Merge branch 'master' of https://github.com/Microsoft/win-cpub-itpro-docs into vso-9235427

devices/hololens/hololens-provisioning.md

@@ -101,7 +101,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
 
 Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
 
-In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.co/library/windows/hardware/dn920025.aspx#HoloLens). The following table describes settings that you might want to configure for HoloLens.
+In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens). The following table describes settings that you might want to configure for HoloLens.
 
 ![Common runtime settings for HoloLens](images/icd-settings.png)
 

windows/deploy/troubleshoot-upgrade-analytics.md

@@ -1,4 +1,4 @@
----
+---
 title: Troubleshoot Upgrade Analytics (Windows 10)
 description: Provides troubleshooting information for Upgrade Analytics.
 ms.prod: w10
@@ -25,9 +25,14 @@ If you still don’t see data in Upgrade Analytics, follow these steps:
 
 If you want to stop using Upgrade Analytics and stop sending telemetry data to Microsoft, follow these steps:
 
-1.  Unsubscribe from the Upgrade Analytics solution in the OMS portal.
+1.  Unsubscribe from the Upgrade Analytics solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.
 
-2.  Disable the Customer Experience Improvement Program on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to Security.
+  ![Upgrade Analytics unsubscribe](images/upgrade-analytics-unsubscribe.png)
 
-3.  Delete the CommercialDataOptin key in *HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection*
+2.  Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to **Security**:
 
+  **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
+  **Windows 10**: Follow the instructions in the [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#enterprise-management) topic.
+
+3.	If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0".  The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
+4.	You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**.

windows/deploy/windows-10-poc.md

@@ -840,7 +840,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     Restart-Computer
     </pre>
 
-    >If you do not see the script pane, click **View** and then click **Show Script Pane Top**.
+    >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. 
     
     See the following example:
 
@@ -853,7 +853,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
     </pre>
 
-    >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not installed, you can try updating integration services on the VM. This can be done by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server operating systems that are running the Hyper-V role service. Otherwise, just create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. Be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
+    >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not installed, you can try updating integration services on the VM. This can be done by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server operating systems that are running the Hyper-V role service. 
+    
+    If the copy-vmfile command does not work and you cannot properly upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
 
 21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
 
@@ -968,7 +970,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days.  To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
 
     <pre style="overflow-y: visible">
-    runas /noprofile /env /user:administrator@contoso.com "cmd slmgr -rearm"
+    runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
     Restart-Computer
     </pre>
 
@@ -993,6 +995,8 @@ Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
 Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
 </pre>
 
+This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
+
 ## Appendix A: Verify the configuration
 
 Use the following procedures to verify that the PoC environment is configured properly and working as expected.

windows/keep-secure/TOC.md

@@ -31,6 +31,7 @@
 ##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
 #### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
 #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
+#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md)
 ### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
 ### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
 ### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)

windows/keep-secure/change-history-for-keep-windows-10-secure.md

@@ -15,6 +15,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 ## January 2017
 |New or changed topic |Description |
 |---------------------|------------|
+|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |New |
 |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. |
 |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New |
 |[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New |

windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md

@@ -26,13 +26,14 @@ The credentials are put in Credential Manager as a "`*Session`" credential.
 A "`*Session`" credential implies that it is valid for the current user session. 
 The credentials are also cleaned up when the WiFi or VPN connection is disconnected. 
 
-When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so WinInit.exe can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. 
+When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. 
 For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations). 
 
-WinInit.exe will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. 
+WinInet will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. 
 If the app is not UWP, it does not matter. 
 But if it is a UWP app, it will look at the device capability for Enterprise Authentication. 
 If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
+This behavior helps prevent credentials from being misused by untrusted third parties.  
 
 ## Intranet zone
 
@@ -68,9 +69,26 @@ The username should also include a domain that can be reached over the connectio
 
 If the credentials are certificate-based, then the elements in the following table need to be configured for the certificate templates to ensure they can also be used for Kerberos client authentication.
 
-| TEmplate element | Configuration |
+| Template element | Configuration |
 |------------------|---------------|
 | SubjectName | The user’s distinguished name (DN) where the domain components of the distinguished name reflects the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller. </br>This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located. |
 | SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace.</br>This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. |
-| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. This certificate must be issued using the PassportForWork CSP. |
-| EnhancedKeyUsage | One or more of the following EKUs is required: </br>- Client Authentication (for the VPN) </br>- EAP Filtering OID (for PassportForWork)</br>- SmartCardLogon (for Azure AD joined devices)</br>If the domain controllers require smart card EKU either:</br>- SmartCardLogon</br>- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)</br>Otherwise:</br>- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) |
+| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. |
+| EnhancedKeyUsage | One or more of the following EKUs is required: </br>- Client Authentication (for the VPN) </br>- EAP Filtering OID (for Windows Hello for Business)</br>- SmartCardLogon (for Azure AD joined devices)</br>If the domain controllers require smart card EKU either:</br>- SmartCardLogon</br>- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)</br>Otherwise:</br>- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) |
+
+## NDES server configuration
+
+The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used. 
+For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/en-us/intune/deploy-use/Configure-certificate-infrastructure-for-scep). 
+
+## Active Directory requirements
+
+You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well. 
+
+The domain controllers will need to have appropriate KDC certificates for the client to trust them as domain controllers, and since phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
+
+The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication. 
+This is because Windows 10 Mobile requires strict KDC validation to be enabled. 
+This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server. 
+For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382). 
+

windows/keep-secure/overview-create-wip-policy.md

@@ -24,6 +24,7 @@ Microsoft Intune and System Center Configuration Manager helps you create and de
 |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
 |[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
 |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
+|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
 
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

windows/keep-secure/wip-app-enterprise-context.md

@@ -0,0 +1,55 @@
+---
+title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10)
+description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Task Manager, app context, enterprise context
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+---
+
+# Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
+**Applies to:**
+
+-   Windows 10, version 1607
+-   Windows 10 Mobile
+
+>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+
+Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to make sure that your organization's policies are applied and running correctly.
+
+## Viewing the Enterprise Context column in Task Manager
+You need to add the Enterprise Context column to the **Details** tab of the Task Manager.
+
+1. Make sure that you have an active WIP policy deployed and turned on in your organization.
+
+2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**.
+
+    The **Select columns** box appears.
+
+    ![Task Manager, Select column box with Enterprise Context option selected](images/wip-select-column.png)
+
+3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box.
+
+    The **Enterprise Context** column should now be available in Task Manager.
+
+    ![Task Manager, Enterprise Context column highlighted](images/wip-taskmgr.png)
+
+## Review the Enterprise Context
+The **Enterprise Context** column shows you what each app can do with your enterprise data:
+
+- **Domain.** Shows the employee's work domain (such as, corp.contoso.com). This app is considered work-related and can freely touch and open work data and resources.
+
+- **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources.
+
+- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
+
+    >[!IMPORTANT]
+    >Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
+
+
+
+
+
+