)
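Review bot: The file name in the diff header is spelled "fix-unhealhty-sensors-..." while the H1 spells "unhealthy" correctly. A rename is out of scope for a date bump and an include removal, but it is worth a follow-up change with a redirect so the URL matches the title.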
diff --git a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
index 2a702cecc7..e096e90a23 100644
--- a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Update general Windows Defender ATP settings
@@ -22,7 +22,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
index b5745d86a0..9920dd76bc 100644
--- a/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get actor information
diff --git a/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
index d22c9702da..5789d02bfa 100644
--- a/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get actor related alerts
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
index 5a3baedc8a..b134792b71 100644
--- a/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get alert information by ID
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
index 8727105bd0..298732bdd3 100644
--- a/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get alert related actor information
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
index d22d6043a1..4aff86fc8e 100644
--- a/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get alert related domain information
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
index 7020f3ddb1..0caa3eb0fa 100644
--- a/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get alert related files information
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
index 83ff265f9a..f381d54582 100644
--- a/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get alert related IP information
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
index 1051f8e032..5b7faaa789 100644
--- a/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get alert related machine information
diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
index 008f657eb7..6676824c44 100644
--- a/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get alert related user information
diff --git a/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
index 27cbaabe0a..8f77b172b9 100644
--- a/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get alerts
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
index 4ade44c5d8..1d9c9340f2 100644
--- a/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get domain related alerts
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
index 630af76023..395a145017 100644
--- a/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get domain related machines
diff --git a/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
index 168ba45b95..d32758960c 100644
--- a/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get domain statistics
diff --git a/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
index bf5224ea2c..e8124fcdaa 100644
--- a/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get file information
diff --git a/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
index 0bc15888fe..0055fa9420 100644
--- a/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get file related alerts
diff --git a/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
index 0dd8cbb37e..7eff513d50 100644
--- a/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get file related machines
diff --git a/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
index cf4bdfb5bb..7ea388e1a0 100644
--- a/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get file statistics
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
index cc3eaf628c..e98f575d57 100644
--- a/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get IP related alerts
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
index 5a3164c261..69e883df58 100644
--- a/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get IP related machines
diff --git a/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
index 077f8220bb..a5f398316d 100644
--- a/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get IP statistics
diff --git a/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
index eefe82c97b..68308e5936 100644
--- a/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get machine by ID
diff --git a/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
index 837fece398..c973e3b688 100644
--- a/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get machine log on users
diff --git a/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
index 0afb16bf58..92fc5fc946 100644
--- a/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get machine related alerts
diff --git a/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
index 7674740001..c3006c0f0b 100644
--- a/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get machines
diff --git a/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
index cf588557dc..77b3f3d49b 100644
--- a/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get user information
diff --git a/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
index 88cc381aaf..84eb273e6d 100644
--- a/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get user related alerts
diff --git a/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
index 46b715810b..3ac3929e17 100644
--- a/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Get user related machines
diff --git a/windows/threat-protection/windows-defender-atp/images/active-threat-icon.png b/windows/threat-protection/windows-defender-atp/images/active-threat-icon.png
index d1bd6bfc81..3f99e1ae03 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/active-threat-icon.png and b/windows/threat-protection/windows-defender-atp/images/active-threat-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/alert-icon.png b/windows/threat-protection/windows-defender-atp/images/alert-icon.png
index 941d867586..99e91addff 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/alert-icon.png and b/windows/threat-protection/windows-defender-atp/images/alert-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/alerts-q-bulk.png b/windows/threat-protection/windows-defender-atp/images/alerts-q-bulk.png
index 22be821960..6849bcd582 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/alerts-q-bulk.png and b/windows/threat-protection/windows-defender-atp/images/alerts-q-bulk.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/analysis-results.png b/windows/threat-protection/windows-defender-atp/images/analysis-results.png
index 4d2afd09eb..7623d10e93 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/analysis-results.png and b/windows/threat-protection/windows-defender-atp/images/analysis-results.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-Application-Guard-events-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-Application-Guard-events-icon.png
new file mode 100644
index 0000000000..1c6bf1ab0e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-Application-Guard-events-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-Device-Guard-events-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-Device-Guard-events-icon.png
new file mode 100644
index 0000000000..ed78852f15
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-Device-Guard-events-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-ETW-event-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-ETW-event-icon.png
new file mode 100644
index 0000000000..ec079395b6
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-ETW-event-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-Exploit-Guard-events-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-Exploit-Guard-events-icon.png
new file mode 100644
index 0000000000..01da17affc
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-Exploit-Guard-events-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-File-path-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-File-path-icon.png
new file mode 100644
index 0000000000..c5f7f1df43
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-File-path-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-Firewall-events-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-Firewall-events-icon.png
new file mode 100644
index 0000000000..56db0095fa
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-Firewall-events-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-O365-admin-portal-customer.png b/windows/threat-protection/windows-defender-atp/images/atp-O365-admin-portal-customer.png
new file mode 100644
index 0000000000..c4a23269f5
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-O365-admin-portal-customer.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-Other-events-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-Other-events-icon.png
new file mode 100644
index 0000000000..5d3ddf1b48
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-Other-events-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-Smart-Screen-events-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-Smart-Screen-events-icon.png
new file mode 100644
index 0000000000..8b0b6c3550
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-Smart-Screen-events-icon.png differ
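Review bot: the icons added in this run use mixed-case file names (`atp-Application-Guard-events-icon.png`, `atp-O365-admin-portal-customer.png`, `atp-Smart-Screen-events-icon.png`), while the existing images modified in this patch and the next new file (`atp-access-token-modification-icon.png`) are all lowercase. Paths are case-sensitive in git and on case-sensitive file systems, so a Markdown image link typed in the directory's usual lowercase style will not resolve; rename these to lowercase to match. `atp-ETW-event-icon.png` also uses `event` where its siblings use `events`.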
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-access-token-modification-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-access-token-modification-icon.png
new file mode 100644
index 0000000000..68d6491ba3
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-access-token-modification-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-details.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-details.png
index 238b7e880b..d3f3d68920 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-details.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-details.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png
index 33cb7862f6..cb4a38b529 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png
index 2f834e986c..a077b3eaef 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png
index 4dfdc73f8c..b6ff98567a 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png
index bc0275c622..c19d6ac3ab 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png
index 9745627e88..12537a9efb 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png
index 61ff260c38..d1c0c571f4 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png
index 8cf482904e..e644d84f5c 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png b/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png
index 2b0253847e..811e554851 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png and b/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png
index 31a49811ec..99a4f4137c 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-api-access.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png
index a222f09880..8687fd302e 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-create.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png
index 7bb3ec3bb5..50f90d86d2 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-license-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-license-icon.png
new file mode 100644
index 0000000000..3bf8b08a0a
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-azure-license-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png
index effefd5424..a4a07d3b92 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-new-app.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png
index ce3d0672a6..7cc6a7fb57 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-required-permissions.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png
index 5aa454b9c8..47161ff880 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-select-permissions.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png
index f62d84df10..697cee2833 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-billing-licenses.png b/windows/threat-protection/windows-defender-atp/images/atp-billing-licenses.png
new file mode 100644
index 0000000000..0a08e0c3d9
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-billing-licenses.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-billing-subscriptions.png b/windows/threat-protection/windows-defender-atp/images/atp-billing-subscriptions.png
new file mode 100644
index 0000000000..8951659d17
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-billing-subscriptions.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-command-line-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-command-line-icon.png
new file mode 100644
index 0000000000..58dfb84419
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-command-line-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png b/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png
index 5a04cb5fd5..0797d7527e 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png and b/windows/threat-protection/windows-defender-atp/images/atp-create-dashboard.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png b/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png
index 614424a2ae..ab99d084ff 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png and b/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png
new file mode 100644
index 0000000000..4005404aff
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-data-retention-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-data-retention-policy.png
new file mode 100644
index 0000000000..7b9454924e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-data-retention-policy.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png b/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png
index 8166caf6ae..5c6fbe3a1f 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png and b/windows/threat-protection/windows-defender-atp/images/atp-download-connector.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png b/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png
new file mode 100644
index 0000000000..9d8ae5a5cd
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-file-creation-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-file-creation-icon.png
new file mode 100644
index 0000000000..83d2afbcd8
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-file-creation-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-file-observed-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-file-observed-icon.png
new file mode 100644
index 0000000000..943292f0e6
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-file-observed-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png b/windows/threat-protection/windows-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png
new file mode 100644
index 0000000000..bf39e4b81e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-final-onboard-endpoints-warning-before-atp-access.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-final-preference-setup.png b/windows/threat-protection/windows-defender-atp/images/atp-final-preference-setup.png
new file mode 100644
index 0000000000..9533a07777
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-final-preference-setup.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-geographic-location-setup.png b/windows/threat-protection/windows-defender-atp/images/atp-geographic-location-setup.png
new file mode 100644
index 0000000000..18e8861973
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-geographic-location-setup.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png b/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png
new file mode 100644
index 0000000000..0f5ef13a77
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-industry-information.png b/windows/threat-protection/windows-defender-atp/images/atp-industry-information.png
new file mode 100644
index 0000000000..e53106da3e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-industry-information.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-add-oma.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-add-oma.png
index 87586e7bd2..16095237a4 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-intune-add-oma.png and b/windows/threat-protection/windows-defender-atp/images/atp-intune-add-oma.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-deploy-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-deploy-policy.png
index a4f155428d..f28ceec416 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-intune-deploy-policy.png and b/windows/threat-protection/windows-defender-atp/images/atp-intune-deploy-policy.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png
index 345a260612..75da475049 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png and b/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-manage-deployment.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-manage-deployment.png
index 450cb83369..a6c5642c37 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-intune-manage-deployment.png and b/windows/threat-protection/windows-defender-atp/images/atp-intune-manage-deployment.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-policy-name.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-policy-name.png
index b45b2c5211..f8069cc4f7 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-intune-policy-name.png and b/windows/threat-protection/windows-defender-atp/images/atp-intune-policy-name.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-save-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-policy.png
index b4adb7c064..d0276f1df5 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-intune-save-policy.png and b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-policy.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-licensing-azure-portal.png b/windows/threat-protection/windows-defender-atp/images/atp-licensing-azure-portal.png
new file mode 100644
index 0000000000..3a93764966
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-licensing-azure-portal.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-logo-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-logo-icon.png
new file mode 100644
index 0000000000..627e9fec3c
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-logo-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png
index 3d9b39c0f9..674f388e5d 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-icon.png
new file mode 100644
index 0000000000..c08f0762d1
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
index 0c7f50581f..1d0a60dc13 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png
index c90cef7b32..80fc5d0f56 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png
index 51e693533e..752b6c0426 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png
index 7c10c6b14f..3c1c653dd1 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png and b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png
index 405fbaf384..9279e1eb89 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png and b/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png
index 2681a11815..7c56b48153 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png and b/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png
index e46a8edac4..8e5589a6ca 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png and b/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png b/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png
index b97c524a43..468deeecad 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png and b/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-memory-allocation-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-memory-allocation-icon.png
new file mode 100644
index 0000000000..2fde8a3dcf
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-memory-allocation-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-module-load-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-module-load-icon.png
new file mode 100644
index 0000000000..6f8ce9d6fd
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-module-load-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-network-communications-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-network-communications-icon.png
new file mode 100644
index 0000000000..ebe85a03a4
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-network-communications-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png b/windows/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png
new file mode 100644
index 0000000000..24b6aee777
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-no-subscriptions-found.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png b/windows/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png
new file mode 100644
index 0000000000..020eeac764
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-not-authorized-to-access-portal.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png b/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png
index bad96b9438..e3f49da272 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png and b/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png b/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png
new file mode 100644
index 0000000000..8a88c16936
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal-border-test.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png b/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png
new file mode 100644
index 0000000000..83e81a51cd
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-run-detection-test.png b/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-run-detection-test.png
new file mode 100644
index 0000000000..02cc1bbc0f
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-run-detection-test.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints.png b/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints.png
new file mode 100644
index 0000000000..36d21b5ebe
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-onboard-endpoints.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png
index 65dc93e72c..729042ed30 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png and b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-organization-size.png b/windows/threat-protection/windows-defender-atp/images/atp-organization-size.png
new file mode 100644
index 0000000000..e7e69034f0
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-organization-size.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-portal-welcome-screen.png b/windows/threat-protection/windows-defender-atp/images/atp-portal-welcome-screen.png
new file mode 100644
index 0000000000..fda9bac914
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-portal-welcome-screen.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png
index 2061e53383..2c2c75ac33 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png and b/windows/threat-protection/windows-defender-atp/images/atp-powerbi-navigator.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-powershell-command-run-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-powershell-command-run-icon.png
new file mode 100644
index 0000000000..5caea7628f
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-powershell-command-run-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-preferences-setup.png b/windows/threat-protection/windows-defender-atp/images/atp-preferences-setup.png
index bf67591f66..44c06d3b66 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-preferences-setup.png and b/windows/threat-protection/windows-defender-atp/images/atp-preferences-setup.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-preview-experience.png b/windows/threat-protection/windows-defender-atp/images/atp-preview-experience.png
new file mode 100644
index 0000000000..8055212471
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-preview-experience.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-process-event-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-process-event-icon.png
new file mode 100644
index 0000000000..ebcdefc909
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-process-event-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-process-injection.png b/windows/threat-protection/windows-defender-atp/images/atp-process-injection.png
new file mode 100644
index 0000000000..2d0f2b0f6a
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-process-injection.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-process-tree.png b/windows/threat-protection/windows-defender-atp/images/atp-process-tree.png
new file mode 100644
index 0000000000..c77adca24c
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-process-tree.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-registry-event-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-registry-event-icon.png
new file mode 100644
index 0000000000..29217a7235
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-registry-event-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-respond-action-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-respond-action-icon.png
new file mode 100644
index 0000000000..21c8a9e19d
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-respond-action-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png b/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png
index 47cedd37ae..fa8cd7b575 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png and b/windows/threat-protection/windows-defender-atp/images/atp-save-tag.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png b/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png
new file mode 100644
index 0000000000..9cbf01f81a
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-setup-complete.png b/windows/threat-protection/windows-defender-atp/images/atp-setup-complete.png
new file mode 100644
index 0000000000..8ca66b33cc
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-setup-complete.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-setup-incomplete.png b/windows/threat-protection/windows-defender-atp/images/atp-setup-incomplete.png
new file mode 100644
index 0000000000..554c69e2a6
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-setup-incomplete.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-setup-permissions-wdatp-portal.png b/windows/threat-protection/windows-defender-atp/images/atp-setup-permissions-wdatp-portal.png
new file mode 100644
index 0000000000..6b88b46227
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-setup-permissions-wdatp-portal.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-integration.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-integration.png
index 0205980406..493b64b828 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-siem-integration.png and b/windows/threat-protection/windows-defender-atp/images/atp-siem-integration.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png
index 7aa79c89b8..7a8d78a19e 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png
index 191941085d..4891cca8d7 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png
index ebc702179f..7d984e8eb0 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-signer-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-signer-icon.png
new file mode 100644
index 0000000000..1541aa0cf6
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-signer-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png
index e1d37a4f65..b2ae248d35 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png and b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-subscription-expired.png b/windows/threat-protection/windows-defender-atp/images/atp-subscription-expired.png
new file mode 100644
index 0000000000..7a6c15ebbb
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-subscription-expired.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png b/windows/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png
index ef6720b29e..3eece11ebd 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png and b/windows/threat-protection/windows-defender-atp/images/atp-threat-intel-api.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-thunderbolt-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-thunderbolt-icon.png
index d2c31bfab3..fa57139efc 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-thunderbolt-icon.png and b/windows/threat-protection/windows-defender-atp/images/atp-thunderbolt-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-unsigned-file-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-unsigned-file-icon.png
new file mode 100644
index 0000000000..ffe25c2d28
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-unsigned-file-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details.png
index 1d852999b9..4a7a82d003 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-user-details.png and b/windows/threat-protection/windows-defender-atp/images/atp-user-details.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-windows-cloud-instance-creation.png b/windows/threat-protection/windows-defender-atp/images/atp-windows-cloud-instance-creation.png
new file mode 100644
index 0000000000..990f12c3c8
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-windows-cloud-instance-creation.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-windows-defender-av-events-icon.png b/windows/threat-protection/windows-defender-atp/images/atp-windows-defender-av-events-icon.png
new file mode 100644
index 0000000000..6344860c5e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-windows-defender-av-events-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/detection-icon.png b/windows/threat-protection/windows-defender-atp/images/detection-icon.png
index 12d2217cdf..3a2d9ce2d2 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/detection-icon.png and b/windows/threat-protection/windows-defender-atp/images/detection-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png b/windows/threat-protection/windows-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png
new file mode 100644
index 0000000000..5e14e15378
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/licensing-windows-defender-advanced-threat-protection.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/not-remediated-icon.png b/windows/threat-protection/windows-defender-atp/images/not-remediated-icon.png
index 7d99acf323..b4d0f75be0 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/not-remediated-icon.png and b/windows/threat-protection/windows-defender-atp/images/not-remediated-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/remediated-icon.png b/windows/threat-protection/windows-defender-atp/images/remediated-icon.png
index 89d0890c14..b58a35c61a 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/remediated-icon.png and b/windows/threat-protection/windows-defender-atp/images/remediated-icon.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/sccm-deployment.png b/windows/threat-protection/windows-defender-atp/images/sccm-deployment.png
index 99d9b858d8..6b25ca200c 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/sccm-deployment.png and b/windows/threat-protection/windows-defender-atp/images/sccm-deployment.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/submit-file.png b/windows/threat-protection/windows-defender-atp/images/submit-file.png
index 9240eccabf..309fd3074c 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/submit-file.png and b/windows/threat-protection/windows-defender-atp/images/submit-file.png differ
diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
index c743b8f2cb..804852f8a8 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Investigate Windows Defender Advanced Threat Protection alerts
@@ -19,11 +19,15 @@ ms.date: 09/05/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
-Investigate alerts that are affecting your network, what they mean, and how to resolve them. Use the alert details view to see various tiles that provide information about alerts. You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them.
+Investigate alerts that are affecting your network, what they mean, and how to resolve them.
+
+Click an alert to see the alert details view and the various tiles that provide information about the alert.
+
+You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them.

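Review bot: The last added sentence mixes singular and plural. It says "manage an alert" but ends with "how to approach them", and now that the sentence is its own paragraph "them" has no plural antecedent. Suggest "how to approach it", or make the sentence plural throughout ("You can also manage alerts and see alert metadata ..."). Separately, the prerelease include is replaced by an added empty line rather than simply deleted; if a blank line already separates the list from the trial blockquote, drop the added one.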
diff --git a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
index e7a73b2f71..e92155911a 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Investigate a domain associated with a Windows Defender ATP alert
@@ -22,24 +22,32 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
+You can investigate a domain by using the search feature or by clicking on a domain link from the **Machine timeline**.
+
You can see information from the following sections in the URL view:
-- URL details
+- URL details, Contacts, Nameservers
+- Alerts related to this URL
- URL in organization
-- Prevalence in organization
-- Communication with URL from organization
+- Most recent observed machines with URL
-The URL address details section shows attributes of the URL such as its contacts and nameservers.
+## URL Worldwide
+The URL details, contacts, and nameservers sections display various attributes about the URL.
+## Alerts related to this URL
+The **Alerts related to this URL** section provides a list of alerts that are associated with the URL.
+
+## URL in organization
The **URL in organization** section provides details on the prevalence of the URL in the organization.
-The **Communication with URL in organization** section provides a chronological view on the events and associated alerts that were observed on the URL.
+## Most recent observed machinew with URL
+The **Most recent observed machinew with URL** section provides a chronological view on the events and associated alerts that were observed on the URL.
**Investigate a domain:**
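Review bot: "machinew" is a typo in both the new heading "## Most recent observed machinew with URL" and the bold section name in the sentence under it. The bullet added earlier in this hunk spells it "Most recent observed machines with URL", and the heading and sentence should match it. The first new heading, "## URL Worldwide", also disagrees with its bullet ("URL details, Contacts, Nameservers") and with the sentence beneath it ("The URL details, contacts, and nameservers sections"); pick one name and use it in all three places so readers can map the list to the headings.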
diff --git a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
index e90acdfa3d..809e147a03 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Investigate a file associated with a Windows Defender ATP alert
@@ -22,12 +22,14 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
+You can investigate files by using the search feature, clicking on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or from an event listed in the **Machine timeline**.
+
You can get information from the following sections in the file view:
- File details, Malware detection, Prevalence worldwide
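Review bot: The list in the added sentence is not parallel. "by using the search feature, clicking on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or from an event listed in the **Machine timeline**" can be read as if the graph and timeline names were separate items alongside "using the search feature". Suggest "by using the search feature, by clicking a link in the **Alert process tree**, **Incident graph**, or **Artifact timeline**, or from an event listed in the **Machine timeline**".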
diff --git a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
index beae2f18fb..b2f993d4d2 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Investigate an IP address associated with a Windows Defender ATP alert
@@ -22,7 +22,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
@@ -32,15 +32,22 @@ Identifying all machines in the organization that communicated with a suspected
You can find information from the following sections in the IP address view:
-- IP address details
+- IP worldwide, Reverse DNS names
+- Alerts related to this IP
- IP in organization
-- Communication with IP from organization
+- Most recent observed machines with IP
-The IP address details section shows attributes of the IP address such as its ASN and its reverse IPs.
+## IP Worldwide and Reverse DNS names
+The IP address details section shows attributes of the IP address such as its ASN and its Reverse DNS names.
+## Alerts related to this IP
+The **Alerts related to this IP** section provides a list of alerts that are associated with the IP.
+
+## IP in organization
The **IP in organization** section provides details on the prevalence of the IP address in the organization.
-The **Communication with IP in organization** section provides a chronological view on the events and associated alerts that were observed on the IP address.
+## Most recent observed machines with IP
+The **Most recent observed machines with IP** section provides a chronological view on the events and associated alerts that were observed on the IP address.
**Investigate an external IP:**
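Review bot: The sentence under the new "## IP Worldwide and Reverse DNS names" heading still begins "The IP address details section", which is the name this hunk removes from the bullet list, so it now refers to a section the page no longer lists. Reword it to name the new sections (for example "The **IP worldwide** and **Reverse DNS names** sections show attributes of the IP address such as its ASN and its reverse DNS names"). Also settle the casing: the bullet says "IP worldwide", the heading says "IP Worldwide", and the sentence capitalizes "Reverse DNS names" mid-sentence.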
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index d9ae0d1c13..43552b2d21 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Investigate machines in the Windows Defender ATP Machines list
@@ -19,7 +19,7 @@ ms.date: 09/05/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
@@ -111,7 +111,7 @@ You can manage tags from the Actions button or by selecting a machine from the M
## Alerts related to this machine
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts).
-This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. You'll also see a list of displayed alerts and you'll be able to quickly know the total number of alerts on the machine.
+This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**.
diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
index 1b36dc7c3c..a23a1b8c1c 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Investigate a user account in Windows Defender ATP
@@ -22,7 +22,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
index 5d32e4419b..f5d740c1f2 100644
--- a/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Is domain seen in org
diff --git a/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
index 9dfc6cd763..04d0ad5900 100644
--- a/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Is IP seen in org
diff --git a/windows/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..02ed4731ee
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,136 @@
+---
+title: Validate licensing provisioning and complete Windows Defender ATP set up
+description: Validating licensing provisioning, setting up initial preferences, and completing the user set up for Windows Defender Advanced Threat Protection portal.
+keywords: license, licensing, account, set up, validating licensing, windows defender atp
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-tanewt
+author: tbit0001
+ms.localizationpriority: high
+ms.date: 09/10/2017
+---
+# Validate licensing provisioning and complete set up for Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-validatelicense-abovefoldlink)
+
+## Check license state
+
+Checking for the license state and whether it got properly provisioned, can be done through the **Office 365 admin center** or through the **Microsoft Azure portal**.
+
+ 1. In the **Office 365 admin center** navigate to **Billing** > **Subscriptions**.
+
+ - On the screen you will see all the provisioned licenses and their current **Status**.
+
+ 
+
+ 2. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
+
+ 
+
+## Cloud Service Provider validation
+
+To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the **Office 365 admin center**.
+
+1. From the **Partner portal**, click on the **Administer services > Office 365**.
+
+2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer **Office 365 admin center**.
+
+ 
+
+## Access the Windows Defender ATP portal for the first time
+
+When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Windows Defender ATP created.
+
+1. Each time you access the portal you will need to validate that you are authorized to access the product. Only if you are not authorized will This **Set up your permissions** step will only be available if you are not currently authorized to access the product.
+
+ 
+
+ Once the authorization step is completed, the **Welcome** screen will be displayed.
+
+2. The **Welcome** screen will provide some details as to what is about to occur during the set up wizard.
+
+ 
+
+ You will need to set up your preferences for the Windows Defender ATP portal.
+
+3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in Europe or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
+
+ > [!WARNING]
+ > This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process.
+
+ 
+
+4. Windows Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process.
+
+ > [!NOTE]
+ > This option can be changed at a later time.
+
+ 
+
+5. You will need to indicate the size of your organization based on an estimate of the number of employees currently employed.
+
+ > [!NOTE]
+ > The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization.
+
+ 
+
+6. The customer industry information is helpful in collecting data for the Windows Security Team, and while optional, would be useful if completed.
+
+ > [!NOTE]
+ > This option can be changed at a later time.
+
+ 
+
+7. Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**.
+
+ You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
+
+ - Toggle the setting between On and Off to choose **Preview features**.
+
+ > [!NOTE]
+ > This option can be changed at a later time.
+
+ 
+
+8. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**.
+
+ > [!NOTE]
+ > Some of these options can be changed at a later time in the Windows Defender ATP portal.
+
+ 
+
+9. A dedicated cloud instance of the Windows Defender ATP portal is being created at this time. This step will take an average of 5 minutes to complete.
+
+ 
+
+10. You are almost done. Before you can start using Windows Defender ATP you'll need to:
+
+ - [Onboard endpoints and setup access](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
+
+ - Run detection test (optional)
+
+ 
+
+ > [!IMPORTANT]
+ > If you click **Start using Windows Defender ATP** before onboarding endpoints you will receive the following notification:
+ >
+
+11. After onboarding endpoints you can click **Start using Windows Defender ATP**. You will now launch Windows Defender ATP for the first time.
+
+ 
+
+## Related topics
+- [Onboard and set up Windows Defender Advanced Threat Protection](onboard-configure-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot onboarding process and error messages](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
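Review bot: Step 1 under "Access the Windows Defender ATP portal for the first time" contains a broken sentence left over from an edit: "Only if you are not authorized will This **Set up your permissions** step will only be available if you are not currently authorized to access the product." Drop the leading fragment so the step reads "The **Set up your permissions** step will only be available if you are not currently authorized to access the product." Two further points in the same file. In step 3 the body says the data storage location cannot be changed once configured, while the warning says it can be changed by offboarding and re-enrolling; state the constraint once, in the warning's wording, since this is the data-residency decision readers will come back to. In "Cloud Service Provider validation" the intro sends the reader to the Office 365 admin center, step 1 starts from the Partner portal, and step 2 describes clicking the **Partner portal** link, so the steps should say which link is clicked and where it lands. The file also ends without a trailing newline.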
diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index 205494624b..68e00fed1d 100644
--- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# View and organize the Windows Defender ATP Machines list
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 21c56a7475..713b6e43f7 100644
--- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Manage Windows Defender Advanced Threat Protection alerts
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 6f4ca6d581..e389fe6cf4 100644
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Minimum requirements for Windows Defender ATP
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
There are some minimum requirements for onboarding your network and endpoints.
@@ -63,7 +63,7 @@ Endpoints on your network must be running one of these editions.
The hardware requirements for Windows Defender ATP on endpoints is the same as those for the supported editions.
> [!NOTE]
-> Endpoints that are running Windows Server and mobile versions of Windows are not supported.
+> Endpoints that are running mobile versions of Windows are not supported.
#### Internet connectivity
Internet connectivity on endpoints is required.
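Review bot: The rewritten note now excludes only mobile versions of Windows, which implies that Windows Server endpoints are supported, but nothing in the visible lines says which server versions qualify. Name the supported server versions next to "Endpoints on your network must be running one of these editions" rather than leaving support to be inferred from an omission, and check that the "Applies to" list at the top of this file is updated to match.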
diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index 358f434974..68514478d8 100644
--- a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Onboard and set up Windows Defender Advanced Threat Protection
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index ac5a0f7173..138ed7ae40 100644
--- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: DulceMV
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/19/2017
---
# Windows Defender Advanced Threat Protection portal overview
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
@@ -40,8 +40,8 @@ When you open the portal, you’ll see the main areas of the application:

- (1) Navigation pane
-- (2) Main portal Search
-- (3) Feedback, Settings, Help and support
+- (2) Main portal
+- (3) Search, Feedback, Settings, Help and support
> [!NOTE]
> Malware related detections will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
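Review bot: Bullet (3) is labelled "Search, Feedback, Settings, Help and support" here, while the matching table row added in the next hunk is labelled "(3) Search bar, Feedback, Settings, Help and support". Use one label in both places so the numbered callouts in the image, the list and the table agree.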
@@ -50,28 +50,52 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
-(1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text. **Feedback** -Access the feedback button to provide comments about the portal. **Settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.
-(2) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**.
+(1) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**.
**Dashboards** | Enables you to view the Security operations or the Security analytics dashboard.
**Alerts queue** | Enables you to view separate queues of new, in progress, resolved alerts, alerts assigned to you, and suppression rules.
**Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
-**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, enable or turn off advanced features, and build Power BI reports.
-**Endpoint management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding.
-(3) Main portal| Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
+**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Security analytics dashboard.
+**Endpoint management** | Provides access to endpoints such as clients and servers. Allows you to download the onboarding configuration package for endpoints. It also provides access to endpoint offboarding.
+(2) Main portal| Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
+(3) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text. **Feedback** - Access the feedback button to provide comments about the portal. **Settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.
## Windows Defender ATP icons
The following table provides information on the icons used all throughout the portal:
Icon | Description
:---|:---
-| Alert – Indication of an activity correlated with advanced attacks.
-| Detection – Indication of a malware threat detection.
-| Active threat – Threats actively executing at the time of detection.
-| Remediated – Threat removed from the machine
-| Not remediated – Threat not removed from the machine.
- | Indicates events that triggered an alert in the **Alert process tree**.
-
+| Windows Defender ATP logo
+| Alert – Indication of an activity correlated with advanced attacks.
+| Detection – Indication of a malware threat detection.
+| Active threat – Threats actively executing at the time of detection.
+| Remediated – Threat removed from the machine.
+| Not remediated – Threat not removed from the machine.
+| Indicates events that triggered an alert in the **Alert process tree**.
+| Machine icon
+| Windows Defender Antivirus events
+| Windows Defender Application Guard events
+| Windows Defender Device Guard events
+| Windows Defender Exploit Guard events
+| Windows Defender SmartScreen events
+| Windows Firewall events
+| Response action
+| Process events
+| Network events
+| File events
+| Registry events
+| Load DLL events
+| Other events
+| Access token modification
+| File creation
+| Signer
+| File path
+| Command line
+| Unsigned file
+| Process tree
+| Memory allocation
+| Process injection
+| Powershell command run
## Related topic
-[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
+[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
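Review bot: The new **Preferences setup** row mixes actions and bare nouns in one list ("activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports"), so it is unclear what the reader does with SIEM integration and the threat intel API; give every item a verb. In the icons table, "Powershell command run" should be "PowerShell command run", and several of the added rows ("Signer", "File path", "Process tree") are bare labels where the existing rows explain what the icon indicates. The unchanged **Service health** row still says "Window Defender ATP" and could be fixed while the table is being edited. The final link line is rewritten only to drop the file's trailing newline, which should be kept.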
diff --git a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
index 705ff8da95..f025daa7f6 100644
--- a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Create and build Power BI reports using Windows Defender ATP data
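Review bot: The front matter in this file uses `localizationpriority: high`, while every other file touched in this patch uses `ms.localizationpriority: high`, and there is no `ms.author` line between `ms.pagetype` and `author` where the other topics have one. Since the block is being edited for `ms.date` anyway, align the key names with the other topics so the metadata is processed consistently.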
@@ -21,7 +21,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
index c1070db950..6f6ffb301b 100644
--- a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# PowerShell code examples for the custom threat intelligence API
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
This article provides PowerShell code examples for using the custom threat intelligence API.
diff --git a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
index 504d423fd0..8da98842db 100644
--- a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Configure Windows Defender ATP preferences settings
@@ -22,7 +22,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
index 1c08c4225a..6cb826c966 100644
--- a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Turn on the preview experience in Windows Defender ATP
@@ -22,13 +22,17 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-previewsettings-abovefoldlink)
Turn on the preview experience setting to be among the first to try upcoming features.
1. In the navigation pane, select **Preferences setup** > **Preview experience**.
+
+ 
+
+
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
## Related topics
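Review bot: Two empty lines are added after the new screenshot under step 1, and the removed prerelease include is replaced with an empty line rather than deleted. One blank line after the indented image is enough to keep step 2 in the same numbered list, and the include line can simply be removed.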
diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index 3dfbb8db03..c727d8143d 100644
--- a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Windows Defender ATP preview features
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
@@ -42,33 +42,7 @@ Turn on the preview experience setting to be among the first to try upcoming fea
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
## Preview features
-The following features are included in the preview release:
-
-- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-You can now onboard VDI machines to the Windows Defender ATP service.
-
-- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
-Windows Defender ATP supports the onboarding of the following servers:
- - Windows Server 2012 R2
- - Windows Server 2016
-
-- [View the Windows Defender ATP Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
-
-- [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
-You can lock down a device and prevent subsequent attempts of potentially malicious programs from running.
-
-- [Run Windows Defender Antivirus scan on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
-As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
-
-- [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
-Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
-
-- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
-Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph.
-
-- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
- Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities.
+There are currently no preview features.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)
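Review bot: After this change the "Preview features" section reads "There are currently no preview features." while the steps just above it still tell readers to turn on the preview experience setting to try upcoming features. Say what the toggle does when nothing is in preview, for example that it only affects future releases. The eight removed entries were also entry points to topics such as server endpoint onboarding, VDI onboarding and the exposed APIs, so check that each linked topic is still reachable from the table of contents or a related-topics list now that this list is gone.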
diff --git a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 8a7b308e76..3b35025ce9 100644
--- a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Pull Windows Defender ATP alerts using REST API
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
@@ -196,7 +196,7 @@ HTTP error code | Description
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
index 222900d1ef..0ca06b1365 100644
--- a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Python code examples for the custom threat intelligence API
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
## Before you begin
You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library.
diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 5f18a842a7..10734a86ca 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Take response actions on a file
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink)
@@ -77,7 +77,7 @@ In the machine timeline, a new event is added for each machine where a file was
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
-### Remove file from quarantine
+## Remove file from quarantine
You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each machine where the file was quarantined.
1. Open an elevated command–line prompt on the endpoint:
@@ -136,7 +136,7 @@ When a file is being blocked on the endpoint, the following notification is disp
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
-### Remove file from blocked list
+## Remove file from blocked list
1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
- **Alerts** - Click the file links from the Description or Details in the Artifact timeline
@@ -189,7 +189,7 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
- Search box - select **File** from the drop–down menu and enter the file name
2. In the **Deep analysis** section of the file view, click **Submit**.
-
+ 
>**Note** Only PE files are supported, including _.exe_ and _.dll_ files
@@ -202,10 +202,10 @@ A progress bar is displayed and provides information on the different stages of
View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
-You can view the comprehensive report that provides details on:
+You can view the comprehensive report that provides details on the following sections:
-– Observed behaviors
-– Associated artifacts
+- Behaviors
+- Observables
The details provided can help you investigate if there are indications of a potential attack.
@@ -213,9 +213,9 @@ The details provided can help you investigate if there are indications of a pote
1. Select the file you submitted for deep analysis.
2. Click **See the report below**. Information on the analysis is displayed.
-
+ 
-### Troubleshooting deep analysis
+### Troubleshoot deep analysis
If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index 0aa55c8947..ffd0412eb8 100644
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Take response actions on a machine
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
index 095581b550..6f30bcb438 100644
--- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Take response actions in Windows Defender ATP
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responseactions-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
index fb13f00579..7eaf489912 100644
--- a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: View the Security Analytics dashboard in Windows Defender ATP
description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles.
-keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverate, security control, improvement opportunities, edr, antivirus, av, os security updates
+keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverage, security control, improvement opportunities, edr, antivirus, av, os security updates
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# View the Windows Defender Advanced Threat Protection Security analytics dashboard
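Review bot: the front matter in this file reads `localizationpriority: high` and has no `ms.author` line, while every other file touched in this patch uses `ms.localizationpriority: high` alongside `ms.author: macapara`. Since this hunk already edits the metadata block for `ms.date`, bring the key name in line with the others and add the missing author field, or confirm the difference is intentional.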
@@ -22,7 +22,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-abovefoldlink)
@@ -33,37 +33,41 @@ The **Security analytics dashboard** displays a snapshot of:
- Organizational security score
- Security coverage
- Improvement opportunities
+- Security score over time
-
+
## Organizational security score
The organization security score is reflective of the average score of all the Windows Defender security controls that are configured according to the recommended baseline. You can improve this score by taking the steps in configuring each of the security controls in the optimal settings.
-
+
-Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score.
+Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score.
The denominator is reflective of the organizational score potential and calculated by multiplying the number of supported security controls (Security coverage pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
-In the example image, the total points from the **Improvement opportunities** tile add up to 279 points for the three pillars from the **Security coverage** tile.
+In the example image, the total points from the **Improvement opportunities** tile add up to 321 points for the six pillars from the **Security coverage** tile.
+
+You can set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard through the **Preferences settings**. For more information, see [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md).
## Security coverage
-The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar contributes 100 points to the overall organizational security score. It also represents the various Windows 10 security components with an indicator of the total number of machines that are well configured and those that require attention. Hovering on top of the individual bars will show exact numbers for each category.
+The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention.
-
+
## Improvement opportunities
Improve your organizational security score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
Click on each control to see the recommended optimizations.
-
+
The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile.
-Recommendations that do not display a green action are informational only and no action is required.
+>[!IMPORTANT]
+>Recommendations that do not display a green triangle icon are informational only and no action is required.
Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
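Review bot: the removed and added "Each Windows Defender security control from the **Security coverage** tile contributes 100 points..." lines read identically, so that pair looks like a whitespace-only change. Drop it from the patch unless the trailing spaces are meant as a hard line break. While this section is open, the unchanged last line still has a doubled word ("where the the recommendation is applicable"), and the new Security coverage sentence says "Machines that are green ... machines that are orange" where it is the bar segments, not the machines, that carry the colour.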
@@ -71,9 +75,22 @@ The following image shows an example list of machines where the EDR sensor is no

-### Endpoint detection and response (EDR) optimization
-This tile provides a specific list of actions you can take on Windows Defender ATP to improve how endpoints provide sensor data to the Windows Defender ATP service.
+## Security score over time
+You can track the progression of your organizational security posture over time using this tile. It displays the overall and individual control scores in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture.
+
+
+You can click on specific date points to see the total score for that security control is on a particular date.
+
+### Endpoint detection and response (EDR) optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for your Endpoint detection and response tool.
+
+#### Minimum baseline configuration setting for EDR:
+- Windows Defender ATP sensor is on
+- Data collection is working correctly
+- Communication to Windows Defender ATP service is not impaired
+
+#### Minimum baseline configuration setting for EDR:
You can take the following actions to increase the overall security score of your organization:
- Turn on sensor
- Fix sensor data collection
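Review bot: the second `#### Minimum baseline configuration setting for EDR:` heading, placed directly above "You can take the following actions...", duplicates the heading three lines earlier and labels the action list as the baseline. Rename it to a "Recommended actions:" heading so it matches the list it introduces. The paragraph under "### Endpoint detection and response (EDR) optimization" also stops mid-sentence ("so that the minimum baseline configuration setting for your Endpoint detection and response tool.") and needs its verb, for example "is fulfilled". In the new "Security score over time" text, "to see the total score for that security control is on a particular date" has a stray "is". Finally, inserting the new `##` heading immediately before the `###` EDR heading makes the optimization sections children of "Security score over time" rather than of "Improvement opportunities"; consider moving the new section after them.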
@@ -81,9 +98,19 @@ You can take the following actions to increase the overall security score of you
For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
-### Windows Defender Antivirus optimization
-This tile provides a list of specific list of actions you can implement on endpoints with Windows Defender Antivirus to improve the security in your organization. Each action shows the exact number of endpoints where you can apply the action on.
+### Windows Defender Antivirus (Windows Defender AV) optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled.
+#### Minimum baseline configuration setting for Windows Defender AV:
+Endpoints are considered "well configured" for Windows Defender AV if the following requirements are met:
+
+- Windows Defender AV is reporting correctly
+- Windows Defender AV is turned on
+- Signature definitions are up to date
+- Real-time protection is on
+- Potentially Unwanted Application (PUA) protection is enabled
+
+##### Recommended actions:
You can take the following actions to increase the overall security score of your organization:
>[!NOTE]
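Review bot: `##### Recommended actions:` is added one level below `#### Minimum baseline configuration setting for Windows Defender AV:`, which nests the actions inside the baseline section although the two are parallel; use `####` for both. The `####` baseline heading is also added directly under the preceding paragraph with no blank line between them, unlike the other headings added in this patch. Wording: "it must comply to a minimum baseline" should read "comply with".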
@@ -93,7 +120,6 @@ You can take the following actions to increase the overall security score of you
- This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
- Turn on antivirus
- Update antivirus definitions
-- Turn on cloud-based protection
- Turn on real-time protection
- Turn on PUA protection
@@ -105,14 +131,115 @@ This tile shows you the exact number of machines that require the latest securit
You can take the following actions to increase the overall security score of your organization:
- Install the latest security updates
+- Fix sensor data collection
+ - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
-For more information on, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter).
+For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter).
+### Windows Defender Exploit Guard (Windows Defender EG) optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline.
+
+#### Minimum baseline configuration setting for Windows Defender EG:
+Endpoints are considered "well configured" for Windows Defender EG if the following requirements are met:
+
+- System level protection settings are configured correctly
+- Attack Surface Reduction rules are configured correctly
+- Controlled Folder Access setting is configured correctly
+
+##### System level protection:
+The following system level configuration settings must be set to **On or Force On**:
+
+1. Control Flow Guard
+2. Data Execution Prevention (DEP)
+3. Randomize memory allocations (Bottom-up ASLR)
+4. Validate exception chains (SEHOP)
+5. Validate heap integrity
+
+>[!NOTE]
+>The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline.
+>Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection.
+
+##### Attack Surface Reduction (ASR) rules:
+The following ASR rules must be configured to **Block mode**:
+
+Rule description | GUIDs
+-|-
+Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
+Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
+Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+
+
+>[!NOTE]
+>The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline.
+>Consider enabling this rule in **Audit** or **Block mode** for better protection.
+
+
+##### Controlled Folder Access
+The Controlled Folder Access setting must be configured to **Audit mode** or **Enabled**.
+
+>[!NOTE]
+> Audit mode, allows you to see audit events in the Windows Defender ATP Machine timeline however it does not block suspicious applications.
+>Consider enabling Controlled Folder Access for better protection.
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Turn on all system-level Exploit Protection settings
+- Set all ASR rules to enabled or audit mode
+- Turn on Controlled Folder Access
+- Turn on Windows Defender Antivirus on compatible machines
+
+For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md).
+
+### Windows Defender Application Guard (Windows Defender AG) optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline.
+
+#### Minimum baseline configuration setting for Windows Defender AG:
+Endpoints are considered "well configured" for Windows Defender AG if the following requirements are met:
+
+- Hardware and software prerequisites are met
+- Windows Defender AG is turned on compatible machines
+- Managed mode is turned on
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Ensure hardware and software prerequisites are met
+
+ >[!NOTE]
+ >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on.
+
+- Turn on Windows Defender AG on compatible machines
+- Turn on managed mode
+
+
+For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).
+
+
+### Windows Defender SmartScreen optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled.
+
+#### Minimum baseline configuration setting for Windows Defender SmartScreen:
+The following settings must be configured with the following settings:
+- Check apps and files: **Warn** or **Block**
+- SmartScreen for Microsoft Edge: **Warn** or **Block**
+- SmartScreen for Microsoft store apps: **Warn** or **Off**
+
+
+You can take the following actions to increase the overall security score of your organization:
+- Set **Check app and files** to **Warn** or **Block**
+- Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
+- Set **SmartScreen for Microsoft store apps** to **Warn** or **Off**
+
+For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink)
## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md)
+- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
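Review bot: the Exploit Guard recommended action "Set all ASR rules to enabled or audit mode" contradicts the baseline stated earlier in this same hunk, "The following ASR rules must be configured to **Block mode**". A rule left in audit mode would not meet that baseline, so align the action text with the requirement or relax the requirement. Two similar inconsistencies: the Application Guard baseline lists "Hardware and software prerequisites are met", yet the note under the matching action says it is "not a prerequisite for Windows Defender AG" and does not contribute to the score; and SmartScreen for Microsoft store apps is given as "**Warn** or **Off**" where the other two settings use "**Warn** or **Block**", so please confirm "Off" is intended as a compliant value. Smaller wording fixes: "Windows Defender AG is turned on compatible machines" is missing an "on", "The following settings must be configured with the following settings" repeats itself, the SmartScreen action list has no "Recommended actions:" heading like the other sections, and "Audit mode, allows you" has a stray comma.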
diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
index 64db7e6e2b..d378143d10 100644
--- a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Check the Windows Defender Advanced Threat Protection service health
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-servicestatus-abovefoldlink)
@@ -57,4 +57,4 @@ When an issue is resolved, it gets recorded in the **Status history** tab.
The **Status history** tab reflects all the historical issues that were seen and resolved. You'll see details of the resolved issues along with the other information that were included while it was being resolved.
### Related topic
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
index 51307867de..3a6898510d 100644
--- a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: DulceMV
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Windows Defender Advanced Threat Protection settings
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-settings-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
index 04e81e2885..21a0c08e76 100644
--- a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Supported Windows Defender ATP APIs
diff --git a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index 1a8543fe50..b314b0c51e 100644
--- a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Understand threat intelligence concepts
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-threatindicator-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index 109ede1a84..de19af3792 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Troubleshoot custom threat intelligence issues
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
You might need to troubleshoot issues while using the custom threat intelligence feature.
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..88fd5b5c34
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,68 @@
+---
+title: Troubleshoot onboarding issues and error messages
+description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection.
+keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-tanewt
+author: tbit0001
+ms.localizationpriority: high
+ms.date: 09/10/2017
+---
+
+# Troubleshoot subscription and portal access issues
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
+
+
+This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service.
+
+If you receive an error message, the Windows Defender ATP portal will provide a detailed explanation on what the issue is and relevant links will be supplied.
+
+## No subscriptions found
+
+If while accessing the Windows Defender ATP portal you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license.
+
+Potential reasons:
+- The Windows E5 and Office E5 licenses are separate licenses.
+- The license was purchased but not provisioned to this AAD instance.
+ - It could be a license provisioning issue.
+ - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service.
+
+For both cases you should contact Microsoft support at [General Windows Defender ATP Support](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or
+[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx).
+
+
+
+## Your subscription has expired
+
+If while accessing the Windows Defender ATP portal you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date.
+
+You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the endpoint offboarding package, should you choose to not renew the license.
+
+> [!NOTE]
+> For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+
+
+
+## You are not authorized to access the portal
+
+If you receive a **You are not authorized to access the portal**, be aware that Windows Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user.
+For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection).
+
+
+
+## Related topics
+- [Validating licensing provisioning and completing setup for Windows Defender ATP](licensing-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
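Review bot: the front matter `title:` ("Troubleshoot onboarding issues and error messages") and the H1 ("Troubleshoot subscription and portal access issues") name different topics. Pick one so the page title matches the content, which covers the three portal messages. Under "You are not authorized to access the portal", the sentence is missing "message" after the bolded text, and "restricted and controlled by the user" does not say who grants access. Under "No subscriptions found", the bullet "The Windows E5 and Office E5 licenses are separate licenses." is listed as a potential reason but does not state what the reader may have done wrong. The "Assign user access to the portal" link is an absolute docs.microsoft.com URL while the Related topics link is relative, the support link carries a `ccsid=` query value that should be dropped if it is session-specific, `ms.date: 09/10/2017` differs from the 10/17/2017 used across the rest of the patch, and the file ends without a trailing newline.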
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 9fbbf9f078..6cadefb400 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues.
This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints.
@@ -90,12 +90,13 @@ If none of the event logs and troubleshooting steps work, download the Local scr
**Microsoft Intune error codes and OMA-URIs**:
+
Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
:---|:---|:---|:---|:---
0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:** Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
- | | | Onboarding Offboarding SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
If it doesn't exist, open an elevated command and add the key.
- | | | SenseIsRunning OnboardingState OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
- | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional. Server is not supported.
+ | | | | Onboarding Offboarding SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```
If it doesn't exist, open an elevated command and add the key.
+ | | | | SenseIsRunning OnboardingState OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+ || | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional. Server is not supported.
0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
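Review bot: The re-added "All" row under 0x87D1FDE8 carries over "Currently is supported platforms: Enterprise, Education, and Professional. Server is not supported." unchanged. The sentence is ungrammatical ("The currently supported platforms are ..."), and the 0x87D101A9 row just below gives the same list without the Server remark, so the two rows should be made to agree. The three continuation rows are also written two different ways: the first two start with `| | | |` and the last with `|| | |`. Use one form so the next edit to this table does not shift a column by accident.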
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
index b8da894820..94458ed80b 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Troubleshoot SIEM tool integration issues
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
You might need to troubleshoot issues while pulling alerts in your SIEM tools.
@@ -54,7 +54,7 @@ If your client secret expires or if you've misplaced the copy provided when you
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
index c0885c2510..b2616e4e94 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Troubleshoot Windows Defender Advanced Threat Protection
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
diff --git a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
index ae473cd899..43f09e0864 100644
--- a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Use the threat intelligence API to create custom alerts
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
index a0f9d4ce21..f047ce5ac2 100644
--- a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Use the Windows Defender Advanced Threat Protection portal
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index 17124a8070..18063807da 100644
--- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/17/2017
---
# Windows Defender Advanced Threat Protection
@@ -23,7 +23,7 @@ ms.date: 09/05/2017
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink)
>
@@ -98,6 +98,7 @@ Topic | Description
[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
[Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) | Learn about pulling alerts from the Windows Defender ATP portal using supported security information and events management (SIEM) tools.
[Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) | Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization.
+[Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) | Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities.
[Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) | Understand the security status of your organization, including the status of machines, alerts, and investigations using the Windows Defender ATP reporting feature that integrates with Power BI.
[Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) | Check the sensor health state on endpoints to verify that they are providing sensor data and communicating with the Windows Defender ATP service.
[Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Use the Preferences setup menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
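Review bot: The new "Use the Windows Defender ATP exposed APIs" row describes the feature ("Windows Defender ATP exposes much of the available data and actions ...") while the neighbouring rows open with what the reader will do (Learn, Understand, Check, Use). Rephrase it to match the rest of the table, and confirm the product name "Microsoft Intelligence Security Graph" against current branding before merging.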
diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index ca4ced3a04..a3bb50ab5b 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -21,9 +21,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
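Review bot: ms.date is left at 08/25/2017 (visible in the hunk header) although this hunk changes the applicability from Insider Preview to Windows 10, version 1709. The Windows Defender ATP topics in this same patch bump ms.date to 10/17/2017 for a comparable edit, so update it here too. The same applies to the other Exploit Guard topics in this patch that show the 08/25/2017 header. The added blank line in place of the removed prerelease include also leaves a double blank before "**Audience**", which can be dropped.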
@@ -64,10 +64,10 @@ Rule name | GUIDs
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
+Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
### Rule: Block executable content from email client and webmail
@@ -94,7 +94,7 @@ This rule targets typical behaviors used by suspicious and malicious add-ons and
Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
-### Rule: Block Office applications from injecting into other processes
+### Rule: Block Office applications from injecting code into other processes
Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes.
@@ -103,7 +103,7 @@ This is typically used by malware to run malicious code in an attempt to hide th
-### Rule: Impede JavaScript and VBScript to launch executables
+### Rule: Block JavaScript ok VBScript From launching downloaded executable content
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
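Review bot: The new heading has two typos, "ok" for "or" and a capitalised "From". As written it no longer matches the rule name this patch puts in the GUID table ("Block JavaScript or VBScript from launching downloaded executable content"), so any anchor link built from the table name will miss this section. Use the table's wording verbatim. The paragraph under it still says scripts "launch other malicious apps" without mentioning downloaded content, which the new name makes the defining condition. Consider one sentence on what counts as downloaded.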
@@ -119,7 +119,11 @@ This rule prevents scripts that appear to be obfuscated from running.
It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
+### Rule: Block Win32 API calls from Office macro
+Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
+
+This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs.
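Review bot: The heading says the rule blocks Win32 API calls, but the body says it "attempts to block Office files that contain macro code that is capable of importing Win32 DLLs". Those are different behaviours for an admin deciding whether to enable the rule: one stops a call at run time, the other stops the file from being used at all. State which one actually happens, and what the user sees when it triggers. The heading is also missing the blank line before the first paragraph that the added lines otherwise use between paragraphs.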
@@ -144,7 +148,7 @@ You can review the Windows event log to see events that are created when an Atta
2. On the left panel, under **Actions**, click **Import custom view...**
- 
+ 
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
diff --git a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
index 2d4af77fb8..c63d4747c8 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
@@ -19,9 +19,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
diff --git a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
index 9faffd8366..973eae24a0 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
@@ -21,9 +21,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
@@ -75,7 +75,7 @@ You can review the Windows event log to see events that are created when Control
3. On the left panel, under **Actions**, click **Import custom view...**
- 
+ 
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index a38b93a9db..e68c054cde 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -18,9 +18,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
index 03c00df6f6..2d64ed10c3 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
@@ -21,9 +21,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
@@ -75,7 +75,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and
4. Click **Add a protected folder** and follow the prompts to add apps.
- 
+ 
### Use Group Policy to protect additional folders
@@ -107,7 +107,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and
Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app.
-
+
>[!IMPORTANT]
@@ -144,7 +144,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
4. Click **Add an allowed app** and follow the prompts to add apps.
- 
+ 
### Use Group Policy to whitelist specific apps
@@ -156,7 +156,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
-6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
+6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
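Review bot: Step 6 removes the leftover author questions but does not answer them. "Click **Show** and enter each app" still does not say whether the entry goes in Value or Value name, whether it must be an executable, or whether a fully qualified path is required. That matters for this setting because the surrounding topic states that only the app in the specified location is allowed. Add the expected format before publishing, ideally with one sample entry.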
@@ -178,7 +178,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app.
-
+
>[!IMPORTANT]
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index c837adc81b..d268dc58b5 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -18,9 +18,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
@@ -51,30 +51,30 @@ It also describes how to enable or configure the mitigations using Windows Defen
All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
-You can set each of the mitigations to on, off, or to their default value as indicated in the table below. Some mitigations have additional options, these are indicated in the description in the table.
+You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
-
+
The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
-Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available
+Mitigation | Description | Can be applied to | Audit mode available
- | - | - | -
-Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
-Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
-Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
-Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
-Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
-Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
+Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
+Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
+Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
+Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
+Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
+Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Windows Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
+Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.md)]
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
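Review bot: The table rewrite drops the system default for each of the six system-level mitigations (Mandatory ASLR and Validate heap integrity were listed as Off, the other four as On), and the intro now relies on the brackets shown at the **Use default** option in the app. Someone configuring through the PowerShell cmdlets this topic links to never sees that UI, so keep the defaults in their own column or say where else they are documented. In the same hunk, "Some mitigations have additional options, these are indicated" is a comma splice, and the Code integrity guard row is edited for Microsoft Store but still says "WQL", which looks like a typo for WHQL.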
@@ -127,7 +127,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label:
- 
+ 
3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
@@ -139,7 +139,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
Changing some settings may required a restart, which will be indicated in red text underneath the setting.
- 
+ 
4. Repeat this for all the system-level mitigations you want to configure.
@@ -154,7 +154,7 @@ Exporting the configuration as an XML file allows you to copy the configuration
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen:
- 
+ 
3. Go to the **Program settings** section and choose the app you want to apply mitigations to:
@@ -164,14 +164,14 @@ Exporting the configuration as an XML file allows you to copy the configuration
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
- 
+ 
4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
- 
+ 
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations.
diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
index 1ca6070748..640893025c 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
@@ -21,9 +21,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview, build 16232 and later
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 7158a21778..e4853782de 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -20,9 +20,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
@@ -79,7 +79,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to
- Disabled = 0
- Audit mode = 2
-
+
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
index 6935d74d73..4af5aacff1 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@@ -21,9 +21,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
@@ -60,7 +60,7 @@ For further details on how audit mode works, and when you might want to use it,
3. Set the switch for the feature to **On**
- 
+ 
### Use Group Policy to enable Controlled folder access
@@ -77,7 +77,7 @@ For further details on how audit mode works, and when you might want to use it,
- **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
- 
+ 
>[!IMPORTANT]
>To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
index 851c35b1af..a461a35961 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
@@ -21,9 +21,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
index 87afa2e97d..014071b7cf 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
@@ -20,9 +20,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index 832df46955..a419fbe410 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -19,9 +19,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
@@ -57,7 +57,7 @@ This tool has a simple user interface that lets you choose a rule, configure it
When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
-
+
Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
@@ -99,7 +99,7 @@ Audit | The rule wil fire, but the suspicious behavior will **not** be blocked f
Block mode will cause a notification to appear on the user's desktop:
-
+
You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk.
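Review bot: the table row shown in this hunk's header still reads "The rule wil fire"; the Audit row needs "wil" corrected to "will", and since this file is already being edited the fix belongs in this change.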
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
index c2483edae7..c664d02fce 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@@ -19,9 +19,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
@@ -73,11 +73,11 @@ You can enable Controlled folder access, run the tool, and see what the experien
6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
- 
+ 
7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
- 
+ 
## Review Controlled folder access events in Windows Event Viewer
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
index 3e65984587..3d46ca1532 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
@@ -20,9 +20,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
index 1d47864477..e17117ec49 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
@@ -20,9 +20,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
@@ -64,7 +64,7 @@ You can also carry out the processes described in this topic in audit or disable
You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked.
-
+
## Review Network protection events in Windows Event Viewer
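Review bot: the unchanged context line directly above the edited line misspells "connection" as "connnection" ("a notification that the network connnection was blocked"). Fix it here, as this change already touches the adjacent line.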
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
index 014d2fef07..b22bf2e8e4 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
@@ -21,9 +21,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
diff --git a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
index 97a86e7fa9..292c45961e 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
@@ -21,9 +21,9 @@ ms.author: iawilt
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
@@ -47,7 +47,7 @@ You can also manually navigate to the event area that corresponds to the Windows
### Import an existing XML custom view
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views:
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views:
- Controlled folder access events custom view: *cfa-events.xml*
- Exploit protection events custom view: *ep-events.xml*
- Attack surface reduction events custom view: *asr-events.xml*
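Review bot: the edited step 1 corrects "appropraite" but keeps the awkward sentence "The following filenames are each of the custom views:". Since the line is being rewritten anyway, reword it to something like "The custom view files are:" so the list that follows reads cleanly.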
@@ -57,7 +57,7 @@ You can also manually navigate to the event area that corresponds to the Windows
3. On the left panel, under **Actions**, click **Import Custom View...**
- 
+ 
4. Navigate to where you extracted XML file for the custom view you want and select it.
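Review bot: step 4 in the trailing context is missing an article ("Navigate to where you extracted XML file"). Change it to "extracted the XML file" while this section is being edited.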
@@ -73,7 +73,7 @@ You can also manually navigate to the event area that corresponds to the Windows
3. On the left panel, under **Actions**, click **Create Custom View...**
- 
+ 
4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
diff --git a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
index f9095299df..eb09cca9c9 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
@@ -21,9 +21,9 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10 Insider Preview
+- Windows 10, version 1709
+
-[!include[Prerelease information](prerelease.md)]
**Audience**
@@ -76,7 +76,7 @@ You can review the Windows event log to see events that are created when Exploit
3. On the left panel, under **Actions**, click **Import custom view...**
- 
+ 
4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
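Review bot: step 3 here names the Event Viewer action **Import custom view...**, while the same step in event-views-exploit-guard.md in this diff names it **Import Custom View...**. Use one capitalization for the UI label in both topics so it matches what users see on screen.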
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md
index afa7a3d27d..89a87afa8b 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md
@@ -1,4 +1,4 @@
-