Merge remote-tracking branch 'refs/remotes/origin/master' into atp-feedback

Joey Caparas 2016-11-07 08:33:44 +11:00
commit 0fa313a7dd
129 changed files with 896 additions and 481 deletions

View File

@ -20,8 +20,8 @@ Included examples:
- [Example 4: Connect directly if the host is in specified subnet](#example-4-connect-directly-if-the-host-is-in-specified-subnet)
- [Example 5: Determine the connection type based on the host domain](#example-5-determine-the-connection-type-based-on-the-host-domain)
- [Example 6: Determine the connection type based on the protocol](#example-6-determine-the-connection-type-based-on-the-protocol)
- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-IP-address)
- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-IP-address-matches-the-specified-IP-address)
- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-ip-address)
- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-ip-address-matches-the-specified-ip-address)
- [Example 9: Connect using a proxy server if there are periods in the host name](#example-9-connect-using-a-proxy-server-if-there-are-periods-in-the-host-name)
- [Example 10: Connect using a proxy server based on specific days of the week](#example-10-connect-using-a-proxy-server-based-on-specific-days-of-the-week)

View File

@ -6,6 +6,7 @@ ms.prod: IE11
title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0
ms.sitesec: library
localizationpriority: low
---

View File

@ -35,4 +35,5 @@
#### [Using a room control system](use-room-control-system-with-surface-hub.md)
### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
### [Change history for Surface Hub](change-history-surface-hub.md)
## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
## [Change history for Surface Hub](change-history-surface-hub.md)

View File

@ -14,6 +14,12 @@ localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
## November 2016
| New or changed topic | Description |
| --- | --- |
| [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | New |
## RELEASE: Windows Anniversary Update for Surface Hub (Windows 10, version 1607)
The topics in this library have been updated for Windows 10, version 1607 (also known as Windows Anniversary Update for Surface Hub). These topics had significant updates for this release:
- [Windows Updates (Surface Hub)](manage-windows-updates-for-surface-hub.md)

View File

@ -233,7 +233,7 @@ Surface Hub is compatible with a range of hardware. Choose the processor and mem
### Graphics adapter
In replacement PC mode, Surface Hub supports any graphics adapter that can produce a DisplayPort signal. You'll improve your experience with a graphics adapter that can match Surface Hub's resolution and refresh rate. For example, though the best and recommended replacement PC experience on the Surface Hub is with a 120Hz video signal, 60Hz video signals are also supported.
In replacement PC mode, Surface Hub supports any graphics adapter that can produce a DisplayPort signal. You'll improve your experience with a graphics adapter that can match Surface Hub's resolution and refresh rate. For example, the best and recommended replacement PC experience on the Surface Hub is with a 120Hz video signal.
**55" Surface Hubs** - For best experience, use a graphics card capable of 1080p resolution at 120Hz.
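Review bot: The rewritten Graphics adapter paragraph drops the statement that 60Hz video signals are also supported, yet the remaining sentence still opens with "For example" even though it no longer contrasts two cases. If 60Hz input is no longer supported in replacement PC mode, say so explicitly. If it still works, keep the clause so that admins choosing a graphics adapter know the minimum that is accepted.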
@ -295,7 +295,7 @@ Replacement PC ports on 55" Surface Hub.
<tr class="odd">
<td><p>PC video</p></td>
<td><p>Video input</p></td>
<td><p>DisplayPort 1.2</p></td>
<td><p>DP 1.2</p></td>
<td><ul>
<li><p>Full screen display of 1080p at 120 Hz, plus audio</p></li>
<li><p>HDCP compliant</p></li>
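Review bot: In the PC video row, "DisplayPort 1.2" becomes "DP 1.2", but the Graphics adapter section of this same topic spells out "DisplayPort signal", so the abbreviation is never introduced. Keep the full name in the table cell or define "DP" on first use. The same applies to the "DP 1.2 (2x)" cell in the 84" table.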
@ -352,7 +352,7 @@ Replacement PC ports on 84" Surface Hub.
<tr class="odd">
<td><p>PC video</p></td>
<td><p>Video input</p></td>
<td><p>DisplayPort 1.2 (2x)</p></td>
<td><p>DP 1.2 (2x)</p></td>
<td><ul>
<li><p>Full screen display of 2160p at 120 Hz, plus audio</p></li>
<li><p>HDCP compliant</p></li>

View File

@ -0,0 +1,169 @@
---
title: Differences between Surface Hub and Windows 10 Enterprise
description: This topic explains the differences between Windows 10 Team and Windows 10 Enterprise.
keywords: change history
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: isaiahng
localizationpriority: medium
---
# Differences between Surface Hub and Windows 10 Enterprise
The Surface Hub operating system, Windows 10 Team, is based on Windows 10 Enterprise, providing rich support for enterprise management, security, and other features. However, there are important differences between them. While the Enterprise edition is designed for PCs, Windows 10 Team is designed from the ground up for large screens and meeting rooms. When you evaluate security and management requirements for Surface Hub, it's best to consider it as a new operating system. This article is designed to help highlight the key differences between Windows 10 Team on Surface Hub and Windows 10 Enterprise, and what the differences mean for your organization.
## User interface
### Shell (OS user interface)
The Surface Hub's shell is designed from the ground up to be large screen and touch optimized. It doesn't use the same shell as Windows 10 Enterprise.
*Organization policies that this may affect:* <br> Settings related to controls in the Windows 10 Enterprise shell don't apply for Surface Hub.
### Lock screen and screensaver
Surface Hub doesn't have a lock screen or a screen saver, but it has a similar feature called the welcome screen. The welcome screen shows scheduled meetings from the device account's calendar, and easy entry points to the Surface Hub's top apps - Skype for Business, Whiteboard, and Connect.
*Organization policies that this may affect:* <br> Settings for lock screen, screen timeout, and screen saver don't apply for Surface Hub.
### User logon
Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without logging on. The system always runs as a local, auto logged-in, low-privilege user. It doesn't support logging in any additional users - including admin users.
> [!NOTE]
> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **I'm done**.
*Organization policies that this may affect:* <br> Generally, Surface Hub uses lockdown features rather than user access control to enforce security. Policies related to password requirements, interactive logon, user accounts, and access control don't apply for Surface Hub.
### Saving and browsing files
Users have access to a limited set of directories on the Surface Hub:
- Music
- Videos
- Documents
- Pictures
- Downloads
Files saved locally in these directories are deleted when users press **I'm done**. To save content created during a meeting, users should save files to a USB drive or to OneDrive.
*Organization policies that this may affect:* <br> Policies related to access permissions and ownership of files and folders don't apply for Surface Hub. Users can't browse and save files to system directories and network folders.
## Applications
### Default applications
With few exceptions, the default Universal Windows Platform (UWP) apps on Surface Hub are also available on Windows 10 PCs.
UWP apps pre-installed on Surface Hub:
- Alarms & Clock
- Calculator
- Connect
- Excel Mobile
- Feedback Hub
- File Explorer*
- Get Started
- Maps
- Microsoft Edge
- Microsoft Power BI
- OneDrive
- Photos
- PowerPoint Mobile
- Settings*
- Skype for Business*
- Store
- Whiteboard*
- Word Mobile
*Apps with an asterisk (&ast;) are unique to Surface Hub*
*Organization policies that this may affect:* <br> Use guidelines for Windows 10 Enterprise to determine the features and network requirements for default apps on the Surface Hub.
### Installing apps, drivers, and services
To help preserve the appliance-like nature of the device, Surface Hub only supports installing Universal Windows Platform (UWP) apps, and does not support installing classic Win32 apps, services and drivers. Furthermore, only admins have access to install UWP apps.
*Organization policies that this may affect:* <br> Employees can only use the apps that have been installed by admins, helping mitigate against unintended use. Surface Hub doesn't support installing Win32 agents required by most traditional PC management and monitoring tools.
## Security and lockdown
For Surface Hub to be used in communal spaces, such as meeting rooms, its custom OS implements many of the security and lockdown features available in Windows 10.
Surface Hub implements these Windows 10 security features:
- [UEFI Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview)
- [User Mode Code Integrity (UMCI) with Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies)
- [Application restriction policies using AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview)
- [BitLocker Drive Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview)
- [Trusted Platform Module (TPM)](https://technet.microsoft.com/itpro/windows/keep-secure/trusted-platform-module-overview)
- [Windows Defender](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10)
- [User Account Control (UAC)](https://technet.microsoft.com/itpro/windows/keep-secure/user-account-control-overview) for access to the Settings app
These Surface Hub features provide additional security:
- Custom UEFI firmware
- Custom shell and Start menu limits device to meeting functions
- Custom File Explorer only grants access to files and folders under My Documents
- Custom Settings app only allows admins to modify device settings
- Downloading advanced Plug and Play drivers is disabled
*Organization policies that this may affect:* <br> Consider these features when performing your security assessment for Surface Hub.
## Management
### Device settings
Device settings can be configured through the Settings app. The Settings app is customized for Surface Hub, but also contains many familiar settings from Windows 10 Desktop. A User Accounts Control (UAC) prompt appears when opening up the Settings app to verify the admin's credentials, but this does not log in the admin.
*Organization policies that this may affect:* <br> Employees can use the Surface Hub for meetings, but cannot modify any device settings. In addition to lockdown features, this ensures that employees only use the device for meeting functions.
### Administrative features
The administrative features in Windows 10 Enterprise, such as the Microsoft Management Console, Run, Command Prompt, PowerShell, registry editor, event viewer, and task manager are not supported on Surface Hub. The Settings app contains all of the administrative features locally available on Surface Hub.
*Organization policies that this may affect:* <br> Surface Hubs are not managed like traditional PCs. Use MDM to configure settings and OMS to monitor your Surface Hub.
### Remote management and monitoring
Surface Hub supports remote management through mobile device management (MDM), and monitoring through Operations Management Suite (OMS).
*Organization policies that this may affect:* <br> Surface Hub doesn't support installing Win32 agents required by most traditional PC management and monitoring tools, such as System Center Operations Manager.
### Group policy
Surface Hub does not support group policy, including auditing. Instead, use MDM to apply policies to your Surface Hub. For more information about MDM, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md).
*Organization policies that this may affect:* <br> Use MDM to manage Surface Hub rather than group policy.
### Remote assistance
Surface Hub does not support remote assistance.
*Organization policies that this may affect:* <br> Policies related to remote assistance don't apply for Surface Hub.
## Network
### Domain join and Azure Active Directory (Azure AD) join
Surface Hub uses domain join and Azure AD join primarily to provide a directory-backed admin group. Users can't log in with a domain account. For more information, see [Admin group management](admin-group-management-for-surface-hub.md).
*Organization policies that this may affect:* <br> Group policies are not applied when a Surface Hub is joined to your domain. Policies related to domain membership don't apply for Surface Hub.
### Accessing domain resources
Users can sign in to Microsoft Edge to access intranet sites and online resources (such as Office 365). If your Surface Hub is configured with a device account, the system uses it to access Exchange and Skype for Business. However, Surface Hub doesn't support accessing domain resources such as file shares and printers.
*Organization policies that this may affect:* <br> Policies related to accessing domain objects don't apply for Surface Hub.
<!--
### Endpoints
*Organization policies that this may affect:* <br>
-->
### Telemetry
The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit telemetry data. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
*Organization policies that this may affect:* <br> Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise.
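Review bot: The new topic contradicts itself on file access. "Saving and browsing files" lists Music, Videos, Documents, Pictures and Downloads as the directories users can reach, while the "Security and lockdown" list says "Custom File Explorer only grants access to files and folders under My Documents". Readers are told to use these lists for their security assessment, so the two statements need to agree. Smaller points: the front matter has "keywords: change history", which looks copied from the change history topic. "User Accounts Control (UAC)" under Device settings should match "User Account Control (UAC)" in the security features list. The commented-out, empty "### Endpoints" block should be removed or filled in before this is published.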

View File

@ -425,7 +425,7 @@ This page will attempt to create a new admin account using the credentials that
In order to get the latest features and fixes, you should update your Surface Hub as soon as you finish all of the preceding first-run steps.
1. Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#using-wsus).
1. Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#use-windows-server-update-services).
2. Open Settings, click **Update & security**, then **Windows Update**, and then click **Check for updates**.
3. If updates are available, they will be downloaded. Once downloading is complete, click the **Update now** button to install the updates.
4. Follow the onscreen prompts after the updates are installed. You may need to restart the device.

View File

@ -12,7 +12,7 @@ localizationpriority: medium
---
# Hybrid deployment (Surface Hub)
A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. If youre using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. If youre using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#exchange-on-prem), and [Exchange hosted online](#exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
## Exchange on-prem
Use this procedure if you use Exchange on-prem.
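Review bot: The changed paragraph still reads "If youre using a hybrid deployment" (missing apostrophe) and "the provided Powershell script" (the same sentence uses "PowerShell" two lines earlier). Since the line is already being touched for the anchor fix, correct both in this change. The new #exchange-on-prem anchor matches the "## Exchange on-prem" heading visible in the context. The heading for #exchange-online is not shown in this hunk, so confirm that it resolves as well.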

View File

@ -34,5 +34,7 @@ Documents related to the Microsoft Surface Hub.
<td align="left"><p>[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)</p></td>
<td align="left"><p>This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.</p></td>
</tr>
<tr><td>[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)</td><td>This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.</td></tr><tr>
<td>[Change history for Surface Hub](change-history-surface-hub.md)</td><td>This topic lists new and updated topis in the Surface Hub documentation.</td></tr>
</tbody>
</table>
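Review bot: The added Change history row has a typo, "new and updated topis", which should read "topics". The two new rows also depart from the markup of the existing row above them: they omit align="left" and the inner p element, and the first new line ends with a dangling tr opening ("</td></tr><tr>") that belongs to the next row. Put each row on its own lines in the same form as the existing rows so the table renders consistently.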

View File

@ -23,16 +23,17 @@ Surface Hub has been validated with Microsofts first-party MDM providers:
You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol.
## <a href="" id="enroll-into-mdm"></a>Enroll a Surface Hub into MDM
You can enroll your Surface Hubs using automatic, bulk, or manual enrollment.
You can enroll your Surface Hubs using bulk or manual enrollment.
> [!NOTE]
> You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
**To disable automatic enrollment for Microsoft Intune**
1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory.
2. Click the **Applications** tab, then click **Microsoft Intune**.
3. Under **Manage devices for these users**, click **Groups**.
4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. Do not include accounts that are used to enroll Surface Hubs into Intune. 5. Click the checkmark button, then click **Save**.
>
> **To disable automatic enrollment for Microsoft Intune**
> 1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory.
> 2. Click the **Applications** tab, then click **Microsoft Intune**.
> 3. Under **Manage devices for these users**, click **Groups**.
> 4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. Do not include accounts that are used to enroll Surface Hubs into Intune.
> 5. Click the checkmark button, then click **Save**.
### Bulk enrollment
**To configure bulk enrollment**
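Review bot: The procedure titled "To disable automatic enrollment for Microsoft Intune" does not disable the policy. Step 4 has the admin select the groups that should be automatically enrolled and leave out the accounts used to enroll Surface Hubs. Retitle it to match the steps, for example "To exclude Surface Hub accounts from automatic enrollment", and reword "you must disable this policy for Surface Hub" in the note the same way, so an admin does not turn off automatic enrollment for the whole directory.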
@ -41,8 +42,6 @@ You can enroll your Surface Hubs using automatic, bulk, or manual enrollment.
- If you have an on-premises System Center Configuration Manager infrastructure, see [How to bulk enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx).
### Manual enrollment
You can manually enroll with an MDM using the **Settings** app on your Surface Hub.
**To configure manual enrollment**
1. From your Surface Hub, open **Settings**.
2. Type the device admin credentials when prompted.
@ -52,11 +51,11 @@ You can manually enroll with an MDM using the **Settings** app on your Surface H
## Manage Surface Hub settings with MDM
You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings)<!---, and some [Windows 10 settings](#supported-windows-10-settings)-->. Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
### Supported Surface Hub CSP settings
You can configure the Surface Hub settings in the following table using MDM. The table also tells if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
You can configure the Surface Hub settings in the following table using MDM. The table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
For more information, see [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx).
@ -73,7 +72,94 @@ For more information, see [SurfaceHub configuration service provider](https://ms
| Friendly name for wireless projection | Properties/FriendlyName | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Device account, including password rotation | DeviceAccount/*`<name_of_policy>`* <br> See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
### Supported Windows 10 settings
In addition to Surface Hub-specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the [Configuration service provider reference](https://msdn.microsoft.com/library/windows/hardware/dn920025.aspx).
The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML.
#### Security settings
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| -------- | -------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
#### Browser settings
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| -------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
#### Windows Update settings
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes|
| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
#### Windows Defender settings
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes |
#### Remote reboot
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Reboot the device immediately | Use in conjunction with OMS to minimize support costs see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes |
| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
#### Install certificates
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes. <br> See [Configure Intune certificate profiles](https://docs.microsoft.com/en-us/intune/deploy-use/configure-intune-certificate-profiles). | Yes. <br> See [How to create certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-certificate-profiles). | Yes |
<!--
| Install client certificates | Use to deploy Personal Information Exchange (.pfx, .p12) certificates. | [ClientCertificateInstall CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023.aspx) | Yes. <br> See [How to Create and Deploy PFX Certificate Profiles in Intune Standalone](https://blogs.technet.microsoft.com/karanrustagi/2016/03/16/want-to-push-a-certificate-to-device-but-cant-use-ndes-continue-reading/). | Yes. <br> See [How to create PFX certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-pfx-certificate-profiles). | Yes |
-->
#### Collect logs
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes |
<!--
| Collect security auditing logs | Use to remotely collect security auditing logs from Surface Hub. | SecurityAuditing node in [Reporting CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt608321.aspx) | No | No | Yes |-->
### Generate OMA URIs for settings
You need to use a settings OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager.
**To generate the OMA URI for any setting in the CSP documentation**
1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/<name of CSP>` <br>
*For example, the root node of the [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) is `./Vendor/MSFT/SurfaceHub`.*
2. Identify the node path for the setting you want to use. <br>
*For example, the node path for the setting to enable wireless projection is `InBoxApps/WirelessProjection/Enabled`.*
3. Append the node path to the root node to generate the OMA URI. <br>
*For example, the OMA URI for the setting to enable wireless projection is `./Vendor/MSFT/SurfaceHub/InBoxApps/WirelessProjection/Enabled`.*
The data type is also stated in the CSP documentation. The most common data types are:
- char (String)
- int (Integer)
- bool (Boolean)
## Example: Manage Surface Hub settings with Micosoft Intune
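Review bot: The heading on the last line of this hunk spells the product name "Micosoft Intune"; it should be "Microsoft Intune", and the typo will also end up in the section anchor generated from the heading. Two table cells run sentences together: "instead of Windows Update see [Windows updates]" in the WSUS row and "to minimize support costs see [Monitor your Microsoft Surface Hub]" in the Remote reboot row both need a period or semicolon before "see". The client-certificate row and the security-auditing row are kept inside HTML comments; if those settings are not supported on Surface Hub, delete the rows instead of leaving hidden content in the source.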

View File

@ -92,9 +92,9 @@ Once you've determined deployment rings for your Surface Hubs, configure update
> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
## Use Windows Server Update Services (WSUS)
## Use Windows Server Update Services
You can connect Surface Hub to your WSUS server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
You can connect Surface Hub to your indows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
**To manually connect a Surface Hub to a WSUS server:**
1. Open **Settings** on your Surface Hub.
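Review bot: The rewritten paragraph under "Use Windows Server Update Services" reads "your indows Server Update Services (WSUS) server"; the "W" of "Windows" was dropped. Because "(WSUS)" is also removed from the heading, check that no existing link still targets the anchor generated from the old heading text.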

View File

@ -16,7 +16,7 @@ localizationpriority: medium
This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.
Before you power on Microsoft Surface Hub for the first time, make sure you've [completed the checklist](prepare-your-environment-for-surface-hub.md#prepare-checklist) at the end of the [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) section, and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
Before you power on Microsoft Surface Hub for the first time, make sure you've [completed preparation items](prepare-your-environment-for-surface-hub.md), and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
## In this section

View File

@ -91,7 +91,7 @@ To download the required frameworks for the Surface app, follow these steps:
##Install Surface app on your computer with PowerShell
The following procedure provisions the Surface app onto your computer and makes it available for any user accounts created on the computer afterwards.
1. Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#how-to-download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file.
1. Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file.
2. Begin an elevated PowerShell session.
>**Note:**&nbsp;&nbsp;If you dont run PowerShell as an Administrator, the session wont have the required permissions to install the app.
3. In the elevated PowerShell session, copy and paste the following command:
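Review bot: In step 1 the link target becomes `#download-surface-app-from-a-windows-store-for-business-account`, but the link text still reads "How to download Surface app from a Windows Store for Business account"; if the section heading was renamed, update the link text to the new title so the two agree. The heading in this hunk is written `##Install Surface app ...` with no space after `##`, which some Markdown renderers do not treat as a heading.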
@ -119,7 +119,7 @@ Before the Surface app is functional on the computer where it has been provision
##Install Surface app with MDT
The following procedure uses MDT to automate installation of the Surface app at the time of deployment. The application is provisioned automatically by MDT during deployment and thus you can use this process with existing images. This is the recommended process to deploy the Surface app as part of a Windows deployment to Surface devices because it does not reduce the cross platform compatibility of the Windows image.
1. Using the procedure described [earlier in this article](#how-to-download-surface-app-from-a-windows-store-for-business-account), download the Surface app AppxBundle and license file.
1. Using the procedure described [earlier in this article](#download-surface-app-from-a-windows-store-for-business-account), download the Surface app AppxBundle and license file.
2. Using the New Application Wizard in the MDT Deployment Workbench, import the downloaded files as a new **Application with source files**.
3. On the **Command Details** page of the New Application Wizard, specify the default **Working Directory** and for the **Command** specify the file name of the AppxBundle, as follows:

View File

@ -5,6 +5,7 @@
### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
## [Working with Windows Store for Business education scenarios](education-scenarios-store-for-business.md)
## [Get Minecraft Education Edition](get-minecraft-for-education.md)
### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
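Review bot: The three Minecraft entries at the end of this hunk still use the old titles ("Get Minecraft Education Edition", "For teachers: get Minecraft Education Edition", "For IT administrators: get Minecraft Education Edition"), while this same commit renames the topic headings to "Get Minecraft: Education Edition", "For teachers - get Minecraft: Education Edition" and "For IT administrators - get Minecraft: Education Edition". Update the table-of-contents titles so navigation matches the page headings and the change-history entries.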

View File

@ -12,6 +12,14 @@ author: jdeckerMS
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
## November 2016
| New or changed topic | Description|
| --- | --- |
| [Working with Windows Store for Business education scenarios](education-scenarios-store-for-business.md) | New. Learn about education scenarios for Windows Store for Business. |
| [For teachers - get Minecraft: Education Edition](teacher-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. |
| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. |
## September 2016
| New or changed topic | Description|

View File

@ -728,7 +728,7 @@ To implement this method, perform the following steps:
Put the student information in the format the bulk-import feature requires.
2. Bulk-import the student information into Azure AD.
For more information about how to perform this step, see the [Bulk-import user and group accounts in Office 365](#bulk-import-user-and-group-accounts-in-office-365) section.
For more information about how to perform this step, see the [Bulk-import user and group accounts into Office 365](#bulk-import-user-and-group-accounts-into-office-365) section.
#### Summary

View File

@ -0,0 +1,180 @@
---
title: Education scenarios Windows Store for Business
description: Learn how IT admins and teachers can use Windows Store for Business to acquire and manage apps in schools.
keywords: ["school"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
author: trudyha
---
# Working with Windows Store for Business education scenarios
Learn about education scenarios for Windows Store for Business. IT admins and teachers can use Windows Store for Business to find, acquire, distribute, and manage apps.
## Manage Windows Store for Business settings
### Access to Windows Store for Business
Applies to: IT admins
By default, when a teacher with a work or school account acquires Minecraft: Education Edition,they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
However, tenant admins can control whether or not teachers automatically sign up for Windows Store for Business, and get the **Basic Purchaser** role. You can configure this with **Allow educators in my organization to sign up for the Windows Store for Business.** You'll find this on the **Permissions** page.
**To manage educator access to Windows Store for Business**
1. In Windows Store for Business, click **Settings**, and then click **Permissions**.
![Permission page for Windows Store for Business](images/minecraft-admin-permissions.png)
2. Select, or clear **Allow educators in my organization to sign up for the Windows Store for Business**.
### Windows Store for Business permissions
Applies to: IT admins
**Minecraft: Education Edition** adds a new role for teachers: **Basic Purchaser**. As an Admin, you can assign this role to teachers in your organization. When a teacher has been granted this role, they can:
- View the Minecraft: Education Edition product description page
- Acquire and manage Minecraft: Education Edition, and other apps from Store for Business
- Use info on Support page (including links to documentation and access to support through customer service)
![assign roles to manage Minecraft permissions](images/minecraft-perms.png)
**To assign Basic Purchaser role**
1. Sign in to Store for Business </br>
> [!NOTE]
> You need to be a Global Administrator, or have the Store for Business Admin role to access the **Permissions** page.
2. Click **Settings**, and then choose **Permissions**.
![Permission page for Windows Store for Business](images/minecraft-admin-permissions.png)
3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**.
![Permission page for Windows Store for Business](images/minecraft-assign-roles.png)
Windows Store for Business updates the list of people and permissions.
![Permission page for Windows Store for Business](images/minecraft-assign-roles-2.png)
### Private store
Applies to: IT admins
When you create you Windows Store for Business account, you'll have a set of apps included for free in your private store. Apps in your private store are available for all people in your organization to install and use.
These apps will automatically be in your private store:
- Word mobile
- Excel mobile
- PowerPoint mobile
- OneNote
- Sway
- Fresh Paint
- Minecraft: Education Edition
As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed.
## Manage domain settings
Applies to: IT admins
### Self-service sign up
Self-service sign up makes it easier for teachers and students in your organization to get started with **Minecraft: Education Edition**. If you have self-service sign up enabled in your tenant, teachers can assign **Minecraft: Education Edition** to students before they have a work or school account. Students receive an email that steps them through the process of signing up for a work or school account. For more information on self-service sign up, see [Using self-service sign up in your organization](https://support.office.com/article/Using-self-service-sign-up-in-your-organization-4f8712ff-9346-4c6c-bb63-a21ad7a62cbd?ui=en-US&rs=en-US&ad=US).
### Domain verification
For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Office 365 portal. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
## Acquire apps
Applies to: IT admins and teachers
Find apps for your school using Windows Store for Business. Admins in an education setting can use the same processes as Admins in an enterprise setting to find and acquire apps.
**To acquire apps**
- For info on how to acquire apps, see [Acquire apps in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business#acquire-apps)
**To add a payment method**
If you the app you purchase has a price, youll need to provide a payment method.
- Click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
For more information on payment options, see [payment options](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business#payment-options).
For more information on tax rates, see [tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information).
### Get started with Minecraft: Education Edition
Teachers and IT administrators can now get trials or subscriptions to Minecraft: Education Edition and add it to Windows Store for Business for distribution.
- [Get started with Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/get-minecraft-for-education)
- [For IT admins Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/school-get-minecraft)
- [For teachers Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/teacher-get-minecraft)
## Manage WSfB inventory
Applies to: IT admins and teachers
### Manage purchases
IT admins and teachers in educational settings can purchase apps from Windows Store for Business. Teachers need to have the Basic purchaser role, but if they've acquired Minecraft: Education Edition, they have the role by default.
While both groups can purchase apps, they can't manage purchases made by the other group.
Admins can:
- Manage and distribute apps they purchased and apps that are purchased by other admins in the organization.
- View apps purchased by teachers.
- View and manage apps on **Inventory**, under **Admin purchases**.
Teachers can:
- Manage and distribute apps they purchased.
- View and manage apps on **Inventory**, under **User purchases**.
> [!NOTE]
> Teachers can't manage or view apps purchased by other teachers, or purchased by admins. Teachers can only work with the apps they purchased.
### Distribute apps
Manage and distribute apps to students and others in your organization. Different options are avaialble for admins and teachers.
Applies to: IT admins
**To manage and distribute apps**
- For info on how to distribute **Minecraft: Education Edition**, see [For IT admins Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/school-get-minecraft#distribute_minecraft)
- For info on how to manage and distribute other apps, see [App inventory management - Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-management-windows-store-for-business)
Applies to: Teachers
For info on how to distribute **Minecraft: Education Edition**, see [For teachers Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/teacher-get-minecraft#distribute-minecraft).
**To assign an app to a student**
1. Sign in to the Store for Business.
2. Click **Manage**, and then choose **Inventory**.
3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
4. Type the email address, or name for the student that you're assigning the app to, and click **Confirm**.
Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
### Purchase additional licenses
Applies to: IT admins and teachers
You can manage current app licenses, or purchase more licenses for apps in your inventory.
**To purchase additional app licenses**
1. From **Inventory**, click an app.
2. On the app page, click **View app details**.
3. From this page, click **Buy more** to purchase more licenses</br>
-OR-</br>
Click **Manage** to distribute or reclaim current licenses.
You'll have a summary of current license availability.
**Minecraft: Education Edition subscriptions**
Similarly, you can purchase additional subscriptions of **Minecraft: Education Edition** through Windows Store for Business. Find **Minecraft: Education Edition** in your inventory and use the previous steps for purchasing additional app licenses.
## Manage WSfB order history
Applies to: IT admins and teachers
You can manage your orders through Windows Store for Business. For info on order history and how to refund an order, see [Manage app orders in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/manage-orders-windows-store-for-business).
It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**.
> [!NOTE]
For **Minecraft: Education Edition**, you can request a refund through Windows Store for Business for two months from the purchase date. After two months, refunds require a support call.
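Review bot: The paragraph after step 4 of "To assign an app to a student" says "Employees will receive an email", which does not match a procedure about students; change it to "Students". The final note block is malformed: the line after `> [!NOTE]` has no leading `>`, so the refund text will not render inside the note. Smaller fixes in this new file: "Edition,they" and "Window Store for Business" under "Access to Windows Store for Business", "When you create you Windows Store for Business account" under "Private store", "If you the app you purchase has a price" under "To add a payment method", "avaialble" under "Distribute apps", and "WSfB" appears in two headings without being spelled out first.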

View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerMS
---
# Get Minecraft Education Edition
# Get Minecraft: Education Edition
**Applies to:**
@ -26,7 +26,7 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio
## Prerequisites
- **Minecraft: Education Edition** requires Windows 10.
- Early access to **Minecraft: Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD).
- Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD).
- If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
* Office 365 Education, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan)
* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/library/windows/hardware/mt703369%28v=vs.85%29.aspx)


View File

@ -8,13 +8,13 @@ ms.sitesec: library
author: jdeckerMS
---
# For IT administrators: get Minecraft: Education Edition
# For IT administrators - get Minecraft: Education Edition
**Applies to:**
- Windows 10
When you sign up for early access to [Minecraft: Education Edition](http://education.minecraft.net), Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization.
When you sign up for a [Minecraft: Education Edition](http://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](http://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization.
> **Note**: If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
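Review bot: The rewritten opening sentence is split by a stray period: "When you sign up for a ... trial, or purchase a ... subscription. Minecraft will be added ..." leaves the first half as a fragment. Replace the period after "subscription" with a comma. The same link to education.minecraft.net is also repeated twice within that one sentence; linking the first mention is enough.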
@ -48,6 +48,8 @@ If youve been approved and are part of the Enrollment for Education Solutions
Now that the app is in your Store for Business inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft).
If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://technet.microsoft.com/edu/windows/education-scenarios-store-for-business#purchase-additional-licenses).
### <a href="" id="volume-license"></a>Minecraft: Education Edition - volume licensing
Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
@ -68,7 +70,7 @@ Admins can also add Minecraft: Education Edition to the private store. This allo
Here's the page you'll see for Minecraft: Education Edition licenses purchased directly through the Windows Store for Business.
![App distribution options - individual copies](images/mc-install-for-me-admin.png)
![App distribution options - individual copies](images/mc-install-for-me-teacher.png)
Here's the page you'll see for Minecraft: Education Edition licenses purchased through volume licensing.
@ -78,24 +80,24 @@ Here's the page you'll see for Minecraft: Education Edition licenses purchased t
You can install the app on your PC. This gives you a chance to test the app and know how you might help others in your organization use the app.
1. Sign in to Windows Store for Business.
2. Click **Manage**, and then click **Install for me**.
2. Click **Manage**, and then click **Install**.
![Minecraft Education Edition product page](images/mc-install-for-me-admin.png)
![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png)
3. Click **Install**.
### Assign to others
Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can download the app.
**To assign to others**
1. Sign in to Windows Store for Business.
2. Click **Manage**.
![Minecraft Education Edition product page](images/minecraft-assign-to-others.png)
3. Click **Assign to people**.
![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png)
3. Click **Invite people**.
![Assign to people](images/minecraft-assign-to-people.png)
4. Type the name, or email address of the student you want to assign the app to, and then click **Assign**.
4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.
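Review bot: In the install procedure at the top of this hunk, step 2 now ends with "click **Install**" while step 3 is still "Click **Install**", so the reader is told to click the same button twice; confirm against the current UI and drop or reword one of the steps. In "To assign to others", step 3 now reads "Click **Invite people**", but the screenshot alt text is still "Assign to people" and step 4 ends with "click **Assign**"; align the button names with what the page actually shows.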
@ -150,7 +152,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
![Windows Store app showing access to My Library](images/mc-dnld-others-admin.png)
![Windows Store app showing access to My Library](images/mc-dnld-others-teacher.png)
2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
@ -159,9 +161,9 @@ You'll download a .zip file, extract the files, and then use one of the files to
6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use.
## Manage Minecraft: Education Edition
<!--- ## Manage Minecraft: Education Edition -->
### Access to Windows Store for Business
<!--- ### Access to Windows Store for Business
By default, when a teacher with a work or school account acquires Minecraft: Education Edition, they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
However, tenant admins can control whether or not teachers automatically sign up for Windows Store for Business, and get the **Basic Purchaser** role. You can configure this with the **Allow educators in my organization to sign up for the Windows Store for Business.** You'll find this on the **Permissions** page.
@ -173,7 +175,9 @@ To prevent educators from automatically signing up for Windows Store for Busines
2. Click **Allow educators in my organization to sign up for the Windows Store for Business.**
### Roles and permissions
-->
<!--- ### Roles and permissions
Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**. When a teacher has been granted this role, they can:
- View the Minecraft product description page
- Acquire and manage the app
@ -200,7 +204,9 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**.
![Permission page for Windows Store for Business](images/minecraft-assign-roles-2.png)
## <a href="" id="private-store"></a>Private store
-->
<!--- ## <a href="" id="private-store"></a>Private store
When you create you Windows Store for Business account, you'll have a set of apps included for free in your private store. Apps in your private store are available for all people in your organization to install and use.
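Review bot: The "Private store" heading is wrapped in an HTML comment together with its `id="private-store"` anchor, so any link that targets `#private-store` in this topic will stop resolving; check for inbound links before merging. Since the same sections ("Access to Windows Store for Business", roles and permissions, "Private store") are added to education-scenarios-store-for-business.md in this commit, delete them here rather than commenting them out, which otherwise leaves a second copy of the text (including the "Window Store for Business" and "create you Windows Store" typos) to maintain. The comment openers are also written `<!---` with three dashes; use the standard `<!--`.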
@ -213,14 +219,16 @@ These apps will automatically be in your private store:
- Fresh Paint
- Minecraft: Education Edition
As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed.
As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed. -->
<!-- ## Need more copies of Minecraft: Education Edition?
<!--- ## Need more copies of Minecraft: Education Edition?
You can purchase more licenses by working with your channel partner. Licenses are available at a lower rate than the price for individual copies that are available through Windows Store for Business. Individual copies are also available through Windows Store for Business.
If youve purchased a volume license, be sure to let other basic purchasers in your organization know about the volume license. That should help prevent unnecessary purchases of individual copies. -->
## Learn more
[Working with Windows Store for Business education scenarios](education-scenarios-store-for-business.md) </br>
Learn about overall Windows Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
[Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business)

View File

@ -25,11 +25,9 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
- Students cant change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
> **Tip!**
> [!TIP]
> To exit **Take a Test**, press Ctrl+Alt+Delete.
## How you use Take a Test
![Use test account or test url in Take a Test](images/take-a-test-flow.png)
@ -47,7 +45,10 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
1. Sign into the device with an administrator account.
2. Go to **Settings** > **Accounts** > **Work or school access** > **Set up an account for taking tests**.
3. Select an existing account to use as the dedicated testing account.
>**Note**: If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I dont have this persons sign-in information** > **Add a user without a Microsoft account**.
> [!NOTE]
> If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I dont have this persons sign-in information** > **Add a user without a Microsoft account**.
4. Specify an assessment URL.
5. Click **Save**.
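Review bot: The `> [!NOTE]` block added under step 3 has to be indented to the list item's content level, otherwise the blockquote ends the ordered list and steps 4 and 5 no longer continue the numbering. The rendered diff does not show leading whitespace, so confirm the indentation in the source and check the built page.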

View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerMS
---
# For teachers: get Minecraft: Education Edition
# For teachers - get Minecraft: Education Edition
**Applies to:**
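Review bot: The H1 changes to "For teachers - get Minecraft: Education Edition", but the Related topics list later in this file still uses the colon form for the sibling page ("For IT admins: get Minecraft: Education Edition"). Pick one separator for both pages, and update the front-matter `title:` to match if it carries the old wording (it is outside this hunk's context).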
@ -38,6 +38,8 @@ Learn how teachers can get and distribute Minecraft: Education Edition.
![Get Minecraft app in Store](images/minecraft-get-the-app.png)
If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://technet.microsoft.com/edu/windows/education-scenarios-store-for-business#purchase-additional-licenses).
## Distribute Minecraft
After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options:
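Review bot: The added "Purchase additional licenses" link uses an absolute technet.microsoft.com URL, while the same target page is linked relatively as `education-scenarios-store-for-business.md` in this file's Related topics. Use the relative form with the `#purchase-additional-licenses` fragment so the link follows the file if it moves, and confirm that a heading with that anchor exists on the target page.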
@ -52,7 +54,7 @@ After Minecraft: Education Edition is added to your Windows Store for Business i
You can install the app on your PC. This gives you a chance to work with the app before using it with your students.
1. Sign in to Windows Store for Business.
2. Click **Manage**, and then click **Install for me**.
2. Click **Manage**, and then click **Install**.
![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png)
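Review bot: Step 2 now tells the reader to click **Install**, but the screenshot under it is still `images/mc-install-for-me-teacher.png`, the image that accompanied the old **Install for me** label. Check that the screenshot shows the new button text, and replace or rename it if not.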
@ -65,18 +67,18 @@ Enter email addresses for your students, and each student will get an email with
1. Sign in to Windows Store for Business.
2. Click **Manage**.
![Minecraft Education Edition product page](images/mc-assign-to-others-teacher.png)
![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png)
3. Click **Assign to people**.
3. Click **Invite people**.
![Assign to people](images/minecraft-assign-to-people.png)
4. Type the name, or email address of the student you want to assign the app to, and then click **Assign**.
You can only assign the app to students with work or school accounts. If you don't find the student, contact your IT admin to add a work or school account for the student.
4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
![Assign to people showing student name](images/minecraft-assign-to-people-name.png)
You can assign the app to students with work or school accounts. </br>
If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Office 365 portal where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
**To finish Minecraft install (for students)**
Students will receive an email with a link that will install the app on their PC.
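Review bot: Step 3 is renamed to **Invite people**, but step 4 still says "assign the app to" and "click **Assign**", and the screenshot after step 3 keeps the alt text "Assign to people". Align the verb and button names across steps 3 and 4 with what the UI shows. The screenshot under "Click **Manage**" is also switched to `mc-install-for-me-teacher.png`, the same image used in the install-for-yourself procedure, so verify it matches this step. The `</br>` after "work or school accounts." should be `<br>` or a paragraph break.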
@ -152,6 +154,9 @@ If you are still having trouble installing the app, you can get more help on our
## Related topics
[Working with Windows Store for Business education scenarios](education-scenarios-store-for-business.md) </br>
Learn about overall Windows Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
[Get Minecraft: Education Edition](get-minecraft-for-education.md)
[For IT admins: get Minecraft: Education Edition](school-get-minecraft.md)

View File

@ -109,7 +109,7 @@ Review the following information before you start the upgrade:
<td align="left"><p>You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V 5.0 SP3.</p>
<p>For more information, see:</p>
<ul>
<li><p>[About App-V 5.0](about-app-v-50.md#bkmk-diffs-46-50)</p></li>
<li><p>[About App-V 5.0](about-app-v-50.md) </p></li>
<li><p>[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v.md)</p></li>
</ul>
<p></p></td>
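Review bot: The replacement link drops the `#bkmk-diffs-46-50` fragment, so readers following the upgrade prerequisite land at the top of "About App-V 5.0" instead of the section the row refers to. If the anchor was removed from the target, restore an anchor there; if it still exists, keep the fragment. The new line also leaves a stray space before `</p>`.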
@ -521,7 +521,7 @@ You can manage connection groups more easily by using optional packages and othe
<tbody>
<tr class="odd">
<td align="left"><p>Management console</p></td>
<td align="left"><p>[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md#bkmk-admin-pub-pkg-only-posh)</p></td>
<td align="left"><p>[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md)</p></td>
</tr>
<tr class="even">
<td align="left"><p>PowerShell</p></td>

View File

@ -157,7 +157,6 @@ Complete the following steps to create an Office 2013 package for App-V 5.0 or l
**Important**  
In App-V 5.0 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
 
### Review prerequisites for using the Office Deployment Tool
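Review bot: The **Important** note in this hunk's context reads "you must the Office Deployment Tool to create a package", which is missing the verb "use". Since the hunk already touches the spacing around this note, fix the sentence in the same change.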
@ -189,11 +188,9 @@ The computer on which you are installing the Office Deployment Tool must have:
</tbody>
</table>
 
**Note**  
In this topic, the term “Office 2013 App-V package” refers to subscription licensing and volume licensing.
 
### Create Office 2013 App-V Packages Using Office Deployment Tool
@ -242,8 +239,6 @@ The XML file that is included in the Office Deployment Tool specifies the produc
**Note**  
The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file.
 
The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
<table>
@ -300,8 +295,6 @@ The XML file that is included in the Office Deployment Tool specifies the produc
</tbody>
</table>
 
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2013 applications that will later be converted into an App-V package. Below is an example command with description of details:
@ -811,7 +804,7 @@ The following table describes the requirements and options for deploying Visio 2
<tr class="odd">
<td align="left"><p>How do I package and publish Visio 2013 and Project 2013 with Office?</p></td>
<td align="left"><p>You must include Visio 2013 and Project 2013 in the same package with Office.</p>
<p>If you arent deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the [Virtualizing Microsoft Office 2013 for Application Virtualization (App-V) 5.0](../solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md#bkmk-pkg-pub-reqs).</p></td>
<p>If you arent deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).</p></td>
</tr>
<tr class="even">
<td align="left"><p>How can I deploy Visio 2013 and Project 2013 to specific users?</p></td>
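Review bot: The replacement link in the Visio 2013 and Project 2013 row points to "Deploying Microsoft Office 2010 by Using App-V", an Office 2010 topic, while the row and the link it replaces are about Office 2013 packaging and publishing requirements. Point the link at the Office 2013 requirements section instead, and restore the "the ... requirements" wording so the sentence "as long as you follow ..." reads correctly.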

View File

@ -62,7 +62,6 @@ Use the following table to get information about supported versions of Office an
</table>
 
### <a href="" id="bkmk-pkg-pub-reqs"></a>Packaging, publishing, and deployment requirements
Before you deploy Office by using App-V, review the following requirements.
@ -811,7 +810,7 @@ The following table describes the requirements and options for deploying Visio 2
<tr class="odd">
<td align="left"><p>How do I package and publish Visio 2013 and Project 2013 with Office?</p></td>
<td align="left"><p>You must include Visio 2013 and Project 2013 in the same package with Office.</p>
<p>If you arent deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the [Virtualizing Microsoft Office 2013 for Application Virtualization (App-V) 5.0](../solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md#bkmk-pkg-pub-reqs).</p></td>
<p>If you arent deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).</p></td>
</tr>
<tr class="even">
<td align="left"><p>How can I deploy Visio 2013 and Project 2013 to specific users?</p></td>
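Review bot: The old link targeted the fragment `#bkmk-pkg-pub-reqs`, and this file defines that id on the "Packaging, publishing, and deployment requirements" heading shown in the previous hunk. An in-page link to `#bkmk-pkg-pub-reqs` would fix the broken cross-folder path and keep the reference on Office 2013, whereas the replacement sends readers to the Office 2010 topic.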

View File

@ -11,8 +11,6 @@ ms.prod: w10
# How to Create a Connection Group with User-Published and Globally Published Packages
You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods:
- [How to use PowerShell cmdlets to create the user-entitled connection groups](#bkmk-posh-userentitled-cg)
@ -46,8 +44,7 @@ You can create user-entitled connection groups that contain both user-published
</table>
 
**How to use PowerShell cmdlets to create user-entitled connection groups**
<a href="" id="bkmk-posh-userentitled-cg"></a>**How to use PowerShell cmdlets to create user-entitled connection groups**
1. Add and publish packages by using the following commands:
@ -67,7 +64,7 @@ You can create user-entitled connection groups that contain both user-published
**Enable-AppvClientConnectionGroup  -GroupId CG\_Group\_ID -VersionId CG\_Version\_ID**
**How to use the App-V Server to create user-entitled connection groups**
<a href="" id="bkmk-appvserver-userentitled-cg"></a>**How to use the App-V Server to create user-entitled connection groups**
1. Open the App-V 5.0 Management Console.

View File

@ -45,9 +45,7 @@ You can create user-entitled connection groups that contain both user-published
</tbody>
</table>
 
**How to use PowerShell cmdlets to create user-entitled connection groups**
<a href="" id="bkmk-posh-userentitled-cg"></a>**How to use PowerShell cmdlets to create user-entitled connection groups**
1. Add and publish packages by using the following commands:
@ -67,7 +65,7 @@ You can create user-entitled connection groups that contain both user-published
**Enable-AppvClientConnectionGroup  -GroupId CG\_Group\_ID -VersionId CG\_Version\_ID**
**How to use the App-V Server to create user-entitled connection groups**
<a href="" id="bkmk-appvserver-userentitled-cg"></a>**How to use the App-V Server to create user-entitled connection groups**
1. Open the App-V 5.1 Management Console.

View File

@ -15,7 +15,7 @@ ms.prod: w10
Use the following procedure to install the Microsoft Application Virtualization (App-V) 5.1 client and Remote Desktop Services client. You must install the version of the client that matches the operating system of the target computer.
**What to do before you start**
<a href="" id="bkmk-clt-install-prereqs"></a>**What to do before you start**
1. Review and install the software prerequisites:
@ -143,8 +143,6 @@ Use the following procedure to install the Microsoft Application Virtualization
**Note**  
The client Windows Installer (.msi) supports the same set of switches, except for the **/LOG** parameter.
 
<table>
<colgroup>
<col width="50%" />

View File

@ -15,7 +15,7 @@ ms.prod: w10
Use the following procedure to install the Microsoft Application Virtualization (App-V) 5.0 client and Remote Desktop Services client. You must install the version of the client that matches the operating system of the target computer.
**What to do before you start**
<a href="" id="bkmk-clt-install-prereqs"></a>**What to do before you start**
1. Review and install the software prerequisites:

View File

@ -88,12 +88,12 @@ Review the following requirements for using the App-V PowerShell cmdlets:
<td align="left"><p>Run the <strong>Set-AppvClientConfiguration</strong> cmdlet with the <strong>-RequirePublishAsAdmin</strong> parameter.</p></td>
<td align="left"><ul>
<li><p>[How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md#bkmk-admin-only-posh-topic-cg)</p></li>
<li><p>[How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md#bkmk-admins-pub-pkgs)</p></li>
<li><p>[How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md)</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Enable the “Require publish as administrator” Group Policy setting for App-V Clients.</p></td>
<td align="left"><p>[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md#bkmk-admin-pub-pkg-only-posh)</p></td>
<td align="left"><p>[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md) </p></td>
</tr>
</tbody>
</table>
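Review bot: Anchor handling in this table is inconsistent: the first link keeps `#bkmk-admin-only-posh-topic-cg` while the next two lose `#bkmk-admins-pub-pkgs` and `#bkmk-admin-pub-pkg-only-posh`. If the fragments were removed because the ids no longer exist in the targets, say so in the commit message; otherwise keep them so the rows still link to the specific procedure. The rewritten Management Console line also leaves a stray space before `</p>`.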
@ -105,8 +105,6 @@ Review the following requirements for using the App-V PowerShell cmdlets:
 
## <a href="" id="bkmk-load-cmdlets"></a>Loading the PowerShell cmdlets
To load the PowerShell cmdlet modules:
1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
@ -143,8 +141,6 @@ To load the PowerShell cmdlet modules:
 
## <a href="" id="bkmk-get-cmdlet-help"></a>Getting help for the PowerShell cmdlets
Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
<table>
@ -204,15 +200,13 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
 
## <a href="" id="bkmk-display-help-cmdlet"></a>Displaying the help for a PowerShell cmdlet
To display help for a specific PowerShell cmdlet:
1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
2. Type **Get-Help** &lt;*cmdlet*&gt;, for example, **Get-Help Publish-AppvClientPackage**.
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue**? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
 

View File

@ -88,12 +88,12 @@ Review the following requirements for using the App-V PowerShell cmdlets:
<td align="left"><p>Run the <strong>Set-AppvClientConfiguration</strong> cmdlet with the <strong>-RequirePublishAsAdmin</strong> parameter.</p></td>
<td align="left"><ul>
<li><p>[How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md#bkmk-admin-only-posh-topic-cg)</p></li>
<li><p>[How to Manage App-V 5.1 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md#bkmk-admins-pub-pkgs)</p></li>
<li><p>[How to Manage App-V 5.1 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md)</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Enable the “Require publish as administrator” Group Policy setting for App-V Clients.</p></td>
<td align="left"><p>[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-51.md#bkmk-admin-pub-pkg-only-posh)</p></td>
<td align="left"><p>[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-51.md)</p></td>
</tr>
</tbody>
</table>
@ -106,7 +106,6 @@ Review the following requirements for using the App-V PowerShell cmdlets:
## <a href="" id="bkmk-load-cmdlets"></a>Loading the PowerShell cmdlets
To load the PowerShell cmdlet modules:
1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
@ -140,11 +139,7 @@ To load the PowerShell cmdlet modules:
</tbody>
</table>
 
## <a href="" id="bkmk-get-cmdlet-help"></a>Getting help for the PowerShell cmdlets
Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
<table>
@ -201,11 +196,7 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
</tbody>
</table>
 
## <a href="" id="bkmk-display-help-cmdlet"></a>Displaying the help for a PowerShell cmdlet
To display help for a specific PowerShell cmdlet:
1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).

View File

@ -27,7 +27,7 @@ This topic explains the following procedures:
- [To allow only administrators to enable connection groups](#bkmk-admin-only-posh-topic-cg)
**To add and publish the App-V packages in the connection group**
<a href="" id="bkmk-add-pub-pkgs-in-cg"></a>**To add and publish the App-V packages in the connection group**
1. To add and publish the App-V 5.0 packages to the computer running the App-V client, type the following command:
@ -35,7 +35,7 @@ This topic explains the following procedures:
2. Repeat **step 1** of this procedure for each package in the connection group.
**To add and enable the connection group on the App-V client**
<a href="" id="bkmk-add-enable-cg-on-clt"></a>**To add and enable the connection group on the App-V client**
1. Add the connection group by typing the following command:
@ -47,7 +47,7 @@ This topic explains the following procedures:
When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection groups virtual environment and will be available to all the virtual applications in the other packages in the connection group.
**To enable or disable a connection group for a specific user**
<a href="" id="bkmk-enable-cg-for-user-poshtopic"></a>**To enable or disable a connection group for a specific user**
1. Review the parameter description and requirements:
@ -88,9 +88,7 @@ This topic explains the following procedures:
</tbody>
</table>
 
**To allow only administrators to enable connection groups**
<a href="" id="bkmk-admin-only-posh-topic-cg"></a>**To allow only administrators to enable connection groups**
1. Review the description and requirement for using this cmdlet:
@ -126,8 +124,6 @@ This topic explains the following procedures:
</tbody>
</table>
 
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
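Review bot: The footer line in this hunk's context still has the broken emphasis `**Got an App-V issu**e?`, which this same commit corrects to `**Got an App-V issue**?` in the PowerShell cmdlets topic. Apply the same fix here so the two footers match.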

View File

@ -27,7 +27,7 @@ This topic explains the following procedures:
- [To allow only administrators to enable connection groups](#bkmk-admin-only-posh-topic-cg)
**To add and publish the App-V packages in the connection group**
<a href="" id="bkmk-add-pub-pkgs-in-cg"></a>*To add and publish the App-V packages in the connection group**
1. To add and publish the App-V 5.1 packages to the computer running the App-V client, type the following command:
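Review bot: The new heading line opens with a single asterisk after the anchor (`</a>*To add and publish ...**`), so the bold markup is unbalanced and will render with literal asterisks. It should read `</a>**To add and publish the App-V packages in the connection group**`, as in the 5.0 version of this topic changed in the same commit.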
@ -35,7 +35,7 @@ This topic explains the following procedures:
2. Repeat **step 1** of this procedure for each package in the connection group.
**To add and enable the connection group on the App-V client**
<a href="" id="bkmk-add-enable-cg-on-clt"></a>**To add and enable the connection group on the App-V client**
1. Add the connection group by typing the following command:
@ -47,7 +47,7 @@ This topic explains the following procedures:
When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection groups virtual environment and will be available to all the virtual applications in the other packages in the connection group.
**To enable or disable a connection group for a specific user**
<a href="" id="bkmk-enable-cg-for-user-poshtopic"></a>**To enable or disable a connection group for a specific user**
1. Review the parameter description and requirements:
@ -88,9 +88,7 @@ This topic explains the following procedures:
</tbody>
</table>
 
**To allow only administrators to enable connection groups**
<a href="" id="bkmk-admin-only-posh-topic-cg"></a>**To allow only administrators to enable connection groups**
1. Review the description and requirement for using this cmdlet:

View File

@ -31,7 +31,7 @@ This topic explains how to:
- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured.
**Update an application in an existing virtual application package**
<a href="" id="bkmk-update-app-in-pkg"></a>**Update an application in an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@ -46,8 +46,6 @@ This topic explains how to:
**Important**  
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package.
 
6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**.
@ -55,16 +53,12 @@ This topic explains how to:
**Note**  
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
 
8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**.
9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**.
**Note**  
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
 
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.  
10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**.
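Review bot: The re-added copy of the "You can stop an application from loading during this step" note ends with trailing whitespace after "**Stop this application only**.", which Markdown treats as a hard line break. The rest of the commit removes spacer lines like this, so strip the trailing characters here as well.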
@ -72,7 +66,7 @@ This topic explains how to:
11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer.
**Modify the properties associated with an existing virtual application package**
<a href="" id="bkmk-chg-props-in-pkg"></a>**Modify the properties associated with an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@ -111,11 +105,9 @@ This topic explains how to:
**Note**  
To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
 
6. When you finish changing the package properties, click **File** &gt; **Save** to save the package.
**Add a new application to an existing virtual application package**
<a href="" id="bkmk-add-app-to-pkg"></a>**Add a new application to an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@ -130,8 +122,6 @@ This topic explains how to:
**Important**  
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
 
6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** &gt; **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you dont overwrite the existing version of the virtual application package.
@ -139,8 +129,6 @@ This topic explains how to:
**Note**  
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
 
8. On the **Configure Software** page, optionally run the programs contained in the package. This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**.
9. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information, and then click **Next** to open the **Customize** page.
@ -154,8 +142,6 @@ This topic explains how to:
**Note**  
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
 
12. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**.
To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful for providing application versions and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. The uncompressed package size is displayed. Click **Create**.
@ -166,7 +152,6 @@ This topic explains how to:
## Related topics
[Operations for App-V 5.1](operations-for-app-v-51.md)
 

View File

@ -31,7 +31,7 @@ This topic explains how to:
- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured.
**Update an application in an existing virtual application package**
<a href="" id="bkmk-update-app-in-pkg"></a>**Update an application in an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@ -46,8 +46,6 @@ This topic explains how to:
**Important**  
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package.
 
6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**.
@ -55,8 +53,6 @@ This topic explains how to:
**Note**  
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
 
8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**.
9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**.
@ -64,15 +60,13 @@ This topic explains how to:
**Note**  
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
 
10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**.
To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful to identify the application version and provide other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. Click **Create**.
11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer.
**Modify the properties associated with an existing virtual application package**
<a href="" id="bkmk-chg-props-in-pkg"></a>**Modify the properties associated with an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@ -101,11 +95,9 @@ This topic explains how to:
**Note**  
To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
 
6. When you finish changing the package properties, click **File** &gt; **Save** to save the package.
**Add a new application to an existing virtual application package**
<a href="" id="bkmk-add-app-to-pkg"></a>**Add a new application to an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@ -120,8 +112,6 @@ This topic explains how to:
**Important**  
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
 
6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** &gt; **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you dont overwrite the existing version of the virtual application package.
@ -129,8 +119,6 @@ This topic explains how to:
**Note**  
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
 
8. On the **Configure Software** page, optionally run the programs contained in the package. This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**.
9. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information, and then click **Next** to open the **Customize** page.
@ -144,8 +132,6 @@ This topic explains how to:
**Note**  
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
 
12. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**.
To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful for providing application versions and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. The uncompressed package size is displayed. Click **Create**.
@ -156,7 +142,6 @@ This topic explains how to:
## Related topics
[Operations for App-V 5.0](operations-for-app-v-50.md)
 

View File

@ -30,7 +30,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
 
**To open the Administration and Monitoring Website**
<a href="" id="bkmk-openadmin"></a>**To open the Administration and Monitoring Website**
1. Open a web browser and navigate to the Administration and Monitoring Website. The default URL for the Administration and Monitoring Website is:
@ -47,7 +47,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
 
**To generate an Enterprise Compliance Report**
<a href="" id="bkmk-enterprise"></a>**To generate an Enterprise Compliance Report**
1. From the Administration and Monitoring Website, select the **Reports** node from the left navigation pane, select **Enterprise Compliance Report**, and select the filters that you want to use. The available filters for the Enterprise Compliance Report are:
@ -61,7 +61,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
4. Select the plus sign (+) next to the computer name to view information about the volumes on the computer.
**To generate a Computer Compliance Report**
<a href="" id="bkmk-computercomp"></a>**To generate a Computer Compliance Report**
1. From the Administration and Monitoring Website, select the **Report** node from the left navigation pane, and then select **Computer Compliance Report**. Use the Computer Compliance Report to search for **User name** or **Computer name**.
@ -74,9 +74,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
**Note**  
An MBAM client computer is considered compliant if the computer matches or exceeds the requirements of the MBAM Group Policy settings.
 
**To generate a Recovery Key Audit Report**
<a href="" id="bkmk-recoverykey"></a>**To generate a Recovery Key Audit Report**
1. From the Administration and Monitoring Website, select the **Report** node in the left navigation pane, and then select **Recovery Audit Report**. Select the filters for your Recovery Key Audit Report. The available filters for recovery key audits are as follows:
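Review bot: The title anchored here is "To generate a Recovery Key Audit Report", but step 1 tells the reader to select **Recovery Audit Report**, so the report is named two different ways within three lines. Step 1 also says the **Report** node, while the Enterprise Compliance procedure earlier in this file says the **Reports** node. Since these procedure titles are being touched anyway, align the names with the labels the website actually shows.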

View File

@ -11,19 +11,11 @@ ms.prod: w10
# How to Recover a Moved Drive
This topic explains how to use the Administration and Monitoring Website (also referred to as the Help Desk) to recover an operating system drive that was moved after being encrypted by Microsoft BitLocker Administration and Monitoring (MBAM). When a drive is moved, it no longer accepts the PIN that was used in the previous computer because the Trusted Platform Module (TPM) chip has changed. To recover the moved drive, you must obtain the recovery key ID to retrieve the recovery password.
To recover a moved drive, you must use the **Drive Recovery** area of the Administration and Monitoring Website. To access the **Drive Recovery** area, you must be assigned the MBAM Helpdesk Users role or the MBAM Advanced Helpdesk Users role. For more information about these roles, see [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md#bkmk-helpdesk-roles).
**Note**  
You may have given these roles different names when you created them. For more information, see [Access accounts for the Administration and Monitoring Website (Help Desk)](#bkmk-helpdesk-roles).
 
**To recover a moved drive**
1. On the computer that contains the moved drive, start the computer in Windows Recovery Environment (WinRE) mode, or start the computer by using the Microsoft Diagnostic and Recovery Toolset (DaRT).
2. After the computer has been started with WinRE or DaRT, MBAM will treat the moved operating system drive as a fixed data drive. MBAM will then display the drives recovery password ID and ask for the recovery password.
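Review bot: The Note kept in this hunk links to `#bkmk-helpdesk-roles` as a same-page anchor, but the paragraph directly above links that same id in planning-for-mbam-25-groups-and-accounts.md, and nothing visible in this topic defines it. Given that this commit is repairing anchors, either point the Note's link at the planning topic as well or confirm that the id exists on this page.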

View File

@ -283,16 +283,21 @@ MBAM supports the following versions of Configuration Manager.
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft System Center 2012 R2 Configuration Manager</p></td>
<td align="left"><p>Microsoft System Center Configuration Manager (Current Branch), version 1606</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft System Center 2012 R2 Configuration Manager</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft System Center 2012 Configuration Manager</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td align="left"><p>Microsoft System Center Configuration Manager 2007 R2 or later</p></td>
<td align="left"><p>SP1 or later</p></td>
<td align="left"><p>64-bit</p>

View File

@ -72,8 +72,7 @@ Before you install the MBAM Client software on end users' computers, ensure that
 
**Important**  
If BitLocker was used without MBAM, you must decrypt the drive and then clear TPM using tpm.msc. MBAM cannot take ownership of TPM if the client PC is already encrypted and the TPM owner password created.
If BitLocker was used without MBAM, MBAM can be installed and utilize the existing TPM information.
 
## Got a suggestion for MBAM?
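Review bot: The replacement sentence under **Important** reverses the earlier instruction (decrypt the drive, then clear the TPM with tpm.msc) without saying what changed or under which conditions MBAM can use the existing TPM information. The removed text said MBAM could not take ownership when the client was already encrypted and the TPM owner password had been created, so the new text should state how that case is handled now and which MBAM versions it applies to. If no action is left for the reader, reconsider whether this still belongs in an **Important** callout.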

View File

@ -66,7 +66,7 @@ Windows PowerShell Help for MBAM cmdlets is available in the following formats:
<tbody>
<tr class="odd">
<td align="left"><p>At a Windows PowerShell command prompt, type <strong>Get-Help</strong> &lt;<em>cmdlet</em>&gt;</p></td>
<td align="left"><p>To upload the latest Windows PowerShell cmdlets, follow the instructions in [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md#bkmk-loadposhhelp)</p></td>
<td align="left"><p>To upload the latest Windows PowerShell cmdlets, follow the instructions in [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)</p></td>
</tr>
<tr class="even">
<td align="left"><p>On TechNet as webpages</p></td>
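Review bot: Dropping `#bkmk-loadposhhelp` from the link in the **Get-Help** row leaves readers at the top of configuring-mbam-25-server-features-by-using-windows-powershell.md with no pointer to the help-loading steps. If that anchor no longer exists, link to the section's current anchor or name the section in the sentence. The cell also says "upload the latest Windows PowerShell cmdlets" although the row is about Get-Help and the removed fragment was named loadposhhelp, so "load" looks like the intended word.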

View File

@ -51,7 +51,7 @@ Follow these steps to configure your MED-V image for running first time setup:
After you have completed customization of your MED-V image, you are ready to seal the image by using Sysprep.
**Sealing the MED-V Image by Using Sysprep**
<a href="" id="bkmk-seal"></a>**Sealing the MED-V Image by Using Sysprep**
1. The System Preparation tool (Sysprep) is a technology that you can use to perform image-based installations throughout the network with minimal intervention by an administrator or IT-Professional.

View File

@ -29,7 +29,7 @@ You can add and remove URL redirection information by performing one of the foll
- [Edit the URL Redirection Text File and Rebuild the MED-V Workspace](#bkmk-edittext)
**To update URL Redirection information by using Group Policy**
<a href="" id="bkmk-editreg"></a>**To update URL Redirection information by using Group Policy**
1. Edit the registry key multi-string value that is named `RedirectUrls`. This value is typically located at:
@ -44,7 +44,7 @@ This method of editing URL redirection information is a MED-V best practice.
 
**To rebuild the MED-V workspace by using an updated URL text file**
<a href="" id="bkmk-edittext"></a>**To rebuild the MED-V workspace by using an updated URL text file**
- Another method of adding and removing URLs from the redirection list is to update the URL redirection text file and then use it to build a new MED-V workspace. You can then redeploy the MED-V workspace as before, by using your standard process of deployment, such as an ESD system.

View File

@ -47,21 +47,15 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
3. **MED-V Host Agent Installation File** installs the Host Agent (MED-V\_HostAgent\_Setup installation file). For more information, see [How to Manually Install the MED-V Host Agent](how-to-manually-install-the-med-v-host-agent.md).
**Warning**  
Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution.
 
Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution.  
4. **MED-V Workspace Installer, VHD, and Setup Executable** created in the **MED-V Workspace Packager**. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md).
**Important**  
The compressed virtual hard disk file (.medv) and the Setup executable program (setup.exe) must be in the same folder as the MED-V workspace installer. Then, install the MED-V workspace installer by running setup.exe.
 
**Tip**  
Because problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe.
 
Because problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe.  
3. Configure the packages to run in silent mode (no user interaction is required).
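Review bot: The **Tip** line rewritten in this hunk still reads "Because problems that can occur when you install MED-V from a network location", which is not a complete clause; drop "that" while the line is being touched. The change also replaces the spacer lines after the **Warning** and **Tip** text with two trailing spaces on the text lines themselves. Trailing whitespace is easily stripped by editors, so check that the numbered list still renders as intended.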
@ -70,15 +64,11 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
**Note**  
Installation of Windows Virtual PC requires you to restart the computer. You can create a single installation process and install all the components at the same time if you suppress the restart and ignore the prerequisites necessary for MED-V to install. You can also do this by using command-line arguments. For an example of these arguments, see [To install the MED-V components by using a batch file](#bkmk-batch). MED-V automatically starts when the computer is restarted.
 
4. Install MED-V and its components before installing Windows Virtual PC. See the example batch file later in this topic.
**Important**  
Select the **IGNORE\_PREREQUISITES** option as shown in the example batch file so that the MED-V components can be installed prior to the required VPC components. Install the MED-V components in this order to allow for the single restart.
 
5. Identify any other requirements necessary for the installation and for your software distribution system, such as target platforms and the free disk space.
6. Assign the packages to the target set of computers/users.
@ -91,7 +81,7 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
First time setup starts and might take several minutes to finish, depending on the size of the virtual hard disk that you specified and the number of policies applied to the MED-V workspace on startup. The end user can track the progress by watching the MED-V icon in the notification area. For more information about first time setup, see [MED-V 2.0 Deployment Overview](med-v-20-deployment-overview.md).
**To install the MED-V components by using a batch file**
<a href="" id="bkmk-batch"></a>**To install the MED-V components by using a batch file**
1. Run the installation at a command prompt with administrative credentials.

View File

@ -15,7 +15,7 @@ ms.prod: w7
After your test of first time setup finishes, you can verify that the application publishing functionality is working as expected by performing the following tasks.
**To test application publishing**
<a href="" id="bkmk-apppub"></a>**To test application publishing**
1. Verify that the applications that you specified for publishing are visible.
@ -34,8 +34,6 @@ After your test of first time setup finishes, you can verify that the applicatio
**Important**  
Because Windows Virtual PC does not support creating a share from a folder that is already shared, redirection does not occur for any documents that open from a shared folder, such as a My Documents folder that is located on the network. For more information, see [Operations Troubleshooting](operations-troubleshooting-medv2.md).
 
After you have verified that published applications are installed and functioning correctly, you can test whether applications can be added or removed from the MED-V workspace.
**To test that an application can be added or removed**
@ -51,15 +49,12 @@ After you have verified that published applications are installed and functionin
**Note**  
If you encounter any problems when verifying your application publication settings, see [Operations Troubleshooting](operations-troubleshooting-medv2.md).
 
After you have completed testing application publishing, you can test other MED-V workspace configurations to verify that they function as intended.
After you have completed testing your MED-V workspace package and have verified that it is functioning as intended, you can deploy the MED-V workspace to your enterprise.
## Related topics
[How to Test URL Redirection](how-to-test-url-redirection.md)
[How to Verify First Time Setup Settings](how-to-verify-first-time-setup-settings.md)

View File

@ -18,9 +18,7 @@ After your test of first time setup finishes, you can verify that the URL redire
**Important**  
The MED-V Host Agent must be running for URL redirection to function correctly.
 
**To test URL Redirection**
<a href="" id="bkmk-urlredir"></a>**To test URL Redirection**
1. Open an Internet Explorer browser in the host computer and enter a URL that you specified for redirection.
@ -45,20 +43,15 @@ The MED-V Host Agent must be running for URL redirection to function correctly.
**Note**  
It can take several seconds for the URL redirection changes to take place.
 
**Note**  
If you encounter any problems when verifying your URL redirection settings, see [Operations Troubleshooting](operations-troubleshooting-medv2.md).
 
After you have completed testing URL redirection in your MED-V workspace, you can test other configurations to verify that they function as intended.
After you have completed testing your MED-V workspace package and have verified that it is functioning as intended, you can deploy the MED-V workspace to your enterprise.
## Related topics
[How to Test Application Publishing](how-to-test-application-publishing.md)
[How to Verify First Time Setup Settings](how-to-verify-first-time-setup-settings.md)

View File

@ -103,9 +103,7 @@ It might be necessary to change the PowerShell execution policy to allow these s
2. In the **User Agent** tab, set the **PowerShell Execution Policy** to **Bypass**
 
**Create the First UE-V Policy Configuration Item**
<a href="" id="create"></a>**Create the First UE-V Policy Configuration Item**
1. Copy the default settings configuration file from the UE-V Config Pack installation directory to a location visible to your ConfigMgr Admin Console:
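Review bot: `id="create"` on the new anchor is generic and departs from the `bkmk-` prefix used by most of the other anchors added in this commit (for example `bkmk-seal` and `bkmk-batch`), which makes a clash with another id on the page more likely. A more specific, prefixed id would be safer, with any in-page links updated to match. Separately, the context step sets **PowerShell Execution Policy** to **Bypass** while the section only says the change "might be necessary"; a sentence on when it is actually required would keep readers from loosening the policy by default.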
@ -173,8 +171,6 @@ It might be necessary to change the PowerShell execution policy to allow these s
3. Reimport the CAB file. The version in ConfigMgr will be updated.
## Generate a UE-V Template Baseline
UE-V templates are distributed using a baseline containing multiple configuration items. Each configuration item contains the discovery and remediation scripts needed to install one UE-V template. The actual UE-V template is embedded within the remediation script for distribution using standard Configuration Item functionality.
The UE-V template baseline is created using the UevTemplateBaselineGenerator.exe command line tool, which has these parameters:

View File

@ -45,7 +45,7 @@ This workflow diagram provides a high-level understanding of a UE-V deployment a
![deploymentworkflow](images/deploymentworkflow.png)
**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components youll be deploying. Planning a UE-V deployment involves these things:
<a href="" id="planning"></a>**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components youll be deploying. Planning a UE-V deployment involves these things:
- [Decide whether to synchronize settings for custom applications](#deciding)

View File

@ -91,7 +91,7 @@ To verify your Active Directory-based activation configuration, complete the fol
6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
**Note**<br>
If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmrg.vbs /dlv** command also indicates whether KMS has been used.
If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)

View File

@ -22,18 +22,18 @@ VAMT can be installed on, and can manage, physical or virtual instances. VAMT ca
- [Enterprise Environment](#bkmk-enterpriseenvironment)
- [VAMT User Interface](#bkmk-userinterface)
## Managing Multiple Activation Key (MAK) and Retail Activation
## <a href="" id="bkmk-managingmak"></a>Managing Multiple Activation Key (MAK) and Retail Activation
You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
## Managing Key Management Service (KMS) Activation
## <a href="" id="bkmk-managingkms"></a>Managing Key Management Service (KMS) Activation
In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
## Enterprise Environment
## <a href="" id="bkmk-enterpriseenvironment"></a>Enterprise Environment
VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
@ -42,7 +42,7 @@ VAMT is commonly implemented in enterprise environments. The following illustrat
In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
## VAMT User Interface
## <a href="" id="bkmk-userinterface"></a>VAMT User Interface
The following screenshot shows the VAMT graphical user interface.

View File

@ -33,7 +33,7 @@ The following sections and procedures are provided in this guide:
- [Log entry structure](#log-entry-structure): The format of a log entry is described.
- [Analyze log files](#analyze-log-files): General procedures for log file analysis, and an example.
- [Resolution procedures](#resolution-procedures): Causes and mitigation procedures associated with specific error codes.
- [0xC1900101](#0xC1900101): Information about the 0xC1900101 result code.
- [0xC1900101](#0xc1900101): Information about the 0xC1900101 result code.
- [0x800xxxxx](#0x800xxxxx): Information about result codes that start with 0x800.
- [Other result codes](#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
- [Other error codes](#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
@ -866,7 +866,7 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
<TD>[Analyze log files](#analyze-log-files) to determine the issue.</TD></TR>
<TR><TD>0xC1900101 - 0x4001E
<TD>Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.
<TD>This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xC1900101) section of this guide and review general troubleshooting procedures described in that section.</TD></TR>
<TD>This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xc1900101) section of this guide and review general troubleshooting procedures described in that section.</TD></TR>
<TR><TD>0x80070005 - 0x4000D
<TD>The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.
<TD>[Analyze log files](#analyze-log-files) to determine the data point that is reporting access denied.</TD></TR>

View File

@ -32,7 +32,7 @@ If you specify an &lt;exclude&gt; rule, always specify a corresponding &lt;inclu
- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-c-data-except-files-in-c-data-tmp)
- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp)
- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders)
@ -246,7 +246,7 @@ The following .xml file unconditionally excludes the system folders of `C:\Windo
</component>
</migration>
```
## Create a Config.xml File
## Create a Config XML File
You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows.
- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the &lt;Applications&gt; section of the Config.xml file.
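Review bot: Renaming the heading to "Create a Config XML File" makes it disagree with the paragraph directly beneath it, which keeps calling the file Config.xml and describes creating it with **/genconfig**. If the rename is only there to get a predictable anchor, keep the real file name in the heading and give the section an explicit anchor instead, as other files in this commit do with `<a id="...">`.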

View File

@ -23,7 +23,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
>**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
>**Free upgrade**: The Windows 10 free upgrade offer expired on July 29, 2016. For more information, see [Free upgrade paths](#Free-upgrade-paths).
>**Free upgrade**: The Windows 10 free upgrade offer expired on July 29, 2016. For more information, see [Free upgrade paths](#free-upgrade-paths).
✔ = Full upgrade is supported including personal data, settings, and applications.<BR>
D = Edition downgrade; personal data is maintained, applications and settings are removed.

View File

@ -37,7 +37,7 @@ In this topic:
- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add domain devices to the GPO membership group

View File

@ -25,11 +25,11 @@ To complete these procedures, you must be a member of the Domain Administrators
In this topic:
- [Add the test devices to the GPO membership groups](#to-add-domain-devices-to-the-gpo-membership-group)
- [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-groups)
- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add test devices to the GPO membership groups

View File

@ -27,7 +27,7 @@ You can access these audit policy settings through the Local Security Policy sna
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
**Account Logon**
## Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories:
@ -36,7 +36,7 @@ Configuring policy settings in this category can help you document attempts to a
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
**Account Management**
## Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
@ -47,7 +47,7 @@ The security audit policy settings in this category can be used to monitor chang
- [Audit Security Group Management](audit-security-group-management.md)
- [Audit User Account Management](audit-user-account-management.md)
**Detailed Tracking**
## Detailed Tracking
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories:
@ -57,7 +57,7 @@ Detailed Tracking security policy settings and audit events can be used to monit
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
**DS Access**
## DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
@ -66,7 +66,7 @@ DS Access security audit policy settings provide a detailed audit trail of attem
- [Audit Directory Service Changes](audit-directory-service-changes.md)
- [Audit Directory Service Replication](audit-directory-service-replication.md)
**Logon/Logoff**
## Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
@ -82,11 +82,11 @@ Logon/Logoff security policy settings and audit events allow you to track attemp
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Special Logon](audit-special-logon.md)
**Object Access**
## Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess).
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
This category includes the following subcategories:
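Review bot: "object Aaccess auditing subcategory" in the Object Access paragraph has a stray capital A. Since this hunk already edits the section, correct it to "object access auditing subcategory". The new `#global-object-access-auditing` target only resolves because of the heading rename to "Global Object Access Auditing" further down this file, so the two changes need to stay together.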
@ -105,7 +105,7 @@ This category includes the following subcategories:
- [Audit SAM](audit-sam.md)
- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
**Policy Change**
## Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:
@ -116,7 +116,7 @@ Policy Change audit events allow you to track changes to important security poli
- [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
**Privilege Use**
## Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
@ -124,7 +124,7 @@ Permissions on a network are granted for users or computers to complete defined
- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
**System**
## System
System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:
@ -134,7 +134,7 @@ System security policy settings and audit events allow you to track system-level
- [Audit Security System Extension](audit-security-system-extension.md)
- [Audit System Integrity](audit-system-integrity.md)
**Global Object Access**
## Global Object Access Auditing
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.

View File

@ -36,7 +36,7 @@ Highlighted area|Area name|Description
:---|:---|:---
(1)|**Alerts queue**| Select to show **New**, **In Progress**, or **Resolved alerts**
(2)|Alerts|Each alert shows:<ul><li>The severity of an alert as a colored bar</li><li>A short description of the alert, including the name of the threat actor (in cases where the attribution is possible)</li><li>The last occurrence of the alert on any machine</li><li>The number of days the alert has been in the queue</li><li>The severity of the alert</li><li>The general category or type of alert, or the alert's kill-chain stage</li><li>The affected machine (if there are multiple machines, the number of affected machines will be shown)</li><li>A **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) that allows you to update the alert's status and add comments</li></ul>Clicking an alert expands to display more information about the threat and brings you to the date in the timeline when the alert was detected.
(3)|Alerts sorting and filters | You can sort alerts by: <ul><li>**Newest** (when the threat was last seen on your network)</li><li>**Time in queue** (how long the threat has been in your queue)</li><li>**Severity**</li></ul>You can also filter the displayed alerts by:<ul><li>Severity</li><li>Time period</li></ul>See [Windows Defender ATP alerts](use-windows-defender-advanced-threat-protection.md#windows-defender-atp-alerts) for more details.
(3)|Alerts sorting and filters | You can sort alerts by: <ul><li>**Newest** (when the threat was last seen on your network)</li><li>**Time in queue** (how long the threat has been in your queue)</li><li>**Severity**</li></ul>You can also filter the displayed alerts by:<ul><li>Severity</li><li>Time period</li></ul>See [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) for more details.
##Sort and filter the Alerts queue
You can filter and sort (or "pivot") the Alerts queue to identify specific alerts based on certain criteria.
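Review bot: The context line `##Sort and filter the Alerts queue` has no space after the hashes, and renderers that follow CommonMark will print it as literal text instead of a heading. While fixing the link in row (3), change it to `## Sort and filter the Alerts queue`, otherwise any link to that section has no anchor to land on.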

View File

@ -117,7 +117,7 @@ When you need to recover the TPM owner information from AD DS and use it to man
**To obtain TPM owner backup information from AD DS and create a password file**
1. Sign in to a domain controller by using domain administrator credentials.
2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer.
2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#bkmk-get-tpmownerinfo), to a location on your computer.
3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step.
4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**.
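Review bot: In step 2 the new target `#bkmk-get-tpmownerinfo` is an explicit-id style anchor, not a slug generated from a heading, so it only works if the sample script section carries an element with exactly that id. Confirm that id exists in this topic, or link to the heading slug of the section that holds Get-TPMOwnerInfo.vbs.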

View File

@ -319,7 +319,7 @@ When an administrator selects the **Require BitLocker backup to AD DS** check b
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#bkmk-adretro) to capture the information after connectivity is restored.
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
## <a href="" id="bkmk-security"></a>Security

View File

@ -17,7 +17,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
| New or changed topic | Description |
| --- | --- |
|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Added Microsoft Remote Desktop information. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about the icon overlay option. This icon now only appears on corporate files in the Save As and File Explore views |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about where the optioanl icon overlay appears.|
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added content about using ActiveX controls.|
|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |New |
|[VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
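Review bot: The replacement description in the second row contains a typo, "optioanl", which should be "optional". The new wording also drops what actually changed (the old entry named the Save As and File Explorer views), so consider keeping that detail in the change-history entry.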

View File

@ -160,7 +160,7 @@ For this example, were going to add Internet Explorer, a desktop app, to the
</tr>
<tr>
<td>All fields left as “*”</td>
<td>All files signed by any publisher. (Not recommended.)</td>
<td>All files signed by any publisher. (Not recommended)</td>
</tr>
<tr>
<td><strong>Publisher</strong> selected</td>

View File

@ -80,7 +80,7 @@ For this example, were going to add Microsoft OneNote, a store app, to the **
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Store App** from the **Rule template** drop-down list.
@ -164,7 +164,7 @@ For this example, were going to add Internet Explorer, a desktop app, to the
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Desktop App** from the **Rule template** drop-down list.
@ -304,7 +304,7 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.

View File

@ -100,11 +100,13 @@ The following tables describes additional hardware and firmware requirements, an
## Manage Credential Guard
Credential Guard uses virtualization-based security features that must be enabled on each PC before you can use it.
### Enable Credential Guard
Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
### Turn on Credential Guard by using Group Policy
#### Turn on Credential Guard by using Group Policy
You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed.
You can use Group Policy to enable Credential Guard because it will add the virtualization-based security features for you.
1. From the Group Policy Management Console, go to **Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard**.
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
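Review bot: Step 3 of the Group Policy procedure reads as a fragment: "**Select Platform Security Level** box, choose ...". It should start with "In the", with the bold applied to the control name, as in "In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**." The rest of the procedure is being reworked in this hunk, so this is the place to fix it.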
@ -114,43 +116,46 @@ You can use Group Policy to enable Credential Guard because it will add the virt
5. Close the Group Policy Management Console.
### Add Credential Guard to an image
To enforce processing of the group policy, you can run ```gpupdate /force```.
If you would like to add Credential Guard to an image, you can do this by adding the virtualization-based security features and then turning on Credential Guard.
#### Turn on Credential Guard by using the registry
### Add the virtualization-based security features
If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
First, you must add the virtualization-based security features. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
##### Add the virtualization-based security features
Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
> [!NOTE]
> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
 
**Add the virtualization-based security features by using Programs and Features**
1. Open the Programs and Features control panel.
2. Click **Turn Windows feature on or off**.
3. Go to **Hyper-V** -&gt; **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
4. Click **OK**.
4. Select the **Isolated User Mode** check box at the top level of the feature selection.
5. Click **OK**.
**Add the virtualization-based security features to an offline image by using DISM**
1. Open an elevated command prompt.
2. Add the Hyper-V Hypervisor by running the following command:
``` syntax
dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
```
3. Add the Isolated User Mode feature by running the following command:
``` syntax
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
```
> [!NOTE]
> You can also add these features to an online image by using either DISM or Configuration Manager.
In Windows 10, version 1607 and Windows Server 2016, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode:
``` syntax
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
```
### Turn on Credential Guard
If you don't use Group Policy, you can enable Credential Guard by using the registry.
**Turn on Credential Guard by using the registry**
##### Enable virtualization-based security and Credential Guard
1. Open Registry Editor.
2. Enable virtualization-based security:
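Review bot: The new sentence "To enforce processing of the group policy, you can run ..." wraps `gpupdate /force` in three backticks inline, which some renderers treat as the start of a fenced block and which swallows the following text; use single backticks. The restructuring also pushes headings down to five hashes ("##### Add the virtualization-based security features", "##### Enable virtualization-based security and Credential Guard"), which many themes render no differently from body text, so consider keeping the bold procedure titles at that depth.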
@ -166,14 +171,30 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi
> [!NOTE]
> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
**Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool**
<span id="hardware-readiness-tool" />
#### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot
```
 
#### Credential Guard deployment in virtual machines
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
``` PowerShell
Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
```
Requirements for running Credential Guard in Hyper-V virtual machines
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
### Remove Credential Guard
If you have to remove Credential Guard on a PC, you need to do the following:
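Review bot: `<span id="hardware-readiness-tool" />` is written as a self-closing tag, but HTML has no self-closing span, so a browser treats it as an open span that wraps the heading and everything after it. Write `<span id="hardware-readiness-tool"></span>`, or drop it and link to the heading's own slug. In the added virtual machine text, "non-priviledged" should be "non-privileged", "and running at least" should be "and run at least" to match the other items in the list, and the line "Requirements for running Credential Guard in Hyper-V virtual machines" needs a trailing colon or bold so it reads as the lead-in to the list.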

View File

@ -51,7 +51,7 @@ This tile shows you a list of machines with the highest number of active alerts.
![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png)
Click the name of the machine to see details about that machine. For more information see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine).
Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
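Review bot: After this change, both paragraphs under the tile end with the same "For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view]" link, so the reference is now duplicated two lines apart. Drop it from one of the two paragraphs or merge them. The comma in both also belongs before "see", not after it.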

View File

@ -30,4 +30,4 @@ Windows Defender will continue to receive updates, and the *mspeng.exe* process
The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md).
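Review bot: The sentence still tells the reader to "see the **Compatibility** section", but the new link drops the fragment and lands at the top of windows-defender-in-windows-10.md. The old fragment was broken only by the stray space after `#`; restore it without the space once you have confirmed the slug of that section, or reword the sentence so it no longer promises a specific section.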

View File

@ -74,9 +74,9 @@ When finished, the files will be saved to your desktop. You can double-click the
To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be added to the code integrity policy, and the catalog file can be distributed to the individual client computers.
For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtool.exe).
For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtoolexe).
For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](deploy-code-integrity-policies-steps.md#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
## Catalog signing with SignTool.exe
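Review bot: The second link drops the `deploy-code-integrity-policies-steps.md` prefix and becomes an in-page link to `#add-a-catalog-signing-certificate-to-a-code-integrity-policy`, which only works if this topic contains a heading with that title. The only heading visible in the hunk is "Catalog signing with SignTool.exe", so confirm the target section lives in this file before merging. If it lives in the other topic, keep the file name and fix only the fragment.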

View File

@ -20,7 +20,7 @@ Hardware-based security features, also called virtualization-based security or V
2. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).
3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic.
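Review bot: In step 3 the fragment now points at `#windows-feature-requirements-for-virtualization-based-security-and-device-guard`, but the link text still reads "Windows feature requirements for virtualization-based security". Update the link text to the full section title so it matches the heading the reader arrives at. The same applies to the identical link in the later hunk of this file.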
@ -46,7 +46,7 @@ After you enable the feature or features, you can enable VBS for Device Guard, a
## Enable Virtualization Based Security (VBS) and Device Guard
Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
There are multiple ways to configure VBS features for Device Guard:

View File

@ -82,7 +82,7 @@ This URL will match that seen in the Firewall or network activity.</td>
<td>Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
The service could not contact the external processing servers at that URL.</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity).</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>6</td>
@ -145,13 +145,13 @@ It may take several hours for the endpoint to appear in the portal.</td>
<td>Windows Defender Advanced Threat Protection cannot start command channel with URL: ```variable```.</td>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
The service could not contact the external processing servers at that URL.</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>17</td>
<td>Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
@ -202,7 +202,7 @@ Ensure real-time antimalware protection is running properly.</td>
<td>28</td>
<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
@ -218,7 +218,7 @@ Ensure real-time antimalware protection is running properly.</td>
<td>31</td>
<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.</td>
<td>[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).</td>
<td>[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).</td>
</tr>
<tr>
<td>32</td>
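Review bot: in the event 31 row, the description says "An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.", which mixes onboarding and offboarding for an unregistration failure. Since the row is already being edited for the link, confirm which phase is meant and make the two sentences agree.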
@ -237,7 +237,7 @@ If the identifier does not persist, the same machine might appear twice in the p
<td>34</td>
<td>Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>

View File

@ -131,7 +131,7 @@ The following table lists the Group Policy settings that you can configure for H
</td>
</tr>
<tr>
<td><a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone Sign-in</a></td>
<td><a href="prepare-people-to-use-microsoft-passport.md#bmk-remote">Phone Sign-in</a></td>
<td>
<p>Use Phone Sign-in</p>
<div class="alert"><b>Note</b>  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.</div>
@ -289,8 +289,8 @@ The following table lists the MDM policy settings that you can configure for Win
<td>Device or user</td>
<td>False</td>
<td>
<p>True: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone sign-in</a> is enabled.</p>
<p>False: <a href="prepare-people-to-use-microsoft-passport.md#BMK_remote">Phone sign-in</a> is disabled.</p>
<p>True: <a href="prepare-people-to-use-microsoft-passport.md#bmk-remote">Phone sign-in</a> is enabled.</p>
<p>False: <a href="prepare-people-to-use-microsoft-passport.md#bmk-remote">Phone sign-in</a> is disabled.</p>
</td>
</tr>
</table>

View File

@ -40,7 +40,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
2. On the **Action** menu, click **Initialize TPM** to start the TPM Initialization Wizard.
3. If the TPM has never been initialized or is turned off, the TPM Initialization Wizard displays the **Turn on the TPM security hardware** dialog box. This dialog box provides guidance for initializing or turning on the TPM. Follow the instructions in the wizard.
>**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#bkmk-setownership) procedure.
>**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the **To set ownership of the TPM** procedure.
 
>**Note:**  If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM.
 
@ -57,7 +57,7 @@ To finish initializing the TPM for use, you must set an owner for the TPM. The p
**To set ownership of the TPM**
1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure [To start the TPM Initialization Wizard](#bkmk-starttpminitwizard).
1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure **To start the TPM Initialization Wizard**.
2. In the **Create the TPM owner password** dialog box, click **Automatically create the password (recommended)**.
3. In the **Save your TPM owner password** dialog box, click **Save the password**.
4. In the **Save As** dialog box, select a location to save the password, and then click **Save**. The password file is saved as *computer\_name.tpm*.
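Review bot: step 1 now names the earlier procedure in bold instead of linking to it, so the reader loses the jump to **To start the TPM Initialization Wizard**; the previous hunk does the same for **To set ownership of the TPM**. If `#bkmk-starttpminitwizard` and `#bkmk-setownership` no longer resolve, consider restoring an anchor on the two procedure titles, or promoting them to headings so a slug exists, rather than dropping both cross-references.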

View File

@ -69,7 +69,7 @@ The threat category filter lets you filter the view by the following categories:
- Threat
- Low severity
For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections).
For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#machines-with-active-malware-detections).
You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file.
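Review bot: the link text "Investigate machines with active alerts" no longer matches its target, which is now `#machines-with-active-malware-detections`. Align the link text with the section it points to, and move the misplaced comma while touching the line ("see, [Investigate" should read "category, see [Investigate").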
@ -81,7 +81,7 @@ Investigate the details of an alert raised on a specific machine to identify oth
You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
- The [Machines view](#Investigate-machines-in-the-Windows-Defender-ATP-Machines-view)
- The [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- Any individual alert
@ -104,7 +104,7 @@ You'll see an aggregated view of alerts, a short description of the alert, detai
This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alerts-spotlight) feature to see the correlation between alerts and events on a specific machine.
You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-spotlight) feature to see the correlation between alerts and events on a specific machine.
![The timeline shows an interactive history of the alerts seen on a machine](images/timeline.png)

View File

@ -44,7 +44,7 @@ To isolate Windows Store apps on your network, you need to use Group Policy to d
- [Prerequisites](#prerequisites)
- [Step 1: Define your network](#step-1-Define-your-network)
- [Step 1: Define your network](#step-1-define-your-network)
- [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules)

View File

@ -81,7 +81,7 @@ The default Administrator account is initially installed differently for Windows
In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required.
In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. For more information, see [Security considerations](#sec-administrator-security).
In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**.
**Account group membership**
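Review bot: the last sentence of the client paragraph, "For more information, see [Security considerations](#sec-administrator-security).", is deleted outright instead of being re-pointed. If the topic still has a security considerations section for the Administrator account, link to its current heading slug so the guidance on leaving the account disabled keeps its follow-up reference.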

View File

@ -108,7 +108,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
## Windows Defender signature updates are configured
The Windows Defender ATP agent depends on Windows Defenders ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md).
When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md).
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
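Review bot: the passive-mode sentence still tells the reader to "see the **Compatibility** section", but the link now lands at the top of windows-defender-in-windows-10.md. The old fragment failed only because of the space after `#`; using `#compatibility-with-windows-defender-advanced-threat-protection` without the space would keep the deep link. The unchanged line above also reads "Windows Defenders ability" and is missing its apostrophe.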

View File

@ -149,7 +149,7 @@ If the deployment tools used does not indicate an error in the onboarding proces
Event ID | Message | Resolution steps
:---|:---|:---
5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).
7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.

View File

@ -30,8 +30,8 @@ The TPM Services Group Policy settings are located at:
| [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) | X| X| X| X| X| X|
| [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)| | X| X| X|||
| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X|||
| [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X| X|||
| [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X| X||||
| [Standard User Individual Lockout Threshold](#bkmk-individual)| X| X| X| X|||
| [Standard User Total Lockout Threshold](#bkmk-total)| X| X| X| X||||
### <a href="" id="bkmk-tpmgp-addsbu"></a>Turn on TPM backup to Active Directory Domain Services
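Review bot: the "Standard User Total Lockout Threshold" row still ends in `||||`, one more cell than the neighbouring rows that end in `|||`, so the table gains a stray column; drop one pipe while the line is being changed. The new fragments `#bkmk-individual` and `#bkmk-total` also break from the `bkmk-tpmgp-*` pattern used by every other row, so confirm the matching `id` attributes exist under those exact names.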

View File

@ -193,5 +193,5 @@ The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Wind
| ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled<br/>1 = Enabled |
| EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled<br />1 (Default) = Enabled |
| EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled<br />1 (Default) = Enabled |
| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control:-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled<br />1 (Default) = Enabled |
| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled<br />1 (Default) = Enabled |
| EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled<br />1 (Default) = Enabled |

View File

@ -21,7 +21,7 @@ This guide provides a detailed description of the most important security improv
#### Introduction
Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors. Three broad categories of security work went into Windows 10:
- [**Identity and access control**](#identity) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users credentials.
- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users credentials.
- [**Information protection**](#information) that guards information at rest, in use, and in transit. In addition to BitLocker and BitLocker To Go for protection of data at rest, Windows 10 includes file-level encryption with Enterprise Data Protection that performs data separation and containment and, when combined with Rights Management services, can keep data encrypted when it leaves the corporate network. Windows 10 can also help keep data secure by using virtual private networks (VPNs) and Internet Protocol Security.
- [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10.
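Review bot: only the first bullet is moved to a heading slug (`#identity-and-access-control`); the two bullets below it still use the short fragments `#information` and `#malware`. If the short `#identity` fragment was broken, these two are likely broken in the same way and should be updated in the same change.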
@ -436,7 +436,7 @@ The functionality a TPM provides includes:
Microsoft combined this small list of TPM benefits with Windows 10 and other hardware security technologies to provide practical security and privacy benefits.
Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measure-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PCs TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measured-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PCs TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
Windows 10 supports TPM implementations that comply with either the 1.2 or 2.0 standards. Several improvements have been made in the TPM 2.0 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. At the time the TPM 1.2 standard was created in the early 2000s, these algorithms were considered cryptographically strong. Since that time, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection as well as the ability to plug in algorithms that may be preferred in certain geographies or industries. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself.
@ -576,7 +576,7 @@ The core functionality and protection of Device Guard starts at the hardware lev
Device Guard leverages VBS to isolate its Hypervisor Code Integrity (HVCI) service, which enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processors IOMMU functionality to force all software running in kernel mode to safely allocate memory. This means that after memory has been allocated, its state must be changed from writable to read only or execute only. By forcing memory into these states, it helps ensure that attacks are unable to inject malicious code into kernel mode processes and drivers through techniques such as buffer overruns or heap spraying. In the end, the VBS environment protects the Device Guard HVCI service from tampering even if the operating systems kernel has been fully compromised, and HVCI protects kernel mode processes and drivers so that a compromise of this magnitude can't happen in the first place.
Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the users derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the users derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach youve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#dgwithcg) section.
Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the users derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the users derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach youve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#device-guard-with-credential-guard) section.
#### Device Guard with AppLocker

View File

@ -36,7 +36,7 @@ This guide is intended for IT pros, system administrators, and IT managers, and
| Section | Description |
| - | - |
| [Set profile global defaults](#set-profile-global-defaults) | Enable and control firewall behavior|
| [Set profile global defaults](#bkmk-profileglobaldefaults) | Enable and control firewall behavior|
| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules|
| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`|
| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters|
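Review bot: the first row switches from a heading slug to `#bkmk-profileglobaldefaults`, while the other rows in this table keep slug-style fragments such as `#deploy-basic-firewall-rules`, and the rest of this commit moves away from `bkmk-` ids. Confirm the target heading really carries an explicit `id="bkmk-profileglobaldefaults"`; if it does not, the original slug was the correct one.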

View File

@ -9,7 +9,7 @@
### [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
### [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
### [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
### [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
#### [Configure Windows Update for Business](waas-configure-wufb.md)
#### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)

View File

@ -209,6 +209,19 @@ For each app in your inventory, you can view and manage license details. This gi
Store for Business updates the list of assigned licenses.
### Purchase additional licenses
You can purchase additional licenses for apps in your Inventory.
**To purchase additional app licenses**
1. Sign in to [Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845)
2. Click **Manage**, and then choose **Inventory**.
3. From **Inventory**, click an app.
4. On the app page, click **View app details**.
5. From this page, click **Buy more** for additional licenses, or click **Manage** to work with your current licenses.
You'll have a summary of current license availability.
### <a href="" id="download-offline-licensed-apps"></a>Download offline-licensed app
Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store.
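Review bot: in the new "Purchase additional licenses" procedure, step 1 has no closing period while steps 2 to 5 do, and the trailing sentence "You'll have a summary of current license availability." sits outside the list with no indication of which page it describes. Add the period and fold the sentence into step 5, or state that the summary appears after clicking **Buy more**.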

View File

@ -16,7 +16,7 @@ ms.prod: w10
You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods:
- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-powershell-cmdlets-to-create-user-entitled-connection-groups)
- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-windows-powershell-cmdlets-to-create-user-entitled-connection-groups)
- [How to use the App-V Server to create user-entitled connection groups](#how-to-use-the-app-v-server-to-create-user-entitled-connection-groups)

View File

@ -243,7 +243,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
**Note**<br>
The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file.
The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-XML-file), later in this topic.
The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-xml-file), later in this topic.
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.

View File

@ -80,7 +80,7 @@ Set-AppvClientConfiguration -SharedContentStoreMode 1
The Sequencer is a tool that is used to convert standard applications into virtual packages for deployment to computers that run the App-V client. The Sequencer helps provide a simple and predictable conversion process with minimal changes to prior sequencing workflows. In addition, the Sequencer allows users to more easily configure applications to enable connections of virtualized applications.
For a list of changes in the App-V Sequencer, see [What's new in App-V](appv-about-appv.md#bkmk-seqimprove).
For a list of changes in the App-V Sequencer, see [What's new in App-V](appv-about-appv.md).
To deploy the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md).

View File

@ -75,9 +75,9 @@ Review the following requirements for using the Windows PowerShell cmdlets:
<p>To configure these cmdlets to require an elevated command prompt, use one of the following methods:</p>
<ul>
<li><p>Run the <strong>Set-AppvClientConfiguration</strong> cmdlet with the <strong>-RequirePublishAsAdmin</strong> parameter.</p>
<p>For more information, see:<br>[How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md#bkmk-admin-only-posh-topic-cg)<br>[How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs).</p></li>
<p>For more information, see:<br>[How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)<br>[How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs).</p></li>
<li><p>Enable the “Require publish as administrator” Group Policy setting for App-V Clients.</p>
<p>For more information, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md#bkmk-admin-pub-pkg-only-posh)</p></li>
<p>For more information, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md)</p></li>
</ul>
</td>
</tr>
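Review bot: two of the three links lose their fragments, but the second link on the same line keeps `#bkmk-admins-pub-pkgs`, so the treatment is inconsistent. The connection-groups topic gains a heading in this same commit whose slug is `#to-allow-only-administrators-to-enable-connection-groups`; pointing the first link there would preserve the deep link instead of sending readers to the top of the page.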

View File

@ -20,15 +20,15 @@ A connection group XML file defines the connection group for the App-V client. F
This topic explains the following procedures:
- [To add and publish the App-V packages in the connection group](#bkmk-add-pub-pkgs-in-cg)
- [To add and publish the App-V packages in the connection group](#to-add-and-publish-the-app-v-packages-in-the-connection-group)
- [To add and enable the connection group on the App-V client](#bkmk-add-enable-cg-on-clt)
- [To add and enable the connection group on the App-V client](#to-add-and-enable-the-connection-group-on-the-app-v-client)
- [To enable or disable a connection group for a specific user](#bkmk-enable-cg-for-user-poshtopic)
- [To enable or disable a connection group for a specific user](#to-enable-or-disable-a-connection-group-for-a-specific-user)
- [To allow only administrators to enable connection groups](#bkmk-admin-only-posh-topic-cg)
- [To allow only administrators to enable connection groups](#to-allow-only-administrators-to-enable-connection-groups)
**To add and publish the App-V packages in the connection group**
## To add and publish the App-V packages in the connection group
1. To add and publish the App-V packages to the computer running the App-V client, type the following command:
@ -36,7 +36,7 @@ This topic explains the following procedures:
2. Repeat **step 1** of this procedure for each package in the connection group.
**To add and enable the connection group on the App-V client**
## To add and enable the connection group on the App-V client
1. Add the connection group by typing the following command:
@ -48,7 +48,7 @@ This topic explains the following procedures:
When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection groups virtual environment and will be available to all the virtual applications in the other packages in the connection group.
**To enable or disable a connection group for a specific user**
## To enable or disable a connection group for a specific user
1. Review the parameter description and requirements:
@ -89,9 +89,7 @@ This topic explains the following procedures:
</tbody>
</table>
 
**To allow only administrators to enable connection groups**
## To allow only administrators to enable connection groups
1. Review the description and requirement for using this cmdlet:

View File

@ -16,11 +16,11 @@ ms.prod: w10
This topic explains how to:
- [Update an application in an existing virtual application package](#bkmk-update-app-in-pkg)
- [Update an application in an existing virtual application package](#update-an-application-in-an-existing-virtual-application-package)
- [Modify the properties associated with an existing virtual application package](#bkmk-chg-props-in-pkg)
- [Modify the properties associated with an existing virtual application package](#modify-the-properties-associated-with-an-existing-virtual-application-package)
- [Add a new application to an existing virtual application package](#bkmk-add-app-to-pkg)
- [Add a new application to an existing virtual application package](#add-a-new-application-to-an-existing-virtual-application-package)
**Before you update a package:**
@ -32,7 +32,7 @@ This topic explains how to:
- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured.
**Update an application in an existing virtual application package**
## Update an application in an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@ -47,25 +47,17 @@ This topic explains how to:
**Important**  
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package.
 
6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**.
**Note**  
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
 
>**Note**&nbsp;&nbsp;The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**.
9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**.
**Note**  
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
 
>**Note**&nbsp;&nbsp;You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**.
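Review bot: In step 5 the **Important** callout about disabling virus scanning is left as plain bold text, while the two **Note** callouts in this hunk are converted to `>**Note**&nbsp;&nbsp;…` and the same callout under "Add a new application" later in this file becomes `>**Important**&nbsp;&nbsp;…`. Convert this one as well so the scan-before-sequencing warning renders the same way in both procedures, and align the wording ("are added" here, "can be added" there). Another file in this commit uses the `> [!NOTE]` form, so it is worth settling on one callout syntax.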
@ -73,7 +65,8 @@ This topic explains how to:
11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer.
**Modify the properties associated with an existing virtual application package**
## Modify the properties associated with an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@ -109,14 +102,11 @@ This topic explains how to:
- Add or edit shortcuts and file type associations.
**Note**  
To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
 
>**Note**&nbsp;&nbsp;To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
6. When you finish changing the package properties, click **File** &gt; **Save** to save the package.
**Add a new application to an existing virtual application package**
## Add a new application to an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@ -128,19 +118,13 @@ This topic explains how to:
5. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or cause the revised package to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** &gt; **Next**.
**Important**  
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
 
>**Important**&nbsp;&nbsp;If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** &gt; **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you dont overwrite the existing version of the virtual application package.
**Note**  
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
 
>**Note**&nbsp;&nbsp;The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
8. On the **Configure Software** page, optionally run the programs contained in the package. This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**.
@ -152,10 +136,7 @@ This topic explains how to:
11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**.
**Note**  
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
 
>**Note**&nbsp;&nbsp;You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
12. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**.

View File

@ -21,7 +21,7 @@ Before you can use App-V, you must install the App-V Sequencer, enable the App-V
App-V uses a process called sequencing to create virtualized applications and application packages. Sequencing requires the use of a computer that runs the App-V Sequencer.
> [!NOTE]
> For information about the new functionality of App-V sequencer, see [What's new in App-V](appv-about-appv.md#bkmk-seqimprove).
> For information about the new functionality of App-V sequencer, see [What's new in App-V](appv-about-appv.md).
The computer that runs the App-V sequencer must meet the minimum system requirements. For a list of these requirements, see [App-V Supported Configurations](appv-supported-configurations.md).
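Review bot: The link in the note loses its fragment (`appv-about-appv.md#bkmk-seqimprove` becomes `appv-about-appv.md`), so a reader looking for the sequencer changes now lands at the top of "What's new in App-V" and has to find the section. If that topic still has a sequencer section, link to its heading slug instead of dropping the anchor.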

View File

@ -26,15 +26,14 @@ Use the following information to plan how to deploy Office by using Microsoft Ap
## <a href="" id="bkmk-lang-pack"></a>App-V support for Language Packs
You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office 2013 package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group.
You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group.
**Note**  
Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack.
 
## <a href="" id="bkmk-office-vers-supp-appv"></a>Supported versions of Microsoft Office
<!-- As of February 28, 2017, the first row of the table should be updated, because at that point, support for the Office 2013 version of Office 365 will end. It might also be good to have a link to this KB article: https://support.microsoft.com/kb/3199744 -->
The following table lists the versions of Microsoft Office that App-V supports, methods of Office package creation, supported licensing, and supported deployments.
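Review bot: The HTML comment added under "Supported versions of Microsoft Office" is a dated to-do (update the first table row as of February 28, 2017) that no reader or build step will surface. Track the date in a work item instead, and if the KB article at https://support.microsoft.com/kb/3199744 is useful to readers, link it in the visible text next to the table rather than leaving it in a comment.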
@ -55,7 +54,7 @@ The following table lists the versions of Microsoft Office that App-V supports,
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Office 365 ProPlus</p>
<td align="left"><p>Office 365 ProPlus (either the Office 2013 or the Office 2016 version)</p>
<p>Also supported:</p>
<ul>
<li><p>Visio Pro for Office 365</p></li>
@ -71,6 +70,22 @@ The following table lists the versions of Microsoft Office that App-V supports,
</ul></td>
</tr>
<tr class="even">
<td align="left"><ul>
<li><p>Visio Professional 2016 (C2R-P)</p></li>
<li><p>Visio Standard 2016 (C2R-P)</p></li>
<li><p>Project Professional 2016 (C2R-P)</p></li>
<li><p>Project Standard 2016 (C2R-P)</p></li>
</ul></td>
<td align="left"><p>Office Deployment Tool</p></td>
<td align="left"><p>Volume Licensing</p></td>
<td align="left"><ul>
<li><p>Desktop</p></li>
<li><p>Personal VDI</p></li>
<li><p>Pooled VDI</p></li>
<li><p>RDS</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>Office Professional Plus 2013</p>
<p>Also supported:</p>
<ul>
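Review bot: The new table row lists the four Visio and Project 2016 products with the suffix "(C2R-P)", which is not expanded anywhere in the visible lines. Spell the abbreviation out on first use or add a sentence above the table, since the suffix is the only thing that tells the reader how these Volume Licensing editions differ from the products in the other rows.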
@ -89,12 +104,9 @@ The following table lists the versions of Microsoft Office that App-V supports,
</tbody>
</table>
 
## <a href="" id="bkmk-plan-coexisting"></a>Planning for using App-V with coexisting versions of Office
You can install more than one version of Microsoft Office side by side on the same computer by using “Microsoft Office coexistence.” You can implement Office coexistence with combinations of all major versions of Office and with installation methods, as applicable, by using the Windows Installer-based (MSi) version of Office, Click-to-Run, and App-V. However, using Office coexistence is not recommended by Microsoft.
You can install more than one version of Microsoft Office side by side on the same computer by using “Microsoft Office coexistence.” You can implement Office coexistence with combinations of all major versions of Office and with installation methods, as applicable, by using the Windows Installer-based (MSI) version of Office, Click-to-Run, and App-V. However, using Office coexistence is not recommended by Microsoft.
Microsofts recommended best practice is to avoid Office coexistence completely to prevent compatibility issues. However, when you are migrating to a newer version of Office, issues occasionally arise that cant be resolved immediately, so you can temporarily implement coexistence to help facilitate a faster migration to the latest product version. Using Office coexistence on a long-term basis is never recommended, and your organization should have a plan to fully transition in the immediate future.
@ -115,19 +127,22 @@ Before implementing Office coexistence, review the following Office documentatio
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Office 2016</p></td>
<td align="left"><p>[Information about how to use Outlook 2016 or 2013 and an earlier version of Outlook installed on the same computer](https://support.microsoft.com/kb/2782408)</p></td>
</tr>
<tr class="even">
<td align="left"><p>Office 2013</p></td>
<td align="left"><p>[Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office](http://support.microsoft.com/kb/2784668)</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td align="left"><p>Office 2010</p></td>
<td align="left"><p>[Information about how to use Office 2010 suites and programs on a computer that is running another version of Office](http://support.microsoft.com/kb/2121447)</p></td>
</tr>
</tbody>
</table>
 
The Office documentation provides extensive guidance on coexistence for Windows Installer-based (MSi) and Click-to-Run installations of Office. This App-V topic on coexistence supplements the Office guidance with information that is more specific to App-V deployments.
The Office documentation provides extensive guidance on coexistence for Windows Installer-based (MSI) and Click-to-Run installations of Office. This App-V topic on coexistence supplements the Office guidance with information that is more specific to App-V deployments.
### Supported Office coexistence scenarios
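Review bot: The new Office 2016 row links to `https://support.microsoft.com/kb/2782408`, but the Office 2013 and Office 2010 rows below it still use `http://support.microsoft.com/kb/…`. Those rows are already being touched for the odd/even class swap, so switch both KB links to https in the same change.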
@ -166,11 +181,13 @@ The Windows Installer-based and Click-to-Run Office installation methods integra
<td align="left"><p>Office 2013</p></td>
<td align="left"><p>Always integrated. Windows operating system integrations cannot be disabled.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Office 2016</p></td>
<td align="left"><p>Always integrated. Windows operating system integrations cannot be disabled.</p></td>
</tr>
</tbody>
</table>
 
Microsoft recommends that you deploy Office coexistence with only one integrated Office instance. For example, if youre using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://support.microsoft.com/kb/2830069).
### Known limitations of Office coexistence scenarios
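Review bot: The table now states that Office 2016 is always integrated, but the recommendation paragraph directly below it still gives only the Office 2010 and Office 2013 pairing as its example. Extend that sentence to mention Office 2016 so it is clear the one-integrated-instance recommendation applies there as well.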
@ -183,9 +200,9 @@ The following limitations can occur when you install the following versions of O
- Office 2010 by using the Windows Installer-based version
- Office 2013 by using App-V
- Office 2013 or Office 2016 by using App-V
After you publish Office 2013 by using App-V side by side with an earlier version of the Windows Installer-based Office 2010 might also cause the Windows Installer to start. This is because the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer.
After you publish Office 2013 or Office 2016 by using App-V side by side with an earlier version of the Windows Installer-based Office 2010, it might also cause the Windows Installer to start. This is because the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer.
To bypass the auto-registration operation for native Word 2010, follow these steps:
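Review bot: The reworded sentence after the list still does not read cleanly: "an earlier version of the Windows Installer-based Office 2010" and "it might also cause the Windows Installer to start" leave the subject unclear, and "also" has nothing to refer back to. State plainly what action triggers the Windows Installer. The next sentence also names a "Click-to-Run version of Office 2010" although the list above covers only the Windows Installer-based version, so one of the two should be adjusted.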
@ -215,12 +232,13 @@ To bypass the auto-registration operation for native Word 2010, follow these ste
8. On the File menu, click **Exit** to close Registry Editor.
## <a href="" id="bkmk-office-integration-win"></a>How Office integrates with Windows when you use App-V to deploy Office
When you deploy Office 2013 or Office 2016 by using App-V, Office is fully integrated with the operating system, which provides end users with the same features and functionality as Office has when it is deployed without App-V.
When you deploy Office 2013 by using App-V, Office is fully integrated with the operating system, which provides end users with the same features and functionality as Office has when it is deployed without App-V.
The Office 2013 App-V package supports the following integration points with the Windows operating system:
The Office 2013 or Office 2016 App-V package supports the following integration points with the Windows operating system:
<table>
<colgroup>
@ -235,8 +253,8 @@ The Office 2013 App-V package supports the following integration points with the
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Lync meeting Join Plug-in for Firefox and Chrome</p></td>
<td align="left"><p>User can join Lync meetings from Firefox and Chrome</p></td>
<td align="left"><p>Skype for Business (formerly Lync) meeting Join Plug-in for Firefox and Chrome</p></td>
<td align="left"><p>User can join Skype meetings from Firefox and Chrome</p></td>
</tr>
<tr class="even">
<td align="left"><p>Sent to OneNote Print Driver</p></td>
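Review bot: The description cell says "User can join Skype meetings" while the extension point itself is renamed to "Skype for Business (formerly Lync)". Use "Skype for Business meetings" in the description so it is not read as the consumer Skype client.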
@ -251,8 +269,8 @@ The Office 2013 App-V package supports the following integration points with the
<td align="left"><p>User can send to OneNote from IE</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Firewall Exception for Lync and Outlook</p></td>
<td align="left"><p>Firewall Exception for Lync and Outlook</p></td>
<td align="left"><p>Firewall Exception for Skype for Business (formerly Lync) and Outlook</p></td>
<td align="left"><p>Firewall Exception for Skype for Business (formerly Lync) and Outlook</p></td>
</tr>
<tr class="even">
<td align="left"><p>MAPI Client</p></td>
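Review bot: In the firewall row both cells now read "Firewall Exception for Skype for Business (formerly Lync) and Outlook", so the description column adds nothing to the name column. As the line is being edited anyway, use the description to say what the exception permits, since an administrator reviewing host firewall rules needs that detail.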
@ -307,6 +325,6 @@ Add or vote on suggestions on the [Application Virtualization feedback site](htt
## Related topics
- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
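Review bot: The Office 2010 entry in this list points at `appv-deploying-microsoft-office-2010-wth-appv.md` ("wth"), unlike the `-with-appv.md` names of the 2013 link and the new 2016 link. Confirm that this is the real file name, and that `appv-deploying-microsoft-office-2016-with-appv.md` exists on this branch, so neither link is dead after the merge.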

View File

@ -12,6 +12,12 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## November 2016
| New or changed topic | Description |
| --- | --- |
| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Windows 10 IoT Mobile |
## October 2016
| New or changed topic | Description |
@ -19,7 +25,9 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Manage device restarts after updates](waas-restart.md) | New |
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New |
| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. |
| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. |
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. |
| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. |
## September 2016
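Review bot: `waas-mobile-updates.md` is now listed twice, under November 2016 ("Added Windows 10 IoT Mobile") and in the row added to October 2016 ("Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile"). As this is a merge, check that both entries are intended and are not the same change recorded on two branches. The Cortana row in the same table is also missing the space after the pipe (`|Added`).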

View File

@ -201,7 +201,7 @@ The data gathered at this level includes:
- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
> [!NOTE]
> This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
> This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
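Review bot: The replacement link targets `manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender`, while other files in this commit move away from `#bkmk-…` fragments to heading slugs. Confirm that the target topic still defines the `bkmk-defender` anchor, otherwise this fix trades one broken fragment for another.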

View File

@ -67,7 +67,7 @@ The GPO applies the Start and taskbar layout at the next user sign-in. Each time
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed.
The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users computers when they sign in and the users must have Read-only access to the file. If the file is not available at sign-in, Start and the taskbar are not customized during the session, and the user can make changes to Start.
The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users computers when they sign in and the users must have Read-only access to the file. If the file is not available when the first user signs in, Start and the taskbar are not customized during the session, but the user will be prevented from making changes to Start. On subsequent sign-ins, if the file is available at sign-in, the layout it contains will be applied to the user's Start and taskbar.
For information about deploying GPOs in a domain, see [Working with Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=620889).
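Review bot: "when the first user signs in" in the new sentence is ambiguous: it can mean the first person to sign in on the computer or a given user's first sign-in, and the following sentence ("On subsequent sign-ins") suggests the latter. State which is meant, for example "the first time a user signs in", and say whether the block on changing Start lasts only for that session.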

Some files were not shown because too many files have changed in this diff.