diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index 680e73b52a..05fc597867 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -9,109 +9,123 @@ title: Available policies for Microsoft Edge (Microsoft Edge for IT Pros)
localizationpriority: high
---
-# Available policies for Microsoft Edge
+# Available Group Policy and Mobile Data Management (MDM) settings policies for Microsoft Edge
**Applies to:**
-- Windows 10
-- Windows 10 Mobile
+- Windows 10, Windows Insider Program
+- Windows 10 Mobile, Windows Insider Program
Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
-> **Note**
-> For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows Powershell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
+> [!NOTE]
+> For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
## Group Policy settings
Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations:
-| Policy name |Supported versions |Description |Options |
+|Policy name|Supported versions|Description|Options|
|-------------|------------|-------------|--------|
-|Allow Developer Tools |Windows 10, Version 1511 or later |This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.
If you enable or don’t configure this setting, the F12 Developer Tools are available in Microsoft Edge.
If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge. |**Enabled or not configured (default):** Shows the F12 Developer Tools on Microsoft Edge.
**Disabled:** Hides the F12 Developer Tools on Microsoft Edge. | -|Allow InPrivate browsing |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can browse using InPrivate website browsing.
If you enable or don’t configure this setting, employees can use InPrivate website browsing.
If you disable this setting, employees can’t use InPrivate website browsing. |**Enabled or not configured (default):** Lets employees use InPrivate website browsing.
**Disabled:** Stops employees from using InPrivate website browsing. | -|Allow web content on New Tab page |Windows 10 or later |This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it.
If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.
If you disable this setting, Microsoft Edge opens a new tab with a blank page.
If you don’t configure this setting, employees can choose how new tabs appears. |**Not configured (default):** Employees see web content on New Tab page, but can change it.
**Enabled:** Employees see web content on New Tab page.
**Disabled:** Employees always see an empty new tab. | -|Configure Autofill |Windows 10 or later |This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill.
If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge.
If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge.
If you don’t configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge. |**Not configured (default):** Employees can choose to turn Autofill on or off.
**Enabled:** Employees can use Autofill to complete form fields.
**Disabled:** Employees can’t use Autofill to complete form fields. | -|Configure cookies |Windows 10 or later|This setting lets you configure how to work with cookies.
If you enable this setting, you must also decide whether to:
If you disable or don't configure this setting, all cookies are allowed from all sites. |**Enabled:** Lets you decide how your company treats cookies.
If you use this option, you must also choose whether to:
**Disabled or not configured:** All cookies are allowed from all sites.| -|Configure Do Not Track |Windows 10 or later |This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests.
If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info.
If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info.
If you don’t configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info. |**Not configured (default):** Employees can choose to send Do Not Track headers on or off.
**Enabled:** Employees can send Do Not Track requests to websites requesting tracking info.
**Disabled:** Employees can’t send Do Not Track requests to websites requesting tracking info. | -|Allow Extensions |Windows 10, Version 1607 or later |This policy setting lets you decide whether employees can use Edge Extensions.
If you enable or don’t configure this setting, employees can use Edge Extensions.
If you disable this setting, employees can’t use Edge Extensions. |**Enabled or not configured:** Lets employees use Edge Extensions.
**Disabled:** Stops employees from using Edge Extensions. | -|Configure Favorites |Windows 10, Version 1511 or later |This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.
If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.
If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub. |**Enabled:** Configure the default list of Favorites for your employees. If you use this option, you must also add the URLs to the sites.
**Disabled or not configured:** Uses the Favorites list and URLs specified in the Favorites hub. | -|Configure Home pages |Windows 10, Version 1511 or later |This policy setting lets you configure one or more Home pages. for domain-joined devices. Your employees won't be able to change this after you set it.
If you enable this setting, you can configure one or more Home pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format: If you disable or don’t configure this setting, your default Home page is the webpage specified in App settings. |**Enabled:** Configure your Home pages. If you use this option, you must also include site URLs. **Disabled or not configured (default):** Uses the Home pages and URLs specified in the App settings. |
-|Configure Password Manager |Windows 10 or later |This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on. If you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting, employees can’t use Password Manager to save their passwords locally. If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally. |**Not configured:** Employees can choose whether to use Password Manager. **Enabled (default):** Employees can use Password Manager to save passwords locally. **Disabled:** Employees can't use Password Manager to save passwords locally. |
-|Configure Pop-up Blocker |Windows 10 or later |This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on. If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing. If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear. If you don’t configure this setting, employees can choose whether to use Pop-up Blocker. |**Enabled or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows. **Disabled:** Turns off Pop-up Blocker, allowing pop-up windows. |
-|Configure search suggestions in Address bar |Windows 10 or later |This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge. If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge. If you don’t configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. |**Not configured (default):** Employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. **Enabled:** Employees can see search suggestions in the Address bar of Microsoft Edge. **Disabled:** Employees can’t see search suggestions in the Address bar of Microsoft Edge. |
-|Configure SmartScreen Filter |Windows 10 or later |This policy setting lets you configure whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, SmartScreen Filter is turned on. If you enable this setting, SmartScreen Filter is turned on and employees can’t turn it off. If you disable this setting, SmartScreen Filter is turned off and employees can’t turn it on. If you don’t configure this setting, employees can choose whether to use SmartScreen Filter. |**Not configured (default):** Employees can choose whether to use SmartScreen Filter. **Enabled:** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software. **Disabled:** Turns off SmartScreen Filter. |
-|Configure the Enterprise Mode Site List |Windows 10 or later| This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. If you disable or don’t configure this setting, Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. **Note** If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.|**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured. If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11. **Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List.|
-|Prevent access to the about:flags page |Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. If you enable this policy setting, employees can’t access the about:flags page. If you disable or don’t configure this setting, employees can access the about:flags page. |**Enabled:** Stops employees from using the about:flags page. **Disabled or not configured (default):** Lets employees use the about:flags page. |
-|Prevent bypassing SmartScreen prompts for files |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files. If you enable this setting, employees can’t ignore SmartScreen Filter warnings and they’re blocked from downloading the unverified files. If you disable or don’t configure this setting, employees can ignore SmartScreen Filter warnings and continue the download process. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about unverified files. **Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about unverified files and lets them continue the download process. |
-|Prevent bypassing SmartScreen prompts for sites |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites. If you enable this setting, employees can’t ignore SmartScreen Filter warnings and they’re blocked from continuing to the site. If you disable or don’t configure this setting, employees can ignore SmartScreen Filter warnings and continue to the site. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about potentially malicious sites. **Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about potentially malicious sites and continue to the site. |
-|Prevent using Localhost IP address for WebRTC |Windows 10, Version 1511 or later |This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off. If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol. If you disable or don’t configure this setting, Localhost IP addresses are shown while making calls using the WebRTC protocol. |**Enabled:** Hides the Localhost IP address during calls using the WebRTC protocol. **Disabled or not configured (default):** Shows the Localhost IP address during phone calls using the WebRTC protocol. |
-|Send all intranet sites to Internet Explorer 11 |Windows 10 or later |This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11. If you disable or don’t configure this setting, all websites, including intranet sites, are automatically opened using Microsoft Edge. |**Enabled:** Automatically opens all intranet sites using Internet Explorer 11. **Disabled or not configured (default):** Automatically opens all websites, including intranet sites, using Microsoft Edge. |
-|Show message when opening sites in Internet Explorer |Windows 10, Version 1607 and later |This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. If you disable or don’t configure this setting, the default app behavior occurs and no additional page appears. |**Enabled:** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. **Disabled or not configured (default):** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. |
+|Allow Address bar drop-down list suggestions|Windows 10, Windows Insider Program|This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. **Note** If you enable or don't configure this setting, employees can see the Address bar drop-down functionality in Microsoft Edge. If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".|**Enabled or not configured (default):** Employees can see the Address bar drop-down functionality in Microsoft Edge. **Disabled:** Employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".|
+|Allow Adobe Flash|Windows 10 or later|This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. If you enable or don't configure this setting, employees can use Adobe Flash. If you disable this setting, employees can't use Adobe Flash.|**Enabled or not configured (default):** Employees use Adobe Flash in Microsoft Edge. **Disabled:** Employees can’t use Adobe Flash.|
+|Allow clearing browsing data on exit|Windows 10, Windows Insider Program|This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes. If you enable this policy setting, clearing browsing history on exit is turned on. If you disable or don't configure this policy setting, it can be turned on and configured by the employee in the Clear browsing data options area, under Settings.|**Enabled:** Turns on the automatic clearing of browsing data when Microsoft Edge closes. **Disabled or not configured (default):** Employees can turn on and configure whether to automatically clear browsing data when Microsoft Edge closes in the Clear browsing data options area under Settings.|
+|Allow Developer Tools|Windows 10, Version 1511 or later|This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. If you enable or don’t configure this setting, the F12 Developer Tools are available in Microsoft Edge. If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge.|**Enabled or not configured (default):** Shows the F12 Developer Tools on Microsoft Edge. **Disabled:** Hides the F12 Developer Tools on Microsoft Edge.|
+|Allow Extensions|Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can use Edge Extensions. If you enable or don’t configure this setting, employees can use Edge Extensions. If you disable this setting, employees can’t use Edge Extensions.|**Enabled or not configured:** Lets employees use Edge Extensions. **Disabled:** Stops employees from using Edge Extensions.|
+|Allow InPrivate browsing|Windows 10, Version 1511 or later|This policy setting lets you decide whether employees can browse using InPrivate website browsing. If you enable or don’t configure this setting, employees can use InPrivate website browsing. If you disable this setting, employees can’t use InPrivate website browsing.|**Enabled or not configured (default):** Lets employees use InPrivate website browsing. **Disabled:** Stops employees from using InPrivate website browsing.|
+|Allow Microsoft Compatibility List|Windows 10, Version 1607 or later|This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly. If you disable this setting, the Microsoft Compatibility List isn’t used during browser navigation.|**Enabled or not configured (default):** Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly. **Disabled:** Microsoft Edge doesn’t use the Microsoft Compatibility List during browser navigation.|
+|Allow search engine customization|Windows 10, Windows Insider Program|This policy setting lets you decide whether users can change their search engine. **Important** If you enable or don't configure this policy, users can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings. If you disable this setting, users can't add search engines or change the default used in the address bar.|**Enabled or not configured (default):** Employees can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings. **Disabled:** Employees can't add search engines or change the default used in the Address bar.|
+|Allow web content on New Tab page|Windows 10 or later|This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it. If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you don’t configure this setting, employees can choose how new tabs appears.|**Not configured (default):** Employees see web content on New Tab page, but can change it. **Enabled:** Employees see web content on New Tab page. **Disabled:** Employees always see an empty new tab.|
+|Configure additional search engines|Windows 10, Windows Insider Program|This policy setting lets you add up to 5 additional search engines, which can't be removed by your employees, but can be made a personal default engine. This setting doesn't set the default search engine. For that, you must use the "Set default search engine" setting. **Important** If you enable this setting, you can add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link(s) you wish to add: If you disable this setting, any added search engines are removed from your employee's devices. If you don't configure this setting, the search engine list is set to what is specified in App settings.|**Enabled:** Add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. **Disabled (default):** Any additional search engines are removed from your employee's devices. **Not configured:** Search engine list is set to what is specified in App settings.|
+|Configure Autofill|Windows 10 or later|This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill. If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge. If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge. If you don’t configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge.|**Not configured (default):** Employees can choose to turn Autofill on or off. **Enabled:** Employees can use Autofill to complete form fields. **Disabled:** Employees can’t use Autofill to complete form fields.|
+|Configure cookies|Windows 10 or later|This setting lets you configure how to work with cookies. If you enable this setting, you must also decide whether to: If you disable or don't configure this setting, all cookies are allowed from all sites.|**Enabled:** Lets you decide how your company treats cookies. **Disabled or not configured:** All cookies are allowed from all sites.|
+|Configure Do Not Track|Windows 10 or later|This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests. If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info. If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info. If you don’t configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info.|**Not configured (default):** Employees can choose to send Do Not Track headers on or off. **Enabled:** Employees can send Do Not Track requests to websites requesting tracking info. **Disabled:** Employees can’t send Do Not Track requests to websites requesting tracking info.|
+|Configure Favorites|Windows 10, Version 1511 or later|This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time. If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed. If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub.|**Enabled:** Configure the default list of Favorites for your employees. If you use this option, you must also add the URLs to the sites. **Disabled or not configured:** Uses the Favorites list and URLs specified in the Favorites hub.|
+|Configure Password Manager|Windows 10 or later|This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on. If you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting, employees can’t use Password Manager to save their passwords locally. If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally.|**Not configured:** Employees can choose whether to use Password Manager. **Enabled (default):** Employees can use Password Manager to save passwords locally. **Disabled:** Employees can't use Password Manager to save passwords locally.|
+|Configure Pop-up Blocker|Windows 10 or later|This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on. If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing. If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear. If you don’t configure this setting, employees can choose whether to use Pop-up Blocker.|**Enabled or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows. **Disabled:** Turns off Pop-up Blocker, allowing pop-up windows.|
+|Configure search suggestions in Address bar|Windows 10 or later|This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge. If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge. If you don’t configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.|**Not configured (default):** Employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. **Enabled:** Employees can see search suggestions in the Address bar of Microsoft Edge. **Disabled:** Employees can’t see search suggestions in the Address bar of Microsoft Edge.|
+|Configure Start pages|Windows 10, Version 1511 or later|This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it. If you enable this setting, you can configure one or more Start pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format: If you disable or don’t configure this setting, your default Start page is the webpage specified in App settings.|**Enabled:** Configure your Start pages. If you use this option, you must also include site URLs. **Disabled or not configured (default):** Uses the Home pages and URLs specified in the App settings.|
+|Configure the Adobe Flash Click-to-Run setting|Windows 10, Windows Insider Program|This policy setting lets you decide whether employees must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. If you enable or don’t configure the Adobe Flash Click-to-Run setting, an employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. **Important** If you disable this setting, Adobe Flash content is automatically loaded and run by Microsoft Edge.|**Enabled or not configured:** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. **Disabled:** Adobe Flash content is automatically loaded and run by Microsoft Edge.|
+|Configure the Enterprise Mode Site List|Windows 10 or later|This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. If you disable or don’t configure this setting, Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. **Note** If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.|**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured. If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11. **Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List.|
+|Configure Windows Defender SmartScreen|Windows 10 or later|This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. If you enable this setting, Windows Defender SmartScreen is turned on and employees can’t turn it off. If you disable this setting, Windows Defender SmartScreen is turned off and employees can’t turn it on. If you don’t configure this setting, employees can choose whether to use Windows Defender SmartScreen.|**Not configured (default):** Employees can choose whether to use Windows Defender SmartScreen. **Enabled:** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software. **Disabled:** Turns off Windows Defender SmartScreen.|
+|Disable lockdown of Start pages|Windows 10, Windows Insider Program|This policy setting lets you disable the lock down of Start pages, letting employees modify the Start pages when the "Configure Start pages" setting is in effect. **Note** **Important** If you enable this setting, you can't lock down any Start pages that are configured using the "Configure Start pages" setting, which means that employees can modify them. If you disable or don't configure this setting, employees can't change any Start pages configured using the "Configure Start pages" setting, thereby locking down the Start pages.|**Enabled:** You’re unable to lock down any Start pages that are configured using the "Configure Start pages" setting, which means that your employees can modify them. **Disabled or not configured (default):** Employees can't change any Start pages configured using the "Configure Start pages" setting.|
+|Keep favorites in sync between Internet Explorer and Microsoft Edge|Windows 10, Windows Insider Program|This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge. If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting, employees can’t sync their favorites between Internet Explorer and Microsoft Edge.|**Enabled:** Employees can sync their Favorites between Internet Explorer and Microsoft Edge. **Disabled or not configured (default):** Employees can’t sync their Favorites between Internet Explorer and Microsoft Edge.|
+|Prevent access to the about:flags page|Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. If you enable this policy setting, employees can’t access the about:flags page. If you disable or don’t configure this setting, employees can access the about:flags page.|**Enabled:** Stops employees from using the about:flags page. **Disabled or not configured (default):** Lets employees use the about:flags page.|
+|Prevent bypassing Windows Defender SmartScreen prompts for files|Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from downloading the unverified files. If you disable or don’t configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue the download process.|**Enabled:** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files. **Disabled or not configured (default):** Lets employees ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.|
+|Prevent bypassing Windows Defender SmartScreen prompts for sites|Windows 10, Version 1511 or later|This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from continuing to the site. If you disable or don’t configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue to the site.|**Enabled:** Stops employees from ignoring the Windows Defender SmartScreen warnings about potentially malicious sites. **Disabled or not configured (default):** Lets employees ignore the Windows Defender SmartScreen warnings about potentially malicious sites and continue to the site.|
+|Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start|Windows 10, Windows Insider Program|This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu. If you disable or don't configure this setting, Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.|**Enabled:** Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu. **Disabled or not configured (default):** Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.|
+|Prevent the First Run webpage from opening on Microsoft Edge|Windows 10, Windows Insider Program|This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time. If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time. If you disable or don't configure this setting, employees will see the First Run page when opening Microsoft Edge for the first time.|**Enabled:** Employees won't see the First Run page when opening Microsoft Edge for the first time. **Disabled or not configured (default):** Employees will see the First Run page when opening Microsoft Edge for the first time.|
+|Prevent using Localhost IP address for WebRTC|Windows 10, Version 1511 or later|This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off. If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol. If you disable or don’t configure this setting, Localhost IP addresses are shown while making calls using the WebRTC protocol.|**Enabled:** Hides the Localhost IP address during calls using the WebRTC protocol. **Disabled or not configured (default):** Shows the Localhost IP address during phone calls using the WebRTC protocol.|
+|Send all intranet sites to Internet Explorer 11|Windows 10 or later|This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11. If you disable or don’t configure this setting, all websites, including intranet sites, are automatically opened using Microsoft Edge.|**Enabled:** Automatically opens all intranet sites using Internet Explorer 11. **Disabled or not configured (default):** Automatically opens all websites, including intranet sites, using Microsoft Edge.|
+|Set default search engine|Windows 10, Windows Insider Program|This policy setting lets you configure the default search engine for your employees. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes. **Important** If you enable this setting, you can choose a default search engine for your employees. If this setting is enabled, you must also add the default engine to the “Set default search engine” setting, by adding a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link you wish to add: **Note** If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market. If you don't configure this setting, the default search engine is set to the one specified in App settings.|**Enabled:** You can choose a default search engine for your employees. **Disabled:** The policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market. **Not configured (default):** The default search engine is set to the one specified in App settings.|
+|Show message when opening sites in Internet Explorer|Windows 10, Version 1607 and later|This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. If you disable or don’t configure this setting, the default app behavior occurs and no additional page appears.|**Enabled:** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. **Disabled or not configured (default):** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.|
-## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge
+## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge
If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page.
-> **Note** **Note** If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. **Example:** **Note** **Example:** **Example:** **Note** If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. **Example:** **Note** **Example:** **Example:** **Disabled:** Stops employees from using Cortana on their devices. **Note** Employees can still perform searches even with Cortana turned off. |
-|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync |Whether employees can use the **Sync your Settings** options to sync their settings to and from their device. |**Enabled:** Turns off the **Sync your Settings** options and none of the **Sync your Setting** groups are synced on the device. You can use the **Allow users to turn syncing on** option to turn the feature off by default, but to let the employee change this setting. **Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting employees pick what can sync on their device. |
-|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings |Whether a browser group can use the **Sync your Settings** options to sync their info to and from their device. This includes settings and info like **History** and Favorites. |**Enabled:** Turns off the **Sync your Settings** options so that browser groups are unable to sync their settings and info. You can use the **Allow users to turn browser syncing on** option to turn the feature off by default, but to let the employee change this setting. **Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting browser groups pick what can sync on their device. |
+|Group Policy setting|Description|Options|
+|--------------------|--------------|---------|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Whether employees can use Cortana.|**Enabled or not configured:** Employees can use Cortana on their devices. **Disabled:** Stops employees from using Cortana on their devices. **Note** Employees can still perform searches even with Cortana turned off.|
+|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync|Whether employees can use the **Sync your Settings** options to sync their settings to and from their device.|**Enabled:** Turns off the **Sync your Settings** options and none of the **Sync your Setting** groups are synced on the device. You can use the **Allow users to turn syncing on** option to turn the feature off by default, but to let the employee change this setting. **Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting employees pick what can sync on their device.|
+|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings|Whether a browser group can use the **Sync your Settings** options to sync their info to and from their device. This includes settings and info like **History** and Favorites.|**Enabled:** Turns off the **Sync your Settings** options so that browser groups are unable to sync their settings and info. You can use the **Allow users to turn browser syncing on** option to turn the feature off by default, but to let the employee change this setting. **Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting browser groups pick what can sync on their device.|
## Microsoft Edge and Windows 10-specific MDM policy settings
These are additional Windows 10-specific MDM policy settings that work with Microsoft Edge.
-|MDM Policy name |Supports |Details |
-|----------------|--------------|------------------- |
-|AllowCortana |Both |
-[Windows 10 editions for education customers](windows-editions-for-education-customers.md) [Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
-[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools) [Windows 10 editions for education customers](windows-editions-for-education-customers.md) [Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) [Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
-[Provisioning options for Windows 10](set-up-windows-10.md)
+[Provisioning options for Windows 10](set-up-windows-10.md)
[Get Minecraft Education Edition](get-minecraft-for-education.md) [Take tests in Windows 10](take-tests-in-windows-10.md) [Chromebook migration guide](chromebook-migration-guide.md) [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
- [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
- [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) Try it out: Windows 10 deployment (for education) [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) Windows 8.1 deployment planning Windows 8.1 deployment to PCs BYOD Deploying Windows RT 8.1 Virtual Desktop Infrastructure Windows Store apps Windows To Go Note: Windows 10 LTSB is not supported by Upgrade Readiness. See [Upgrade readiness requirements](upgrade-readiness-requirements.md) for more information. |
+| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978) Important: Important: Notes: Important: Important: Notes: [Windows Store for Business](windows-store-for-business.md) Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. [Windows Libraries](windows-libraries.md) Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music). [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).
`
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting.
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
`
If you use this option, you must also choose whether to:
`
Sites are put on the auto-allowed list based on how frequently employees load and run the content.
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
This setting only applies when you're using the “Configure Start pages" setting.
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
`https://fabrikam.com/opensearch.xml`
If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING.
+> [!NOTE]
> The **Supports** column uses these options:
-
-- **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only.
-
-- **Mobile.** Supports Windows 10 Mobile devices only.
-
-- **Both.** Supports both desktop and mobile devices.
+> - **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only.
+> - **Mobile.** Supports Windows 10 Mobile devices only.
+> - **Both.** Supports both desktop and mobile devices.
All devices must be enrolled with Intune if you want to use the Windows Custom URI Policy.
-| Policy name |Supported versions |Supported device |Details |
+|Policy name|Supported versions|Supported device|Details|
|-------------|-------------------|-----------------|--------|
-|AllowAutofill|Windows 10 or later |Desktop |
-|AllowBrowser |Windows 10 or later |Mobile |
|
-|AllowCookies |Windows 10 or later |Both |
|
-|AllowDeveloperTools |Windows 10, Version 1511 or later |Desktop |
|
-|AllowDoNotTrack |Windows 10 or later |Both |
|
-|AllowExtensions |Windows 10, Version 1607 and later |Desktop |
|
-|AllowInPrivate |Windows 10, Version 1511 or later |Both |
|
-|AllowPasswordManager |Windows 10 or later |Both |
|
-|AllowPopups |Windows 10 or later |Desktop |
|
-|AllowSearchSuggestions
inAddressBar |Windows 10 or later |Both |
|
-|AllowSmartScreen |Windows 10 or later |Both |
|
-|EnterpriseModeSiteList |Windows 10 or later |Desktop |
|
-|Favorites |Windows 10, Version 1511 or later |Both |
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
|
-|FirstRunURL |Windows 10, Version 1511 or later |Mobile |
`
`
URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11.
|
-|HomePages |Windows 10, Version 1511 or later |Desktop |
`
|
-|PreventAccessToAbout
`
FlagsInMicrosoftEdge |Windows 10, Version 1607 and later |Desktop |
|
-|PreventSmartScreen
PromptOverride |Windows 10, Version 1511 or later |Both |
|
-|PreventSmartScreen
PromptOverrideFor
Files |Windows 10, Version 1511 or later |Both |
|
-|PreventUsingLocalHost
IPAddressForWebRTC |Windows 10, Version 1511 or later |Desktop |
|
-|SendIntranetTraffic
toInternetExplorer |Windows 10 or later |Desktop |
|
-|ShowMessageWhen
OpeningInteretExplorer
Sites |Windows 10, Version 1607 and later |Desktop |
|
+|AllowAddressBarDropdown|Windows 10, Windows Insider Program|Desktop|
|
+|AllowAutofill|Windows 10 or later|Desktop|
|
+|AllowBrowser|Windows 10 or later|Mobile|
|
+|AllowCookies|Windows 10 or later|Both|
|
+|AllowDeveloperTools|Windows 10, Version 1511 or later|Desktop|
|
+|AllowDoNotTrack|Windows 10 or later|Both|
|
+|AllowExtensions|Windows 10, Version 1607 and later|Desktop|
|
+|AllowFlash|Windows 10 or later|Desktop|
|
+|AllowFlashClickToRun|Windows 10, Windows Insider Program|Desktop|
|
+|AllowInPrivate|Windows 10, Version 1511 or later|Both|
|
+|AllowMicrosoftCompatibilityList|Windows 10, Windows Insider Program|Both|
|
+|AllowPasswordManager|Windows 10 or later|Both|
|
+|AllowPopups|Windows 10 or later|Desktop|
|
+|AllowSearchEngineCustomization|Windows 10, Windows Insider Program|Both|
|
+|AllowSearchSuggestions
inAddressBar|Windows 10 or later|Both|
|
+|AllowSmartScreen|Windows 10 or later|Both|
|
+|ClearBrowsingDataOnExit|Windows 10, Windows Insider Program|Both|
|
+|ConfigureAdditionalSearchEngines|Windows 10, Windows Insider Program|Both|
|
+|DisableLockdownOfStartPages|Windows 10, Windows Insider Program|Desktop|
|
+|EnterpriseModeSiteList|Windows 10 or later|Desktop|
|
+|Favorites|Windows 10, Version 1511 or later|Both|
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
|
+|FirstRunURL|Windows 10, Version 1511 or later|Mobile|
`
`
URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11.
|
+|HomePages|Windows 10, Version 1511 or later|Desktop|
`
|
+|PreventAccessToAbout
`
FlagsInMicrosoftEdge|Windows 10, Version 1607 and later|Desktop|
|
+|PreventFirstRunPage|Windows 10, Windows Insider Program|Both|
|
+|PreventLiveTileDataCollection|Windows 10, Windows Insider Program|Both|
|
+|PreventSmartScreenPromptOverride|Windows 10, Version 1511 or later|Both|
|
+|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 or later|Both|
|
+|PreventUsingLocalHost
IPAddressForWebRTC|Windows 10, Version 1511 or later|Desktop|
|
+|SendIntranetTraffic
toInternetExplorer|Windows 10 or later|Desktop|
|
+|SetDefaultSearchEngine|Windows 10, Windows Insider Program|Both|
|
+|ShowMessageWhen
OpeningInteretExplorer
Sites|Windows 10, Version 1607 and later|Desktop|
|
+|SyncFavoritesBetweenIEAndMicrosoftEdge|Windows 10, Windows Insider Program|Desktop|
|
+
## Microsoft Edge and Windows 10-specific Group Policy settings
These are additional Windows 10-specific Group Policy settings that work with Microsoft Edge.
-|Group Policy setting |Description |Options |
-| --------------------|--------------|---------|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Whether employees can use Cortana. |**Enabled or not configured:** Employees can use Cortana on their devices.
|
-|AllowSyncMySettings |Desktop |
|
+|MDM Policy name|Supports|Details|
+|----------------|--------------|-------------------|
+|AllowCortana|Both|
|
+|AllowSyncMySettings|Desktop|
|
## Related topics
* [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514)
-* [Mobile Data Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)
-
-
-
-
-
-
-
-
+* [Mobile Data Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)
\ No newline at end of file
diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md
index f188b5e0ee..9501635fa9 100644
--- a/browsers/edge/change-history-for-microsoft-edge.md
+++ b/browsers/edge/change-history-for-microsoft-edge.md
@@ -12,6 +12,11 @@ This topic lists new and updated topics in the Microsoft Edge documentation for
For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/).
+## February 2017
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. |
+
## November 2016
|New or changed topic | Description |
|----------------------|-------------|
diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
index 4cabfa693f..fefb61f858 100644
--- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
+++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
@@ -29,7 +29,7 @@ If you're having trouble deciding whether Microsoft Edge is good for your organi

[Click to enlarge](img-microsoft-edge-infographic-lg.md)
-[Click to download image](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
+[Click to download image](https://www.microsoft.com/download/details.aspx?id=53892)
### Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
@@ -50,10 +50,10 @@ IE11 offers enterprises additional security, manageability, performance, backwar
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
## Related topics
-- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
-- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
-- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
+- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=53892)
+- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx)
+- [Download Internet Explorer 11](http://windows.microsoft.com/internet-explorer/download-ie)
- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
-- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index)
-- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
\ No newline at end of file
+- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/itpro/internet-explorer/ie11-ieak/index)
+- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
\ No newline at end of file
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index 06b5f7dd0a..d229e05de5 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -277,7 +277,7 @@ Changes to volume levels can be sent by a room control system, or other system.
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index c2c0340c07..f47b4a68e2 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -12,7 +12,6 @@
## [Take tests in Windows 10 ](take-tests-in-windows-10.md)
### [Set up Take a Test on a single PC](take-a-test-single-pc.md)
### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
-### [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md)
### [Take a Test app technical reference](take-a-test-app-technical.md)
## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index 0bc2dc5bbc..e83f98b49f 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
-author: jdeckerMS
+author: CelesteDG
---
# Change history for Windows 10 for Education
diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md
index 64a6208970..c2df9fb7ba 100644
--- a/education/windows/create-tests-using-microsoft-forms.md
+++ b/education/windows/create-tests-using-microsoft-forms.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
+redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms
---
# Create tests using Microsoft Forms
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 200b8a1ce9..91345b72c1 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -5,7 +5,7 @@ keywords: school
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-author: jdeckerMS
+author: trudyha
---
# Get Minecraft: Education Edition
diff --git a/education/windows/images/take_a_test_flow.png b/education/windows/images/take_a_test_flow.png
new file mode 100644
index 0000000000..261813c7f8
Binary files /dev/null and b/education/windows/images/take_a_test_flow.png differ
diff --git a/education/windows/images/take_a_test_workflow.png b/education/windows/images/take_a_test_workflow.png
new file mode 100644
index 0000000000..a4c7a84686
Binary files /dev/null and b/education/windows/images/take_a_test_workflow.png differ
diff --git a/education/windows/index.md b/education/windows/index.md
index 549abcd666..9554614c4c 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -14,42 +14,76 @@ author: CelesteDG
# Windows 10 for Education
-##  Learn
+## Windows 10
+
+###  Learn
Command
State change
-Response
+Response(On in [Replacement PC mode](connect-and-display-with-surface-hub.md#replacement-pc-mode))
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
Find out more about the features and functionality we support in each edition of Windows.
When you've made your decision, find out how to buy Windows for your school.
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
Find out more about the features and functionality we support in each edition of Windows.
When you've made your decision, find out how to buy Windows for your school.
Depending on your school's device management needs, Windows offers a variety of options that you can use to set up Windows 10 on your devices.
Depending on your school's device management needs, you can use **Set up School PCs** or the *Provision school devices* option in **Windows Imaging and Configuration Designer** to quickly set up student PCs.
Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
Get step-by-step guidance to help you deploy Windows 10 in a school environment.
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
Get step-by-step guidance to help you deploy Windows 10 in a school environment.
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.
For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.
If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.
Explore key considerations and questions that should be answered when planning for Windows 8.1 deployment.
Get an overview of Windows 8.1 deployment to PCs in an educational environment.
Explore Bring Your Own Device (BYOD) considerations, including device types, infrastructure, and deployment models.
Get step-by-step instructions on how to configure and deploy Windows RT devices (like Surface and other tablets) in educational environments.
Learn how to address challenges related to BYOD scenarios using Virtual Desktop Infrastructure (VDI).
Explore Windows Store app deployment strategies and considerations for educational institutions running Windows 8.1.
Learn about the benefits, limitations, and processes involved in deploying Windows To Go.
-[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
-[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
-[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
-[Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md)
-[Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
diff --git a/windows/deploy/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deploy/manage-windows-upgrades-with-upgrade-readiness.md
new file mode 100644
index 0000000000..de269889bf
--- /dev/null
+++ b/windows/deploy/manage-windows-upgrades-with-upgrade-readiness.md
@@ -0,0 +1,43 @@
+---
+title: Manage Windows upgrades with Upgrade Readiness (Windows 10)
+description: Provides an overview of the process of managing Windows upgrades with Upgrade Readiness.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Manage Windows upgrades with Upgrade Readiness
+
+Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
+
+With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Windows Upgrade Readiness not only supports upgrade management from Windows 7, Windows 8.1 to Windows 10, but also Windows 10 upgrades in the [Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview) model.
+
+Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+
+With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+
+Use Upgrade Readiness to get:
+
+- A visual workflow that guides you from pilot to production
+- Detailed computer and application inventory
+- Powerful computer level search and drill-downs
+- Guidance and insights into application and driver compatibility issues, with suggested fixes
+- Data driven application rationalization tools
+- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
+- Data export to commonly used software deployment tools, including System Center Configuration Manager
+
+The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
+
+**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
+
+- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
+- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
+
+##**Related topics**
+
+[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
+[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
+[Upgrade Readiness release notes](upgrade-readiness-release-notes.md)
+[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
+[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md)
+[Troubleshoot Upgrade Readiness](troubleshoot-upgrade-readiness.md)
diff --git a/windows/deploy/troubleshoot-upgrade-analytics.md b/windows/deploy/troubleshoot-upgrade-analytics.md
index 03c096cc19..dc7f8428f2 100644
--- a/windows/deploy/troubleshoot-upgrade-analytics.md
+++ b/windows/deploy/troubleshoot-upgrade-analytics.md
@@ -1,38 +1,4 @@
---
title: Troubleshoot Upgrade Analytics (Windows 10)
-description: Provides troubleshooting information for Upgrade Analytics.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: troubleshoot-upgrade-readiness
---
-
-# Troubleshoot Upgrade Analytics
-
-If you’re having issues seeing data in Upgrade Analytics after running the Upgrade Analytics Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error.
-
-If you still don’t see data in Upgrade Analytics, follow these steps:
-
-1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included.
-
-2. Edit the script as described in [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md).
-
-3. Check that isVerboseLogging is set to $true.
-
-4. Run the script again. Log files will be saved to the directory specified in the script.
-
-5. Open a support case with Microsoft Support through your regular channel and provide this information.
-
-## Disable Upgrade Analytics
-
-If you want to stop using Upgrade Analytics and stop sending telemetry data to Microsoft, follow these steps:
-
-1. Unsubscribe from the Upgrade Analytics solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.
-
- 
-
-2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to **Security**:
-
- **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
- **Windows 10**: Follow the instructions in the [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#enterprise-management) topic.
-
-3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
-4. You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**.
diff --git a/windows/deploy/troubleshoot-upgrade-readiness.md b/windows/deploy/troubleshoot-upgrade-readiness.md
new file mode 100644
index 0000000000..700408bdd6
--- /dev/null
+++ b/windows/deploy/troubleshoot-upgrade-readiness.md
@@ -0,0 +1,38 @@
+---
+title: Troubleshoot Upgrade Readiness (Windows 10)
+description: Provides troubleshooting information for Upgrade Readiness.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Troubleshoot Upgrade Readiness
+
+If you’re having issues seeing data in Upgrade Readiness after running the Upgrade Readiness Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error.
+
+If you still don’t see data in Upgrade Readiness, follow these steps:
+
+1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included.
+
+2. Edit the script as described in [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md).
+
+3. Check that isVerboseLogging is set to $true.
+
+4. Run the script again. Log files will be saved to the directory specified in the script.
+
+5. Open a support case with Microsoft Support through your regular channel and provide this information.
+
+## Disable Upgrade Readiness
+
+If you want to stop using Upgrade Readiness and stop sending telemetry data to Microsoft, follow these steps:
+
+1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.
+
+ 
+
+2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to **Security**:
+
+ **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*
+ **Windows 10**: Follow the instructions in the [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#enterprise-management) topic.
+
+3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
+4. You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**.
diff --git a/windows/deploy/upgrade-analytics-additional-insights.md b/windows/deploy/upgrade-analytics-additional-insights.md
index fd99d97682..610f432142 100644
--- a/windows/deploy/upgrade-analytics-additional-insights.md
+++ b/windows/deploy/upgrade-analytics-additional-insights.md
@@ -1,81 +1,5 @@
---
title: Upgrade Analytics - Additional insights
-description: Explains additional features of Upgrade Analytics.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: upgrade-analytics-additional-insights
---
-# Upgrade Analytics - Additional insights
-
-This topic provides information on additional features that are available in Upgrade Analytics to provide insights into your environment. These include:
-
-- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7 or Windows 8.1 using Internet Explorer.
-- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers.
-
-## Site discovery
-
-The site discovery feature in Upgrade Analytics provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 8.1 and Windows 7. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
-
-> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
-
-### Install prerequisite security update for Internet Explorer
-
-Ensure the following prerequisites are met before using site discovery:
-
-1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update.
-2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
-3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md) to allow Internet Explorer data collection before you run it.
-
- If necessary, you can also enable it by creating the following registry entry.
-
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
-
- Entry name: IEDataOptIn
-
- Data type: DWORD
-
- Values:
-
- > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
- >
- > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
- >
- > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
- >
- > *IEOptInLevel = 3 Data collection is enabled for all sites*
-
- For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx).
-
- 
-
-### Review most active sites
-
-This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page.
-
-For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL.
-
-
-
-Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name.
-
-
-
-### Review document modes in use
-
-This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes).
-
-
-
-### Run browser-related queries
-
-You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries.
-
-
-
-## Office add-ins
-
-Office add-ins provides a list of the Microsoft Office add-ins in your environment, and enumerates the computers that have these add-ins installed. This information should not affect the upgrade decision workflow, but can be helpful to an administrator.
-
-## Related topics
-
-[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
diff --git a/windows/deploy/upgrade-analytics-architecture.md b/windows/deploy/upgrade-analytics-architecture.md
index e7e639105a..d1ab6fecdb 100644
--- a/windows/deploy/upgrade-analytics-architecture.md
+++ b/windows/deploy/upgrade-analytics-architecture.md
@@ -1,30 +1,4 @@
---
title: Upgrade Analytics architecture (Windows 10)
-description: Describes Upgrade Analytics architecture.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: upgrade-readiness-architecture
---
-
-# Upgrade Analytics architecture
-
-Microsoft analyzes system, application, and driver telemetry data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Analytics components work together in a typical installation.
-
-
-
-
-
-After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Analytics, telemetry data is analyzed by the Upgrade Analytics Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Analytics solution (5) to plan and manage Windows upgrades.
-
-For more information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
-
-[Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
-[Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-[Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
-
-##**Related topics**
-
-[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
-[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
-[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
diff --git a/windows/deploy/upgrade-analytics-deploy-windows.md b/windows/deploy/upgrade-analytics-deploy-windows.md
index 57b8c26f7f..76c41c573a 100644
--- a/windows/deploy/upgrade-analytics-deploy-windows.md
+++ b/windows/deploy/upgrade-analytics-deploy-windows.md
@@ -1,97 +1,4 @@
---
title: Upgrade Analytics - Get a list of computers that are upgrade-ready (Windows 10)
-description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Analytics.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: upgrade-readiness-deploy-windows
---
-
-# Upgrade Analytics - Step 3: Deploy Windows
-
-All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready.
-The blades in the **Deploy** section are:
-
-- [Deploy eligible computers](#deploy-eligible-computers)
-- [Deploy computers by group](#computer-groups)
-
->Computers that are listed in this step are assigned an **UpgradeDecision** value, and the total count of computers in each upgrade decision category is displayed. Additionally, computers are assigned an **UpgradeAssessment** value. This value is displayed by drilling down into a specific upgrade decision category. For information about upgrade assessment values, see [Upgrade assessment](#upgrade-assessment).
-
-## Deploy eligible computers
-
-In this blade, computers grouped by upgrade decision are listed. The upgrade decision on the machines is a calculated value based on the upgrade decision status for the apps and drivers installed on the computer. This value cannot be modified directly. The upgrade decision is calculated in the following ways:
-- **Review in progress**: At least one app or driver installed on the computer is marked **Review in progress**.
-- **Ready to upgrade**: All apps and drivers installed on the computer are marked as **Ready to Upgrade**.
-- **Won’t upgrade**: At least one app or driver installed on the computer is marked as **Won’t upgrade**, or a system requirement is not met.
-
-
-
-
-
-Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers.
-
->**Important**
When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
-
-## Computer groups
-
-Computer groups allow you to segment your environment by creating device groups based on OMS log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/).
-
-Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Analytics Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS.
-
-### Getting started with Computer Groups
-
-When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example:
-
-
-
-To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example:
-
-```
-Type=UAComputer Manufacturer=DELL
-```
-
-
-
-When you are satisfied that the query is returning the intended results, add the following text to your search:
-
-```
-| measure count() by Computer
-```
-
-This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example:
-
-
-
-Your new computer group will now be available in Upgrade Analytics. See the following example:
-
-
-
-### Using Computer Groups
-
-When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready.
-
-
-
-Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**:
-
-
-
-Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**:
-
-
-
-A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed.
-
-### Upgrade assessment
-
-Upgrade assessment and guidance details are explained in the following table.
-
-| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance |
-|-----------------------|------------------------------------------------|----------|-----------------|---------------|
-| No known issues | No | None | Computers will upgrade seamlessly.
| OK to use as-is in pilot. |
-| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. |
-| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.
If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.
|
-
-Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file.
-
->**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
\ No newline at end of file
diff --git a/windows/deploy/upgrade-analytics-deployment-script.md b/windows/deploy/upgrade-analytics-deployment-script.md
index a189c5290f..0db5694e53 100644
--- a/windows/deploy/upgrade-analytics-deployment-script.md
+++ b/windows/deploy/upgrade-analytics-deployment-script.md
@@ -1,101 +1,4 @@
---
title: Upgrade Analytics deployment script (Windows 10)
-description: Deployment script for Upgrade Analytics.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-author: greg-lindsay
----
-
-# Upgrade Analytics deployment script
-
-To automate the steps provided in [Get started with Upgrade Analytics](upgrade-analytics-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
-
-For detailed information about using the upgrade analytics deployment script, also see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
-
-> The following guidance applies to version 11.11.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
-
-The Upgrade Analytics deployment script does the following:
-
-1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
-2. Verifies that user computers can send data to Microsoft.
-3. Checks whether the computer has a pending restart.
-4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
-5. If enabled, turns on verbose mode for troubleshooting.
-6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness.
-7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
-
-To run the Upgrade Analytics deployment script:
-
-1. Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
-
-2. Edit the following parameters in RunConfig.bat:
-
- 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
-
- 2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry.
-
- 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
-
- > *logMode = 0 log to console only*
->
- > *logMode = 1 log to file and console*
->
- > *logMode = 2 log to file only*
-
-3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
-
- > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
- >
- > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
- >
- > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
- >
- > *IEOptInLevel = 3 Data collection is enabled for all sites*
-
-4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
-
-The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
-
-
-
-
-Exit code Meaning Suggested fix
- 0 Success
- 1 Unexpected error occurred while executing the script The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again.
- 2 Error when logging to console. $logMode = 0. Try changing the $logMode value to **1** and try again.
- 3 Error when logging to console and file. $logMode = 1. Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
- 4 Error when logging to file. $logMode = 2. Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
- 5 Error when logging to console and file. $logMode = unknown. Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
- 6 The commercialID parameter is set to unknown. Modify the script. Set the value for CommercialID in runconfig.bat file.
- 8 Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. Verify that the configuration script has access to this location.
- 9 Error when writing CommercialId to registry. Verify that the configuration script has access to this location.
- 10 Error when writing CommercialDataOptIn to registry. Verify that the configuration script has access to this location.
- 11 Function -SetupCommercialId: Unexpected failure. Verify that the configuration script has access to this location.
- 12 Can’t connect to Microsoft – Vortex. Check your network/proxy settings. Verify that the required endpoints are whitelisted correctly.
- 13 Can’t connect to Microsoft – setting. Verify that the required endpoints are whitelisted correctly.
- 14 Can’t connect to Microsoft – compatexchange. Verify that the required endpoints are whitelisted.
- 15 Error connecting to Microsoft:Unexpected failure.
- 16 Machine requires reboot. The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script.
- 17 Function -CheckRebootRequired: Unexpected failure. The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script.
- 18 Outdated compatibility update KB package. Update via Windows Update/WSUS.
-The configuration script detected a version of the Compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Analytics solution. Use the latest version of the Compatibility update for Windows 7 SP1/Windows 8.1.
- 19 The compatibility update failed with unexpected exception. The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again.
- 20 Error writing RequestAllAppraiserVersions registry key. This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location.
- 21 Function – SetRequestAllAppraiserVersions: Unexpected failure. This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location.
- 22 RunAppraiser failed with unexpected exception. Check %windir%\System32 directory for a file called CompatTelRunner.exe. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization group policy to make sure it does not remove this file.
- 23 Error finding system variable %WINDIR%. Make sure that this environment variable is available on the machine.
- 24 SetIEDataOptIn failed when writing IEDataOptIn to registry. Verify that the deployment script in running in a context that has access to the registry key.
- 25 SetIEDataOptIn failed with unexpected exception. The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again.
- 26 The operating system is Server or LTSB SKU. The script does not support Server or LTSB SKUs.
- 27 The script is not running under System account. The Upgrade Analytics configuration script must be run as system.
- 28 Could not create log file at the specified logPath. Make sure the deployment script has access to the location specified in the logPath parameter.
- 29 Connectivity check failed for proxy authentication. Install the cumulative updates on the machine and enable the `DisableEnterpriseAuthProxy` authentication proxy setting. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
- 30 Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
- 31 There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. Use the Windows Task Manager to check if CompatTelRunner.exe is running, and wait until it has completed to rerun the script.
-**The Upgrade Analytics task is scheduled to run daily at 3 a.m.**
-
- - [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements): Provides detailed requirements to use Upgrade Analytics.
- - [Upgrade Analytics blog](https://blogs.technet.microsoft.com/UpgradeAnalytics): Contains announcements of new features and provides helpful tips for using Upgrade Analytics.
-
->If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Analytics with Configuration Manager: [Integrate Upgrade Analytics with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
-
-When you are ready to begin using Upgrade Analytics, perform the following steps:
-
-1. Review [data collection and privacy](#data-collection-and-privacy) information.
-2. [Add Upgrade Analytics to OMS](#add-upgrade-analytics-to-operations-management-suite).
-3. [Enable data sharing](#enable-data-sharing).
-4. [Deploy required updates](#deploy-the-compatibility-update-and-related-kbs) to computers, and validate using a pilot deployment.
-5. [Deploy Upgrade Analytics at scale](#deploy-upgrade-analytics-at-scale).
-
-## Data collection and privacy
-
-To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see the following topics:
-
-- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
-- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
-
-## Add Upgrade Analytics to Operations Management Suite
-
-Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
-
-If you are already using OMS, you’ll find Upgrade Analytics in the Solutions Gallery. Select the **Upgrade Analytics** tile in the gallery and then click **Add** on the solution's details page. Upgrade Analytics is now visible in your workspace.
-
-If you are not using OMS:
-
-1. Go to the [Upgrade Analytics page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process.
-2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
-3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
-4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
-
- > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
-
-1. To add the Upgrade Analytics solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Analytics** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Analytics.
-
-2. Click the **Upgrade Analytics** tile to configure the solution. The **Settings Dashboard** opens.
-
-### Generate your commercial ID key
-
-Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. Generate your commercial ID key in OMS and then deploy it to user computers.
-
-1. On the Settings Dashboard, navigate to the **Windows telemetry** panel.
-
- 
-
-2. On the Windows telemetry panel, copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Analytics deployment script later so it can be deployed to user computers.
-
- >**Important**
Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again.
-
-### Subscribe to Upgrade Analytics
-
-For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, subscribe your OMS workspace to Upgrade Analytics.
-
-1. On the **Windows telemetry** panel, click **Subscribe**. The button changes to **Unsubscribe**. Unsubscribe from the Upgrade Analytics solution if you no longer want to receive upgrade-readiness information from Microsoft. Note that user computer data will continue to be shared with Microsoft for as long as the opt-in keys are set on user computers and the proxy allows the traffic.
-
-1. Click **Overview** on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Analytics tile now displays summary data. Click the tile to open Upgrade Analytics.
-
-## Enable data sharing
-
-To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
-
-Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account.
-
-| **Endpoint** | **Function** |
-|---------------------------------------------------------|-----------|
-| `https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
-| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. |
-| `https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
-
-
-## Deploy the compatibility update and related KBs
-
-The compatibility update KB scans your computers and enables application usage tracking. If you don’t already have these KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
-
-| **Operating System** | **KBs** |
-|----------------------|-----------------------------------------------------------------------------|
-| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. |
-| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2952664 must be installed before you can download and install KB3150513. |
-
-IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
-
-If you are planning to enable IE Site Discovery, you will need to install a few additional KBs.
-
-| **Site discovery** | **KB** |
-|----------------------|-----------------------------------------------------------------------------|
-| [Review site discovery](upgrade-analytics-review-site-discovery.md) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
For more information about this KB, see
Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
-
-### Deploy the Upgrade Analytics deployment script
-
-You can use the Upgrade Analytics deployment script to automate and verify your deployment.
-
-See [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md) for information on obtaining and running the script, and for a description of the error codes that can be displayed.
-
->After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Analytics. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Analytics. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers.
-
-## Deploy Upgrade Analytics at scale
-
-When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining computers in your organization.
-
-### Automate data collection
-
-To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
-
-- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing.
-- Schedule the Upgrade Analytics deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. Computers are re-scanned only when the compatibility KBs are updated, so if your inventory changes significantly between KB releases you won’t see the changes in Upgrade Analytics until you run the script again.
-- Schedule monthly user computer scans to view monthly active computer and usage information.
-
-### Distribute the deployment script at scale
-
-Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Analytics deployment script at scale. For more information, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
\ No newline at end of file
+redirect_url: upgrade-readiness-get-started
+---
\ No newline at end of file
diff --git a/windows/deploy/upgrade-analytics-identify-apps.md b/windows/deploy/upgrade-analytics-identify-apps.md
index cfd5df068f..6ff2df414c 100644
--- a/windows/deploy/upgrade-analytics-identify-apps.md
+++ b/windows/deploy/upgrade-analytics-identify-apps.md
@@ -1,36 +1,5 @@
---
title: Upgrade Analytics - Identify important apps (Windows 10)
-description: Describes how to prepare your environment so that you can use Upgrade Analytics to manage Windows upgrades.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: upgrade-readiness-identify-apps
---
-# Upgrade Analytics - Step 1: Identify important apps
-
-This is the first step of the Upgrade Analytics workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade.
-
-
-
-
-
-Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them.
-
-To change an application’s importance level:
-
-1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level.
-2. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list.
-3. Click **Save** when finished.
-
-Importance levels include:
-
-| Importance level | When to use it | Recommendation |
-|--------------------|------------------|------------------|
-| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]
Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
| Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. For example, payroll apps or tax accounting apps tend to be installed on a relatively small number of machines but are still considered business critical applications.
|
-| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you set their importance level.
| Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. |
-| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.
| You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
|
-| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
|
-| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
| Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing. If you set the importance level to ignore, and this is an app that you are not planning on testing or validating, consider changing the upgrade decision to **Ready to upgrade**. By marking these apps ready to upgrade, you are indicating that you are comfortable upgrading with the app remaining in its current state.
|
-| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
| As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.
Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
|
-
diff --git a/windows/deploy/upgrade-analytics-prepare-your-environment.md b/windows/deploy/upgrade-analytics-prepare-your-environment.md
index 78eeaa078b..796b1298d8 100644
--- a/windows/deploy/upgrade-analytics-prepare-your-environment.md
+++ b/windows/deploy/upgrade-analytics-prepare-your-environment.md
@@ -1,4 +1,4 @@
---
title: Upgrade Analytics - Identify important apps (Windows 10)
-redirect_url: upgrade-analytics-identify-apps
+redirect_url: upgrade-readiness-identify-apps
---
\ No newline at end of file
diff --git a/windows/deploy/upgrade-analytics-release-notes.md b/windows/deploy/upgrade-analytics-release-notes.md
index dbf92527d7..527b616631 100644
--- a/windows/deploy/upgrade-analytics-release-notes.md
+++ b/windows/deploy/upgrade-analytics-release-notes.md
@@ -1,5 +1,5 @@
---
title: Upgrade Analytics release notes (Windows 10)
description: Provides tips and limitations about Upgrade Analytics.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements#important-information-about-this-release
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-requirements#important-information-about-this-release
---
\ No newline at end of file
diff --git a/windows/deploy/upgrade-analytics-requirements.md b/windows/deploy/upgrade-analytics-requirements.md
index 3875acc090..1b99be1621 100644
--- a/windows/deploy/upgrade-analytics-requirements.md
+++ b/windows/deploy/upgrade-analytics-requirements.md
@@ -1,88 +1,5 @@
---
title: Upgrade Analytics requirements (Windows 10)
-description: Provides requirements for Upgrade Analytics.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: upgrade-readiness-requirements
---
-# Upgrade Analytics requirements
-
-This article introduces concepts and steps needed to get up and running with Upgrade Analytics. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Analytics.
-
-## Supported upgrade paths
-
-To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows telemetry, Upgrade Analytics performs a full inventory of computers so that you can see which version of Windows is installed on each computer.
-
-The compatibility update KB that sends telemetry data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Analytics cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
-
-
-
-If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center.
-
-Note: Upgrade Analytics is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Analytics insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance.
-
-See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements.
-
-## Operations Management Suite
-
-Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
-
-If you’re already using OMS, you’ll find Upgrade Analytics in the Solutions Gallery. Click the Upgrade Analytics tile in the gallery and then click Add on the solution’s details page. Upgrade Analytics is now visible in your workspace.
-
-If you are not using OMS, go to [the Upgrade Analytics page on Microsoft.com](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics) and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Analytics solution to it.
-
-Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
-
-## System Center Configuration Manager integration
-
-Upgrade Analytics can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Analytics with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
-
-## Telemetry and data sharing
-
-After you’ve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Analytics.
-
-See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Analytics collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
-
-**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, you’ll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
-
-`https://v10.vortex-win.data.microsoft.com/collect/v1`
-`https://vortex-win.data.microsoft.com/health/keepalive`
-`https://settings-win.data.microsoft.com/settings`
-`https://vortex.data.microsoft.com/health/keepalive`
-`https://settings.data.microsoft.com/qos`
-`https://go.microsoft.com/fwlink/?LinkID=544713`
-`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended`
-
->**Note** The compatibility update KB runs under the computer’s system account and does not support user authentication in this release.
-
-**Generate your commercial ID key.** Microsoft uses a unique commercial ID GUID to map data from your computers to your OMS workspace. You’ll need to generate your commercial ID key in OMS. We recommend that you save your commercial ID key as you’ll need it later.
-
-**Subscribe your OMS workspace to Upgrade Analytics.** For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, you’ll need to subscribe your OMS workspace to Upgrade Analytics.
-
-**Enable telemetry and connect data sources.** To allow Upgrade Analytics to collect system, application, and driver data and assess your organization’s upgrade readiness, communication must be established between Upgrade Analytics and user computers. You’ll need to connect Upgrade Analytics to your data sources and enable telemetry to establish communication.
-
-**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you don’t already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
-
->**Important**
The compatibility update and related KBs are updated frequently to include new compatibility issues as they become known to Microsoft. We recommend that you use a deployment system that allows for automatic updates of these KBs. The compatibility update KB collects inventory information from computers only when it is updated.
-
-**Configure and deploy Upgrade Analytics deployment script.** Configure and deploy the Upgrade Analytics deployment script to user computers to finish setting up.
-
-## Important information about this release
-
-Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release.
-
-**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints.
-
-**Upgrade Analytics does not support on-premises Windows deployments.** Upgrade Analytics is built as a cloud service, which allows Upgrade Analytics to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.
-
-**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Analytics solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported.
-
-### Tips
-
-- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items.
-
-- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in OMS, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby).
-
-## Get started
-
-See [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Analytics and getting started on your Windows upgrade project.
diff --git a/windows/deploy/upgrade-analytics-resolve-issues.md b/windows/deploy/upgrade-analytics-resolve-issues.md
index ec6f782f9e..9514c81869 100644
--- a/windows/deploy/upgrade-analytics-resolve-issues.md
+++ b/windows/deploy/upgrade-analytics-resolve-issues.md
@@ -1,145 +1,5 @@
---
title: Upgrade Analytics - Resolve application and driver issues (Windows 10)
-description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Analytics.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: upgrade-readiness-resolve-issues
---
-# Upgrade Analytics - Step 2: Resolve app and driver issues
-
-This section of the Upgrade Analytics workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them.
-
-You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list.
-
-Upgrade decisions include:
-
-| Upgrade decision | When to use it | Guidance |
-|--------------------|-------------------|-------------|
-| Not reviewed | All drivers are marked as Not reviewed by default.
Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
| Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.
|
-| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.
Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.
| Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
|
-| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.
In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
|
-| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.
Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
| If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.
|
-
-The blades in the **Resolve issues** section are:
-
-- Review applications with known issues
-- Review applications with no known issues
-- Review drivers with known issues
-
-As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/).
-
-## Review applications with known issues
-
-Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**.
-
-
-
-
-
-To change an application's upgrade decision:
-
-1. Select **Decide upgrade readiness** to view applications with issues.
-2. In the table view, select an **UpgradeDecision** value.
-3. Select **Decide upgrade readiness** to change the upgrade decision for each application.
-4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
-5. Click **Save** when finished.
-
-IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information.
-
-For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible.
-
-| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
-|--------------------|-----------------------------------|-----------|-----------------|------------|
-| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
| No action is required for the upgrade to proceed. |
-| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade.
The application may work on the new operating system.
| Remove the application before upgrading, and reinstall and test on new operating system. |
-| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
|
-| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
|
-| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.
A compatible version of the application may be available.
|
-| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.
| Test the application’s behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.
|
-| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. |
-
-For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft.
-
-| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
-|--------------------|-----------------------------------|----------|-----------------|-------------|
-| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and won’t migrate. A compatible version of the application is available. | Update the application before upgrading. |
-| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.
| No action is required for the upgrade to proceed. Reinstall application on the new operating system. |
-| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system.
|
-| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.
|
-
-### ISV support for applications with Ready for Windows
-
-[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/).
-
-Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example:
-
-
-
-If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance.
-
-
-
-If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows.
-
-
-
-The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses)
-
-| Ready for Windows Status | Query rollup level | What this means | Guidance |
-|-------------------|--------------------------|-----------------|----------|
-|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. |
-| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. |
-| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. |
-| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A |
-| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.|
-|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.|
-|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.|
-| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A |
-
-## Review applications with no known issues
-
-Applications with no issues known to Microsoft are listed, grouped by upgrade decision.
-
-
-
-Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**.
-
-Be sure to review low install count applications for any business critical or important applications that may not yet be upgrade-ready, despite their low installation rates.
-
-To change an application's upgrade decision:
-
-1. Select **Decide upgrade readiness** to view applications with issues. Select **Table** to view the list in a table.
-
-2. Select **User changes** to change the upgrade decision for each application.
-
-3. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
-
-4. Click **Save** when finished.
-
-## Review drivers with known issues
-
-Drivers that won’t migrate to the new operating system are listed, grouped by availability.
-
-
-
-Availability categories are explained in the table below.
-
-| Driver availability | Action required before or after upgrade? | What it means | Guidance |
-|-----------------------|------------------------------------------|----------------|--------------|
-| Available in-box | No, for awareness only | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system.
| No action is required for the upgrade to proceed. |
-| Import from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system; however, a compatible version is available from Windows Update.
| If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
|
-| Available in-box and from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system.
Although a new driver is installed during upgrade, a newer version is available from Windows Update.
| If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
|
-| Check with vendor | Yes | The driver won’t migrate to the new operating system and we are unable to locate a compatible version.
| Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. |
-
-To change a driver’s upgrade decision:
-
-1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table.
-
-2. Select **User changes** to enable user input.
-
-3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list.
-
-4. Click **Save** when finished.
-
diff --git a/windows/deploy/upgrade-analytics-review-site-discovery.md b/windows/deploy/upgrade-analytics-review-site-discovery.md
index e42b53e9d0..00fd0a4784 100644
--- a/windows/deploy/upgrade-analytics-review-site-discovery.md
+++ b/windows/deploy/upgrade-analytics-review-site-discovery.md
@@ -1,6 +1,6 @@
---
title: Review site discovery
-redirect_url: upgrade-analytics-additional-insights
+redirect_url: upgrade-readiness-additional-insights
---
diff --git a/windows/deploy/upgrade-analytics-upgrade-overview.md b/windows/deploy/upgrade-analytics-upgrade-overview.md
index 4d1885b34a..72c4b10125 100644
--- a/windows/deploy/upgrade-analytics-upgrade-overview.md
+++ b/windows/deploy/upgrade-analytics-upgrade-overview.md
@@ -1,51 +1,4 @@
---
title: Upgrade Analytics - Upgrade Overview (Windows 10)
-description: Displays the total count of computers sharing data and upgraded.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: upgrade-readiness-upgrade-overview
---
-
-# Upgrade Analytics - Upgrade overview
-
-The first blade in the Upgrade Analytics solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
-
-The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The following status changes are reflected on the upgrade overview blade:
-
-- Computers with incomplete data:
- - Less than 4% = count is displayed in green.
- - 4% - 10% = Count is displayed in amber.
- - Greater than 10% = Count is displayed in red.
-- Delay processing device inventory data = The "Last updated" banner is displayed in amber.
-- Pending user changes = User changes count displays "Data refresh pending" in amber.
-- No pending user changes = User changes count displays "Up to date" in green.
-
-In the following example, less than 4% of (3k\355k) computers have incomplete data, and there are no pending user changes:
-
-
-
-
-
-If data processing is delayed, you can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed. Data is typically refreshed and the display will return to normal again within 24 hours.
-
-Select **Total computers** for a list of computers and details about them, including:
-
-- Computer ID and computer name
-- Computer manufacturer
-- Computer model
-- Operating system version and build
-- Count of system requirement, application, and driver issues per computer
-- Upgrade assessment based on analysis of computer telemetry data
-- Upgrade decision status
-
-Select **Total applications** for a list of applications discovered on user computers and details about them, including:
-
-- Application vendor
-- Application version
-- Count of computers the application is installed on
-- Count of computers that opened the application at least once in the past 30 days
-- Percentage of computers in your total computer inventory that opened the application in the past 30 days
-- Issues detected, if any
-- Upgrade assessment based on analysis of application data
-- Rollup level
\ No newline at end of file
diff --git a/windows/deploy/upgrade-readiness-additional-insights.md b/windows/deploy/upgrade-readiness-additional-insights.md
new file mode 100644
index 0000000000..e7a8b7a54c
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-additional-insights.md
@@ -0,0 +1,81 @@
+---
+title: Upgrade Readiness - Additional insights
+description: Explains additional features of Upgrade Readiness.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Upgrade Readiness - Additional insights
+
+This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include:
+
+- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7 or Windows 8.1 using Internet Explorer.
+- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers.
+
+## Site discovery
+
+The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 8.1 and Windows 7. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
+
+> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
+
+### Install prerequisite security update for Internet Explorer
+
+Ensure the following prerequisites are met before using site discovery:
+
+1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update.
+2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
+3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it.
+
+ If necessary, you can also enable it by creating the following registry entry.
+
+ HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
+
+ Entry name: IEDataOptIn
+
+ Data type: DWORD
+
+ Values:
+
+ > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
+ >
+ > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
+ >
+ > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
+ >
+ > *IEOptInLevel = 3 Data collection is enabled for all sites*
+
+ For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx).
+
+ 
+
+### Review most active sites
+
+This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page.
+
+For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL.
+
+
+
+Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name.
+
+
+
+### Review document modes in use
+
+This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes).
+
+
+
+### Run browser-related queries
+
+You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries.
+
+
+
+## Office add-ins
+
+Office add-ins provides a list of the Microsoft Office add-ins in your environment, and enumerates the computers that have these add-ins installed. This information should not affect the upgrade decision workflow, but can be helpful to an administrator.
+
+## Related topics
+
+[Upgrade Readiness release notes](upgrade-readiness-release-notes.md)
diff --git a/windows/deploy/upgrade-readiness-architecture.md b/windows/deploy/upgrade-readiness-architecture.md
new file mode 100644
index 0000000000..c4cafc8768
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-architecture.md
@@ -0,0 +1,30 @@
+---
+title: Upgrade Readiness architecture (Windows 10)
+description: Describes Upgrade Readiness architecture.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Upgrade Readiness architecture
+
+Microsoft analyzes system, application, and driver telemetry data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation.
+
+
+
+
+
+After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, telemetry data is analyzed by the Upgrade Readiness Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades.
+
+For more information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
+
+[Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
+[Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+[Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
+
+##**Related topics**
+
+[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
+[Upgrade Readiness release notes](upgrade-readiness-release-notes.md)
+[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
diff --git a/windows/deploy/upgrade-readiness-deploy-windows.md b/windows/deploy/upgrade-readiness-deploy-windows.md
new file mode 100644
index 0000000000..bb54670f8d
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-deploy-windows.md
@@ -0,0 +1,97 @@
+---
+title: Upgrade Readiness - Get a list of computers that are upgrade-ready (Windows 10)
+description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Upgrade Readiness - Step 3: Deploy Windows
+
+All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready.
+The blades in the **Deploy** section are:
+
+- [Deploy eligible computers](#deploy-eligible-computers)
+- [Deploy computers by group](#computer-groups)
+
+>Computers that are listed in this step are assigned an **UpgradeDecision** value, and the total count of computers in each upgrade decision category is displayed. Additionally, computers are assigned an **UpgradeAssessment** value. This value is displayed by drilling down into a specific upgrade decision category. For information about upgrade assessment values, see [Upgrade assessment](#upgrade-assessment).
+
+## Deploy eligible computers
+
+In this blade, computers grouped by upgrade decision are listed. The upgrade decision on the machines is a calculated value based on the upgrade decision status for the apps and drivers installed on the computer. This value cannot be modified directly. The upgrade decision is calculated in the following ways:
+- **Review in progress**: At least one app or driver installed on the computer is marked **Review in progress**.
+- **Ready to upgrade**: All apps and drivers installed on the computer are marked as **Ready to Upgrade**.
+- **Won’t upgrade**: At least one app or driver installed on the computer is marked as **Won’t upgrade**, or a system requirement is not met.
+
+
+
+
+
+Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers.
+
+>**Important**
When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
+
+## Computer groups
+
+Computer groups allow you to segment your environment by creating device groups based on OMS log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/).
+
+Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Readiness Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS.
+
+### Getting started with Computer Groups
+
+When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example:
+
+
+
+To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example:
+
+```
+Type=UAComputer Manufacturer=DELL
+```
+
+
+
+When you are satisfied that the query is returning the intended results, add the following text to your search:
+
+```
+| measure count() by Computer
+```
+
+This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example:
+
+
+
+Your new computer group will now be available in Upgrade Readiness. See the following example:
+
+
+
+### Using Computer Groups
+
+When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready.
+
+
+
+Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**:
+
+
+
+Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**:
+
+
+
+A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed.
+
+### Upgrade assessment
+
+Upgrade assessment and guidance details are explained in the following table.
+
+| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance |
+|-----------------------|------------------------------------------------|----------|-----------------|---------------|
+| No known issues | No | None | Computers will upgrade seamlessly.
| OK to use as-is in pilot. |
+| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. |
+| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.
If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.
|
+
+Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file.
+
+>**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
\ No newline at end of file
diff --git a/windows/deploy/upgrade-readiness-deployment-script.md b/windows/deploy/upgrade-readiness-deployment-script.md
new file mode 100644
index 0000000000..e1decfb250
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-deployment-script.md
@@ -0,0 +1,265 @@
+---
+title: Upgrade Readiness deployment script (Windows 10)
+description: Deployment script for Upgrade Readiness.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# Upgrade Readiness deployment script
+
+To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
+
+>[!IMPORTANT]
+>Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution.
+
+For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
+
+> The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, please download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
+
+The Upgrade Readiness deployment script does the following:
+
+1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
+2. Verifies that user computers can send data to Microsoft.
+3. Checks whether the computer has a pending restart.
+4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
+5. If enabled, turns on verbose mode for troubleshooting.
+6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness.
+7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
+
+To run the Upgrade Readiness deployment script:
+
+1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
+
+2. Edit the following parameters in RunConfig.bat:
+
+ 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
+
+ 2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry.
+
+ 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
+
+ > *logMode = 0 log to console only*
+>
+ > *logMode = 1 log to file and console*
+>
+ > *logMode = 2 log to file only*
+
+3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
+
+ > *IEOptInLevel = 0 Internet Explorer data collection is disabled*
+ >
+ > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
+ >
+ > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
+ >
+ > *IEOptInLevel = 3 Data collection is enabled for all sites*
+
+4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
+
+The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
+
+
+
+
+
+Exit code
+Meaning
+ Suggested fix
+
+ 0
+Success
+ N/A
+
+ 1
+Unexpected error occurred while executing the script.
+ The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again.
+
+ 2
+Error when logging to console. $logMode = 0.
(console only)
+Try changing the $logMode value to **1** and try again.
$logMode value 1 logs to both console and file.
+
+3
+Error when logging to console and file. $logMode = 1.
+ Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
+
+ 4
+Error when logging to file. $logMode = 2.
+ Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
+
+ 5
+Error when logging to console and file. $logMode = unknown.
+ Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
+
+ 6
+The commercialID parameter is set to unknown.
Modify the runConfig.bat file to set the CommercialID value.
+The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace.
+
See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace.
+
+8
+Failure to create registry key path: The Commercial Id property is set at the following registry key path:
Verify that the context under which the script in running has access to the registry key.
+
+9
+The script failed to write Commercial Id to registry.
+
Error creating or updating registry key: **CommercialId** at Verify that the context under which the script in running has access to the registry key.
+
+ 10
+Error when writing **CommercialDataOptIn** to the registry at Verify that the deployment script is running in a context that has access to the registry key.
+
+ 11
+Function **SetupCommercialId** failed with an unexpected exception.
+ The **SetupCommercialId** function updates the Commercial Id at the registry key path:
Verify that the configuration script has access to this location.
+
+12
+Can’t connect to Microsoft - Vortex. Check your network/proxy settings.
+ **Http Get** on the end points did not return a success exit code.
+For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive.
+For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive.
+
If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
+
+
+13
+Can’t connect to Microsoft - setting.
+ An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
+
+
+ 14
+Can’t connect to Microsoft - compatexchange.
+ An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc . This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
+
+ 15
+Function CheckVortexConnectivity failed with an unexpected exception.
+ This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult.
+
+ 16
+The computer requires a reboot before running the script.
+ A reboot is required to complete the installation of the compatibility update and related KBs. Reboot the computer before running the Upgrade Readiness deployment script.
+
+ 17
+Function **CheckRebootRequired** failed with an unexpected exception.
+ A reboot is required to complete installation of the compatibility update and related KBs. Check the logs for the exception message and the HResult.
+
+ 18
+Appraiser KBs not installed or **appraiser.dll** not found.
+ Either the Appraiser KBs are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser telemetry events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic.
+
+ 19
+Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception.
+ Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed.
+
+ 20
+An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key.
+
+ 21
+Function **SetRequestAllAppraiserVersions** failed with an unexpected exception.
+ Check the logs for the exception message and HResult.
+
+ 22
+**RunAppraiser** failed with unexpected exception.
+ Check the logs for the exception message and HResult. Check the **%windir%\System32*8 directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file.
+
+ 23
+Error finding system variable **%WINDIR%**.
+ Verify that this environment variable is configured on the computer.
+
+ 24
+The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult.
+
+ 25
+The function **SetIEDataOptIn** failed with unexpected exception.
+ Check the logs for the exception message and HResult.
+
+ 26
+The operating system is Server or LTSB SKU.
+ The script does not support Server or LTSB SKUs.
+
+ 27
+The script is not running under **System** account.
+ The Upgrade Readiness configuration script must be run as **System**.
+
+ 28
+Could not create log file at the specified **logPath**.
+ Make sure the deployment script has access to the location specified in the **logPath** parameter.
+
+ 29
+Connectivity check failed for proxy authentication.
+ Install the cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting.
+
The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
+
For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled).
+
For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
+
+30
+Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled.
+ The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
+
For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled).
+
For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
+
+31
+There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer.
+ Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m.
+
+ 32
+Appraiser version on the machine is outdated.
+ The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for Windows 7 SP1/Windows 8.1.
+
+ 33
+**CompatTelRunner.exe** exited with an exit code
+ **CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Please check the logs for more details.
+
+ 34
+Function **CheckProxySettings** failed with an unexpected exception.
+ Check the logs for the exception message and HResult.
+
+ 35
+Function **CheckAuthProxy** failed with an unexpected exception.
+ Check the logs for the exception message and HResult.
+
+ 36
+Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception.
+ Check the logs for the exception message and HResult.
+
+ 37
+**Diagnose_internal.cmd** failed with an unexpected exception.
+ Check the logs for the exception message and HResult.
+
+ 38
+Function **Get-SqmID** failed with an unexpected exception.
+ Check the logs for the exception message and HResult.
+
+ 39
+For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
+
+ 40
+Function **CheckTelemetryOptIn** failed with an unexpected exception.
+ Check the logs for the exception message and HResult.
+
+ 41
+The script failed to impersonate the currently logged on user.
+ The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the logged on user. The script also tries to mimic this, but the process failed.
+
+ 42
+Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception.
+ Check the logs for the exception message and HResult.
+
+ 43
+Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception.
+ Check the logs for the exception message and HResult.
+
+
+ - [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
+ - [Upgrade Readiness blog](https://blogs.technet.microsoft.com/UpgradeAnalytics): Contains announcements of new features and provides helpful tips for using Upgrade Readiness.
+
+>If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
+
+When you are ready to begin using Upgrade Readiness, perform the following steps:
+
+1. Review [data collection and privacy](#data-collection-and-privacy) information.
+2. [Add Upgrade Readiness to OMS](#add-upgrade-readiness-to-operations-management-suite).
+3. [Enable data sharing](#enable-data-sharing).
+4. [Deploy required updates](#deploy-the-compatibility-update-and-related-kbs) to computers, and validate using a pilot deployment.
+5. [Deploy Upgrade Readiness at scale](#deploy-upgrade-readiness-at-scale).
+
+## Data collection and privacy
+
+To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see the following topics:
+
+- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
+- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
+
+## Add Upgrade Readiness to Operations Management Suite
+
+Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
+
+If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace.
+
+If you are not using OMS:
+
+1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process.
+2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
+4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
+
+ > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
+
+1. To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness.
+
+2. Click the **Upgrade Readiness** tile to configure the solution. The **Settings Dashboard** opens.
+
+### Generate your commercial ID key
+
+Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. Generate your commercial ID key in OMS and then deploy it to user computers.
+
+1. On the Settings Dashboard, navigate to the **Windows telemetry** panel.
+
+ 
+
+2. On the Windows telemetry panel, copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Readiness deployment script later so it can be deployed to user computers.
+
+ >**Important**
Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again.
+
+### Subscribe to Upgrade Readiness
+
+For Upgrade Readiness to receive and display upgrade readiness data from Microsoft, subscribe your OMS workspace to Upgrade Readiness.
+
+1. On the **Windows telemetry** panel, click **Subscribe**. The button changes to **Unsubscribe**. Unsubscribe from the Upgrade Readiness solution if you no longer want to receive upgrade-readiness information from Microsoft. Note that user computer data will continue to be shared with Microsoft for as long as the opt-in keys are set on user computers and the proxy allows the traffic.
+
+1. Click **Overview** on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Readiness tile now displays summary data. Click the tile to open Upgrade Readiness.
+
+## Enable data sharing
+
+To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
+
+Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account.
+
+| **Endpoint** | **Function** |
+|---------------------------------------------------------|-----------|
+| `https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
+| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. |
+| `https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
+
+
+## Deploy the compatibility update and related KBs
+
+The compatibility update KB scans your computers and enables application usage tracking. If you don’t already have these KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
+
+| **Operating System** | **KBs** |
+|----------------------|-----------------------------------------------------------------------------|
+| Windows 10 | The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com)
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. |
+| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2952664 must be installed before you can download and install KB3150513. |
+
+IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
+
+If you are planning to enable IE Site Discovery, you will need to install a few additional KBs.
+
+| **Site discovery** | **KB** |
+|----------------------|-----------------------------------------------------------------------------|
+| [Review site discovery](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-additional-insights#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
For more information about this KB, see
Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
+
+### Deploy the Upgrade Readiness deployment script
+
+You can use the Upgrade Readiness deployment script to automate and verify your deployment.
+
+See [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) for information on obtaining and running the script, and for a description of the error codes that can be displayed.
+
+>After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Readiness. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Readiness. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers.
+
+## Deploy Upgrade Readiness at scale
+
+When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining computers in your organization.
+
+### Automate data collection
+
+To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
+
+- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing.
+- Schedule the Upgrade Readiness deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated.
+- Schedule monthly user computer scans to view monthly active computer and usage information.
+
+>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas are created when the update package is installed. A full scan averages to about 2 MB, but the delta scans are very small. For Windows 10 devices, its already part of the OS. This is the **Windows Compat Appraiser** task. Deltas are invoked via the nightly scheduled task. It attempts to run around 3AM, but if system is off at that time, the task will run when the system is turned on.
+
+### Distribute the deployment script at scale
+
+Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
\ No newline at end of file
diff --git a/windows/deploy/upgrade-readiness-identify-apps.md b/windows/deploy/upgrade-readiness-identify-apps.md
new file mode 100644
index 0000000000..33b5d248c5
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-identify-apps.md
@@ -0,0 +1,36 @@
+---
+title: Upgrade Readiness - Identify important apps (Windows 10)
+description: Describes how to prepare your environment so that you can use Upgrade Readiness to manage Windows upgrades.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Upgrade Readiness - Step 1: Identify important apps
+
+This is the first step of the Upgrade Readiness workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade.
+
+
+
+
+
+Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them.
+
+To change an application’s importance level:
+
+1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level.
+2. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list.
+3. Click **Save** when finished.
+
+Importance levels include:
+
+| Importance level | When to use it | Recommendation |
+|--------------------|------------------|------------------|
+| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]
Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
| Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. For example, payroll apps or tax accounting apps tend to be installed on a relatively small number of machines but are still considered business critical applications.
|
+| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you set their importance level.
| Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. |
+| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.
| You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
|
+| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
|
+| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
| Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing. If you set the importance level to ignore, and this is an app that you are not planning on testing or validating, consider changing the upgrade decision to **Ready to upgrade**. By marking these apps ready to upgrade, you are indicating that you are comfortable upgrading with the app remaining in its current state.
|
+| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
| As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.
Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
|
+
diff --git a/windows/deploy/upgrade-readiness-release-notes.md b/windows/deploy/upgrade-readiness-release-notes.md
new file mode 100644
index 0000000000..e023406035
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-release-notes.md
@@ -0,0 +1,5 @@
+---
+title: Upgrade Readiness release notes (Windows 10)
+description: Provides tips and limitations about Upgrade Readiness.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-requirements#important-information-about-this-release
+---
\ No newline at end of file
diff --git a/windows/deploy/upgrade-readiness-requirements.md b/windows/deploy/upgrade-readiness-requirements.md
new file mode 100644
index 0000000000..5f706bab59
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-requirements.md
@@ -0,0 +1,95 @@
+---
+title: Upgrade Readiness requirements (Windows 10)
+description: Provides requirements for Upgrade Readiness.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Upgrade Readiness requirements
+
+This article introduces concepts and steps needed to get up and running with Upgrade Readiness. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Readiness.
+
+## Supported upgrade paths
+
+### Windows 7 and Windows 8.1
+
+To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows telemetry, Upgrade Readiness performs a full inventory of computers so that you can see which version of Windows is installed on each computer.
+
+The compatibility update KB that sends telemetry data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
+
+
+
+If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center.
+
+Note: Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance.
+
+See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements.
+
+### Windows 10
+
+Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates.
+The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com).
+
+Windows 10 LTSB is not supported by Upgrade Readiness. The LTSB (long term servicing branch) of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#long-term-servicing-branch) to understand more about LTSB.
+
+## Operations Management Suite
+
+Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+
+If you’re already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Click the Upgrade Readiness tile in the gallery and then click Add on the solution’s details page. Upgrade Readiness is now visible in your workspace.
+
+If you are not using OMS, go to the [Upgrade Readiness page](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics) on Microsoft.com and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Readiness solution to it.
+
+Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions.
+
+## System Center Configuration Manager integration
+
+Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
+
+## Telemetry and data sharing
+
+After you’ve signed in to Operations Management Suite and added the Upgrade Readiness solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Readiness.
+
+See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
+
+**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, you’ll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
+
+`https://v10.vortex-win.data.microsoft.com/collect/v1`
+`https://vortex-win.data.microsoft.com/health/keepalive`
+`https://settings.data.microsoft.com/qos`
+`https://go.microsoft.com/fwlink/?LinkID=544713`
+`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc`
+
+>**Note** The compatibility update KB runs under the computer’s system account and does not support user authentication in this release.
+
+**Generate your commercial ID key.** Microsoft uses a unique commercial ID GUID to map data from your computers to your OMS workspace. You’ll need to generate your commercial ID key in OMS. We recommend that you save your commercial ID key as you’ll need it later.
+
+**Subscribe your OMS workspace to Upgrade Readiness.** For Upgrade Readiness to receive and display upgrade readiness data from Microsoft, you’ll need to subscribe your OMS workspace to Upgrade Readiness.
+
+**Enable telemetry and connect data sources.** To allow Upgrade Readiness to collect system, application, and driver data and assess your organization’s upgrade readiness, communication must be established between Upgrade Readiness and user computers. You’ll need to connect Upgrade Readiness to your data sources and enable telemetry to establish communication.
+
+**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you don’t already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
+
+>**Important**
The compatibility update and related KBs are updated frequently to include new compatibility issues as they become known to Microsoft. We recommend that you use a deployment system that allows for automatic updates of these KBs. The compatibility update KB collects inventory information from computers only when it is updated.
+
+**Configure and deploy Upgrade Readiness deployment script.** Configure and deploy the Upgrade Readiness deployment script to user computers to finish setting up.
+
+## Important information about this release
+
+Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release.
+
+**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints.
+
+**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.
+
+**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported.
+
+### Tips
+
+- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items.
+
+- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in OMS, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby).
+
+## Get started
+
+See [Get started with Upgrade Readiness](upgrade-readiness-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Readiness and getting started on your Windows upgrade project.
diff --git a/windows/deploy/upgrade-readiness-resolve-issues.md b/windows/deploy/upgrade-readiness-resolve-issues.md
new file mode 100644
index 0000000000..7436b86607
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-resolve-issues.md
@@ -0,0 +1,152 @@
+---
+title: Upgrade Readiness - Resolve application and driver issues (Windows 10)
+description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Upgrade Readiness - Step 2: Resolve app and driver issues
+
+This section of the Upgrade Readiness workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them.
+
+You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list.
+
+Upgrade decisions include:
+
+| Upgrade decision | When to use it | Guidance |
+|--------------------|-------------------|-------------|
+| Not reviewed | All drivers are marked as Not reviewed by default.
Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
| Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.
|
+| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.
Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.
| Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
|
+| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.
In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
|
+| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.
Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
| If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.
|
+
+The blades in the **Resolve issues** section are:
+
+- Review applications with known issues
+- Review applications with no known issues
+- Review drivers with known issues
+
+As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/).
+
+## Review applications with known issues
+
+Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**.
+
+
+
+
+
+To change an application's upgrade decision:
+
+1. Select **Decide upgrade readiness** to view applications with issues.
+2. In the table view, select an **UpgradeDecision** value.
+3. Select **Decide upgrade readiness** to change the upgrade decision for each application.
+4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
+5. Click **Save** when finished.
+
+IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information.
+
+For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible.
+
+| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
+|--------------------|-----------------------------------|-----------|-----------------|------------|
+| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
| No action is required for the upgrade to proceed. |
+| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade.
The application may work on the new operating system.
| Remove the application before upgrading, and reinstall and test on new operating system. |
+| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
|
+| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
|
+| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.
A compatible version of the application may be available.
|
+| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.
| Test the application’s behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.
|
+| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. |
+
+For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft.
+
+| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
+|--------------------|-----------------------------------|----------|-----------------|-------------|
+| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and won’t migrate. A compatible version of the application is available. | Update the application before upgrading. |
+| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.
| No action is required for the upgrade to proceed. Reinstall application on the new operating system. |
+| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system.
|
+| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.
|
+
+### ISV support for applications with Ready for Windows
+
+[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/).
+
+Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example:
+
+
+
+If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance.
+
+
+
+If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows.
+
+
+
+>[!TIP]
+>Within the Upgrade Readiness data model, an object of Type **UAApp** refers to a particular application installed on a specific computer.
+
+>To support dynamic aggregation and summation of data the Upgrade Readiness solution "rolls up" (aggregates) data in preprocessing. Rolling up to the **Granular** level enables display of the **App** level. In Upgrade Readiness terminology, an **App** is a unique combination of: app name, app vendor, app version, and app language. Thus, at the Granular level, you can see attributes such as **total install count**, which is the number of machines with a specific **App** installed.
+
+>Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you to ignore different app versions within your organization for a particular app. In other words, **NamePublisher** displays statistics about a given app, aggregated across all versions.
+
+The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses)
+
+| Ready for Windows Status | Query rollup level | What this means | Guidance |
+|-------------------|--------------------------|-----------------|----------|
+|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. |
+| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. |
+| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. |
+| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A |
+| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.|
+|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.|
+|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.|
+| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A |
+
+## Review applications with no known issues
+
+Applications with no issues known to Microsoft are listed, grouped by upgrade decision.
+
+
+
+Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**.
+
+Be sure to review low install count applications for any business critical or important applications that may not yet be upgrade-ready, despite their low installation rates.
+
+To change an application's upgrade decision:
+
+1. Select **Decide upgrade readiness** to view applications with issues. Select **Table** to view the list in a table.
+
+2. Select **User changes** to change the upgrade decision for each application.
+
+3. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
+
+4. Click **Save** when finished.
+
+## Review drivers with known issues
+
+Drivers that won’t migrate to the new operating system are listed, grouped by availability.
+
+
+
+Availability categories are explained in the table below.
+
+| Driver availability | Action required before or after upgrade? | What it means | Guidance |
+|-----------------------|------------------------------------------|----------------|--------------|
+| Available in-box | No, for awareness only | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system.
| No action is required for the upgrade to proceed. |
+| Import from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system; however, a compatible version is available from Windows Update.
| If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
|
+| Available in-box and from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system.
Although a new driver is installed during upgrade, a newer version is available from Windows Update.
| If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
|
+| Check with vendor | Yes | The driver won’t migrate to the new operating system and we are unable to locate a compatible version.
| Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. |
+
+To change a driver’s upgrade decision:
+
+1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table.
+
+2. Select **User changes** to enable user input.
+
+3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list.
+
+4. Click **Save** when finished.
+
diff --git a/windows/deploy/upgrade-readiness-upgrade-overview.md b/windows/deploy/upgrade-readiness-upgrade-overview.md
new file mode 100644
index 0000000000..29777cad6f
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-upgrade-overview.md
@@ -0,0 +1,62 @@
+---
+title: Upgrade Readiness - Upgrade Overview (Windows 10)
+description: Displays the total count of computers sharing data and upgraded.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Upgrade Readiness - Upgrade overview
+
+The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
+
+The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md).
+
+The following color-coded status changes are reflected on the upgrade overview blade:
+
+- The "Last updated" banner:
+ - No delay in processing device inventory data = "Last updated" banner is displayed in green.
+ - Delay processing device inventory data = "Last updated" banner is displayed in amber.
+- Computers with incomplete data:
+ - Less than 4% = Count is displayed in black.
+ - 4% - 10% = Count is displayed in amber.
+ - Greater than 10% = Count is displayed in red.
+- User changes:
+ - Pending user changes = User changes count displays "Data refresh pending" in amber.
+ - No pending user changes = User changes count displays "Up to date" in green.
+- Target version:
+ - If the current value matches the recommended value, the version is displayed in green.
+ - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
+ - If the current value is a deprecated OS version, the version is displayed in red.
+
+In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
+
+
+
+
+
+If data processing is delayed, you can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed. Data is typically refreshed and the display will return to normal again within 24 hours.
+
+If there are computers with incomplete data, verify that you have installed the latest compatibilty update and run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center.
+
+Select **Total computers** for a list of computers and details about them, including:
+
+- Computer ID and computer name
+- Computer manufacturer
+- Computer model
+- Operating system version and build
+- Count of system requirement, application, and driver issues per computer
+- Upgrade assessment based on analysis of computer telemetry data
+- Upgrade decision status
+
+Select **Total applications** for a list of applications discovered on user computers and details about them, including:
+
+- Application vendor
+- Application version
+- Count of computers the application is installed on
+- Count of computers that opened the application at least once in the past 30 days
+- Percentage of computers in your total computer inventory that opened the application in the past 30 days
+- Issues detected, if any
+- Upgrade assessment based on analysis of application data
+- Rollup level
\ No newline at end of file
diff --git a/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md b/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
index 3b686e8dae..3d23267aa8 100644
--- a/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
+++ b/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
@@ -1,52 +1,4 @@
---
title: Use Upgrade Analytics to manage Windows upgrades (Windows 10)
-description: Describes how to use Upgrade Analytics to manage Windows upgrades.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: use-upgrade-readiness-to-manage-windows-upgrades
---
-
-# Use Upgrade Analytics to manage Windows upgrades
-
-You can use Upgrade Analytics to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Analytics enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues.
-
-- Based on telemetry data from user computers, Upgrade Analytics identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
-- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
-
-When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks.
-
-
-
-Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step.
-
->**Important**: You can use the [Target OS](#target-os) setting to evaluate computers that are runnign a specified version of Windows before starting the Upgrade Analytics workflow. By default, the Target OS is configured to the released version of Windows 10 for the Current Branch for Business (CBB).
-
-The following information and workflow is provided:
-
-- [Upgrade overview](upgrade-analytics-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers.
-- [Step 1: Identify important apps](upgrade-analytics-identify-apps.md): Assign importance levels to prioritize your applications.
-- [Step 2: Resolve issues](upgrade-analytics-resolve-issues.md): Identify and resolve problems with applications.
-- [Step 3: Deploy](upgrade-analytics-deploy-windows.md): Start the upgrade process.
-
-Also see the following topic for information about additional items that can be affected by the upgrade process:
-
-- [Additional insights](upgrade-analytics-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity.
-
-## Target OS
-
-The target OS setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version.
-
-As mentioned previously, the default target OS in Upgrade Analytics is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target OS setting is used to evaluate the number of computers that are already running this version of Windows, or a later version.
-
-The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target OS. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Analytics is based on the target OS version.
-
-You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1610.
-
-To change the target OS setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Analytics solution:
-
-
-
->You must be signed in to Upgrade Analytics as an administrator to view settings.
-
-On the **Upgrade Analytics Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target OS setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
-
-
diff --git a/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md
new file mode 100644
index 0000000000..cd081245c1
--- /dev/null
+++ b/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md
@@ -0,0 +1,54 @@
+---
+title: Use Upgrade Readiness to manage Windows upgrades (Windows 10)
+description: Describes how to use Upgrade Readiness to manage Windows upgrades.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Use Upgrade Readiness to manage Windows upgrades
+
+You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues.
+
+- Based on telemetry data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
+- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
+
+When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks.
+
+
+
+Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step.
+
+>**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are runnign a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB).
+
+The following information and workflow is provided:
+
+- [Upgrade overview](upgrade-readiness-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers.
+- [Step 1: Identify important apps](upgrade-readiness-identify-apps.md): Assign importance levels to prioritize your applications.
+- [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md): Identify and resolve problems with applications.
+- [Step 3: Deploy](upgrade-readiness-deploy-windows.md): Start the upgrade process.
+
+Also see the following topic for information about additional items that can be affected by the upgrade process:
+
+- [Additional insights](upgrade-readiness-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity.
+
+## Target version
+
+The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example:
+
+
+
+As mentioned previously, the default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version.
+
+The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version.
+
+You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1610.
+
+To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution:
+
+
+
+>You must be signed in to Upgrade Readiness as an administrator to view settings.
+
+On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
+
+
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 3a3d3bcda1..4e77353f2f 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -722,6 +722,7 @@
#### [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
#### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
+#### [Preview features](preview-windows-defender-advanced-threat-protection.md)
#### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
#### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
#### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
@@ -735,21 +736,53 @@
##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
#### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
#### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
-##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
+###### [Alert process tree](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree)
+###### [Incident graph](investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph)
+###### [Alert timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline)
##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
+##### [View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
+###### [Search for specific alerts](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts)
+###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+###### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md)
+##### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
+###### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+####### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+####### [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
+####### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
+####### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+###### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+####### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+####### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+####### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+####### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+######## [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
-#### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+#### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
+##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+#### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md)
+##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md)
+##### [Turn on advanced features](advanced-features-windows-defender-advacned-threat-protection.md)
+##### [Turn on preview experience](preview-settings-windows-defender-advanced-threat-protection.md)
+##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
#### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/advanced-features-windows-defender-advacned-threat-protection.md b/windows/keep-secure/advanced-features-windows-defender-advacned-threat-protection.md
new file mode 100644
index 0000000000..d7678c4832
--- /dev/null
+++ b/windows/keep-secure/advanced-features-windows-defender-advacned-threat-protection.md
@@ -0,0 +1,30 @@
+---
+title: Turn on advanced features in Windows Defender Advanced Threat Protection
+description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection.
+keywords: advanced features, preferences setup, block file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+# Turn on advanced features in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+1. In the navigation pane, select **Preferences setup** > **Advanced features**.
+2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
+3. Click **Save preferences**.
+
+## Related topics
+- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
+- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
+- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
index 3a4746998e..f9805f6b95 100644
--- a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -21,55 +21,99 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-As a security operations team member, you can manage Windows Defender ATP alerts as part of your routine activities. Alerts will appear in queues according to their current status.
+The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In any of the queues, you'll see details such as the severity of alerts and the number of machines where the alerts were seen.
+
+Alerts are organized in queues by their workflow status or assignment:
+
+- **New**
+- **In progress**
+- **Resolved**
+- **Assigned to me**
To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
> [!NOTE]
> By default, the queues are sorted from newest to oldest.
-The following table and screenshot demonstrate the main areas of the **Alerts queue**.
+## Sort and filter the alerts
+You can sort and filter the alerts by using the available filters or clicking columns that allows you to sort the view in ascending or descending order.
-
+
Highlighted area|Area name|Description
:---|:---|:---
-(1)|**Alerts queue**| Select to show **New**, **In Progress**, or **Resolved alerts**
-(2)|Alerts|Each alert shows:
Clicking an alert expands to display more information about the threat and brings you to the date in the timeline when the alert was detected.
-(3)|Alerts sorting and filters | You can sort alerts by:
You can also filter the displayed alerts by:
See [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) for more details.
+1 | Alert filters | Filter the list of alerts by severity, detection source, time period, or change the view from flat to grouped.
+2 | Alert selected | Select an alert to bring up the **Alert management** to manage and see details about the alert.
+3 | Alert management pane | View and manage alerts without leaving the alerts queue view.
-##Sort and filter the Alerts queue
-You can filter and sort (or "pivot") the Alerts queue to identify specific alerts based on certain criteria.
-There are three mechanisms to pivot the queue against:
+### Sort, filter, and group the alerts list
+You can use the following filters to limit the list of alerts displayed during an investigation:
-1. Sort the queue by opening the drop-down menu in the **Sort by** field and choosing:
+**Severity**
- - **Newest** - Sorts alerts based on when the alert was last seen on an endpoint.
- - **Time in queue** - Sorts alerts by the length of time an alert has been in the queue.
- - **Severity** - Sorts alerts by their level of severity.
+Alert severity | Description
+:---|:---
+High (Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
+Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
+Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
+Informational (Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
-2. Filter alerts by their **Severity** by opening the drop-down menu in the **Filter by** field and selecting one or more of the check boxes:
+Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
- - High (Red) - Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
- - Medium (Orange) - Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
- - Low (Yellow) - Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization.
+**Detection source**
+- Windows Defender AV
+- Windows Defender ATP
-3. Limit the queue to see alerts from various set periods by clicking the drop-down menu in the date range field (by default, this is selected as **6 months**):
+>[!NOTE]
+>The Windows Defender AV filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product.
- - **1 day**
- - **3 days**
- - **7 days**
- - **30 days**
- - **6 months**
+**Time period**
+- 1 day
+- 3 days
+- 7 days
+- 30 days
+- 6 months
- > [!NOTE]
- > You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon 
+**View**
+- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top.
+- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating alerts together.
-### Related topics
+The group view allows for efficient alert triage and management.
+
+### Use the Alert management pane
+Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.
+
+You can take immediate action on an alert and see details about an alert in the **Alert management** pane:
+
+- Change the status of an alert from new, to in progress, or resolved.
+- Specify the alert classification from true alert or false alert.
+ Selecting true alert displays the **Determination** drop-down list to provide additional information about the true alert:
+ - APT
+ - Malware
+ - Security personnel
+ - Security testing
+ - Unwanted software
+ - Other
+- Assign the alert to yourself if the alert is not yet assigned.
+- View related activity on the machine.
+- Add and view comments about the alert.
+
+>[!NOTE]
+>You can also access the **Alert management** pane from the machine details view by selecting an alert in the **Alerts related to this machine** section.
+
+### Bulk edit alerts
+Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together, which allows resolving multiple similar alerts in one action.
+
+
+
+## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
index 129b49f08e..95c54414fa 100644
--- a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Assign user access to the Windows Defender Advanced Threat Protection portal
+title: Assign user access to the Windows Defender ATP portal
description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md
index 89261d666c..5cf31239ce 100644
--- a/windows/keep-secure/bitlocker-countermeasures.md
+++ b/windows/keep-secure/bitlocker-countermeasures.md
@@ -115,7 +115,11 @@ Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI
Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
-The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software.
+Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete.
+
+Windows Defender in Windows 10 supports ELAM, as do Microsoft System Center 2012 Endpoint Protection and non-Microsoft antimalware apps.
+
+To do this, ELAM loads an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software.
With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy.
ELAM classifies drivers as follows:
diff --git a/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..6f9e2ee36d
--- /dev/null
+++ b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,55 @@
+---
+title: Check sensor health state in Windows Defender ATP
+description: Check sensor health on machines to see if they are misconfigured or inactive.
+keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communication, communication
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Check sensor health state in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
+
+
+
+There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service:
+- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month.
+- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected.
+
+Clicking any of the groups directs you to Machines view, filtered according to your choice.
+
+
+
+You can filter the health state list by the following status:
+- **Active** - Machines that are actively reporting to the Windows Defender ATP service.
+- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service.
+- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues:
+ - **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine.
+ - **Impaired communication** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work.
+
+You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon.
+
+
+
+In the **Machines view**, you can download a full list of all the machines in your organization in a CSV format. To download, click the **Manage Alert** menu icon on the top corner of the page.
+
+>[!NOTE]
+>Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
+
+## Related topic
+- [Fix unhealthy sensors in Windows Defender ATP](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 19e99c915d..2ad2430c0e 100644
--- a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---
-# Configure email notifications
+# Configure email notifications in Windows Defender ATP
**Applies to:**
@@ -61,3 +61,8 @@ This section lists various issues that you may encounter when using email notifi
1. Check that the Windows Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
2. Check that your email security product is not blocking the email notifications from Windows Defender ATP.
3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications.
+
+## Related topics
+- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
+- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md)
+- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index c842ea1668..d5fb36ac0b 100644
--- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Configure Windows Defender ATP endpoints using Mobile Device Management tools
+title: Configure endpoints using Mobile Device Management tools
description: Use Mobile Device Management tools to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using mdm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, mdm
search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 33563eea6f..775b756512 100644
--- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Configure Windows Defender ATP endpoints using System Center Configuration Manager
+title: Configure endpoints using System Center Configuration Manager
description: Use System Center Configuration Manager to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using sccm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm
search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
index cca969958e..73d4781fa1 100644
--- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Configure Windows Defender ATP endpoints
-description: Configure endpoints so that they are onboarded to the service.
+description: Configure endpoints so that they can send sensor data to the Windows Defender ATP sensor.
keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index dd145bf769..49287b61de 100644
--- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Configure Windows Defender ATP endpoint proxy and Internet connection settings
+title: Configure endpoint proxy and Internet connection settings
description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service.
keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server
search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
index f8f22a049a..35dead1efe 100644
--- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Configure security information and events management tools
-description: Configure supported security information and events management tools to receive and consume alerts.
-keywords: configure siem, security information and events management tools, splunk, arcsight
+title: Consume alerts and create custom indicators in Windows Defender Advanced Threat Protection
+description: Learn how to configure supported security information and events management tools to receive and consume alerts and create custom indicators using REST API.
+keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---
-# Configure security information and events management (SIEM) tools to consume alerts
+# Consume alerts and create custom indicators
**Applies to:**
@@ -21,7 +21,9 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
+## Consume alerts using supported security information and events management (SIEM) tools
+Windows Defender ATP supports (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
+
Windows Defender ATP currently supports the following SIEM tools:
@@ -35,6 +37,11 @@ To use either of these supported SIEM tools you'll need to:
- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+## Create custom threat indicators in Windows Defender ATP
+You can also create custom threat indicators using the available REST API so that you can create specific alerts that are applicable to your organization.
+
+For more information, see [Create custom threat indicators (TI) using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md).
+
## In this section
Topic | Description
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index 9d3a33d12c..8c70f3782d 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -85,7 +85,7 @@ Applications may cause performance issues when they attempt to hook the isolated
The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
> [!NOTE]
-> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
+> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. This requirement is not restated in the tables that follow.
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
> Starting in Widows 10, 1607, TPM 2.0 is required.
@@ -94,11 +94,11 @@ The following tables provide more information about the hardware, firmware, and
|Baseline Protections | Description |
|---------------------------------------------|----------------------------------------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
-| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
> [!IMPORTANT]
> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide.
@@ -108,8 +108,8 @@ The following tables provide more information about the hardware, firmware, and
| Protections for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
@@ -120,17 +120,20 @@ The following tables provide more information about the hardware, firmware, and
| Protections for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
- Enterprises can choose to allow proprietary EFI drivers/applications to run.
- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-#### 2017 Additional Security Recommendations (starting with the next major release of Windows 10)
+#### 2017 Additional security requirements starting with Windows 10, version 1703
+
+The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements.
| Protection for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. |
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volitile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code
**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
## Manage Credential Guard
@@ -178,11 +181,11 @@ You can do this by using either the Control Panel or the Deployment Image Servic
1. Open an elevated command prompt.
2. Add the Hyper-V Hypervisor by running the following command:
- ``` syntax
+ ```
dism /image:
**Set-RuleOption -FilePath $InitialCIPolicy -Option 0**
+ > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
+
+ > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.”
- > - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.”
-
- > - To specify that the code integrity policy scan only a specific drive, include the *–ScanPath* parameter followed by a path. Without this parameter, the entire system is scanned.
+ > - To specify that the code integrity policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
> - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
index 9f7be87cbb..b03c8c1332 100644
--- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
@@ -30,10 +30,10 @@ For information about enabling Credential Guard, see [Protect derived domain cre
In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS:
-- With Windows 10, version 1607 or Windows Server 2016:
+- Beginning with Windows 10, version 1607 or Windows Server 2016:
Hyper-V Hypervisor, which is enabled automatically. No further action is needed.
-- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
+- With an earlier version of Windows 10:
Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).
> **Note** You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box.
@@ -42,12 +42,8 @@ Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).
**Figure 1. Enable operating system features for VBS, Windows 10, version 1511**
-After you enable the feature or features, you can enable VBS for Device Guard, as described in the following sections.
-
## Enable Virtualization Based Security (VBS) and Device Guard
-Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
-
There are multiple ways to configure VBS features for Device Guard:
- You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic.
@@ -68,7 +64,7 @@ There are multiple ways to configure VBS features for Device Guard:
3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
-4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.
+4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.

@@ -91,7 +87,7 @@ There are multiple ways to configure VBS features for Device Guard:
- With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:
For an initial deployment or test deployment, we recommend **Enabled without lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
- - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
Select the **Enable Virtualization Based Protection of Code Integrity** check box.
+ - With earlier versions of Windows 10:
Select the **Enable Virtualization Based Protection of Code Integrity** check box.

@@ -183,7 +179,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
```
If you want to customize the preceding recommended settings, use the following settings.
@@ -211,7 +207,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforc
**To enable virtualization-based protection of Code Integrity policies without UEFI lock**
``` command
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
```
### Validate enabled Device Guard hardware-based security features
diff --git a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..38074271e9
--- /dev/null
+++ b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,45 @@
+---
+title: Enable the custom threat intelligence application in Windows Defender ATP
+description: Enable the custom threat intelligence application in Windows Defender ATP so that you can create custom threat intelligence using REST API.
+keywords: enable custom threat intelligence application, custom ti application, application name, client id, authorization url, resource, client secret, access tokens
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Enable the custom threat intelligence application
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
+
+1. In the navigation pane, select **Preference Setup** > **Threat intel API**.
+
+2. Select **Enable threat intel API**. This activates the **Azure Active Directory application** setup sections with pre-populated values.
+
+3. Copy the individual values or select **Save details to file** to download a file that contains all the values.
+
+ >[!WARNING]
+ >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
+ >For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
+
+4. Select **Generate tokens** to get an access and refresh token.
+
+You’ll need to use the access token in the Authorization header when doing REST API calls.
+
+## Related topics
+- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom threat intelligence](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..897187ce25
--- /dev/null
+++ b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,80 @@
+---
+title: Fix unhealthy sensors in Windows Defender ATP
+description: Fix machine sensors that are reporting as misconfigured or inactive.
+keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communication, communication
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Fix unhealthy sensors in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured.
+
+## Inactive machines
+
+An inactive machine is not necessarily flagged due to an issue. The following actions taken on a machine can cause a machine to be categorized as inactive:
+
+**Machine is not in use**
+If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal.
+
+**Machine was reinstalled or renamed**
+A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
+
+**Machine was offboarded**
+If the machine was offboarded it will still appear in machines view. After 7 days, the machine health state should change to inactive.
+
+Do you expect a machine to be in ‘Active’ status? [Open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
+
+## Misconfigured machines
+Misconfigured machines can further be classified to:
+ - Impaired communication
+ - No sensor data
+
+### Impaired communication
+This status indicates that there's limited communication between the machine and the service.
+
+The following suggested actions can help fix issues related to a misconfigured machine with impaired communication:
+
+- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
+ The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
+
+- Verify client connectivity to Windows Defender ATP service URLs
+ Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
+
+If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
+
+### No sensor data
+A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data.
+Follow theses actions to correct known issues related to a misconfigured machine with status ‘Impaired communication’:
+
+- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
+ The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
+
+- Verify client connectivity to Windows Defender ATP service URLs
+ Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
+
+- [Ensure the telemetry and diagnostics service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled)
+If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint.
+
+- [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy)
+If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled.
+
+If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
+
+## Related topic
+- [Check sensor health state in Windows Defender ATP](check-sensor-status-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..b8021ab337
--- /dev/null
+++ b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,36 @@
+---
+title: Update general Windows Defender Advanced Threat Protection settings
+description: Update your general Windows Defender Advanced Threat Protection settings after onboarding.
+keywords: general settings, settings, update settings
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+# Update general Windows Defender ATP settings
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu.
+
+1. In the navigation pane, select **Preferences setup** > **General**.
+2. Modify settings such as data retention policy or the industry that best describes your organization.
+
+ >[!NOTE]
+ >Other settings are not editable.
+3. Click **Save preferences**.
+
+
+## Related topics
+- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md)
+- [Turn on the preview experience in Windows Defender ATP ](preview-settings-windows-defender-advanced-threat-protection.md)
+- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/keep-secure/hello-and-password-changes.md
index b9937eeaa8..dc6bb1e021 100644
--- a/windows/keep-secure/hello-and-password-changes.md
+++ b/windows/keep-secure/hello-and-password-changes.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-author: jdeckerMS
+author: DaniHalfin
localizationpriority: high
---
# Windows Hello and password changes
diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/keep-secure/hello-biometrics-in-enterprise.md
index 162ff7d762..caf9da8a9b 100644
--- a/windows/keep-secure/hello-biometrics-in-enterprise.md
+++ b/windows/keep-secure/hello-biometrics-in-enterprise.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-author: jdeckerMS
+author: DaniHalfin
localizationpriority: high
---
diff --git a/windows/keep-secure/hello-enable-phone-signin.md b/windows/keep-secure/hello-enable-phone-signin.md
index c77dfeeaf1..b325dd3b58 100644
--- a/windows/keep-secure/hello-enable-phone-signin.md
+++ b/windows/keep-secure/hello-enable-phone-signin.md
@@ -5,7 +5,7 @@ keywords: ["identity", "PIN", "biometric", "Hello"]
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: jdeckerMS
+author: DaniHalfin
localizationpriority: high
---
diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md
index a362e1f253..98dce6bbda 100644
--- a/windows/keep-secure/hello-errors-during-pin-creation.md
+++ b/windows/keep-secure/hello-errors-during-pin-creation.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-author: jdeckerMS
+author: DaniHalfin
localizationpriority: high
---
@@ -89,7 +89,7 @@ If the error occurs again, check the error code against the following table to s
0x80090035
Policy requires TPM and the device does not have TPM.
-Change the Passport policy to not require a TPM.
+Change the Windows Hello for Business policy to not require a TPM.
0x801C0003
@@ -149,7 +149,7 @@ If the error occurs again, check the error code against the following table to s
0x801C03EA
Server failed to authorize user or device.
-Check if the token is valid and user has permission to register Passport keys.
+Check if the token is valid and user has permission to register Windows Hello for Business keys.
0x801C03EB
diff --git a/windows/keep-secure/hello-event-300.md b/windows/keep-secure/hello-event-300.md
index ea19c3f794..a59c57e6be 100644
--- a/windows/keep-secure/hello-event-300.md
+++ b/windows/keep-secure/hello-event-300.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-author: jdeckerMS
+author: DaniHalfin
localizationpriority: high
---
diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md
index 089387f204..8a3c433fa4 100644
--- a/windows/keep-secure/hello-how-it-works.md
+++ b/windows/keep-secure/hello-how-it-works.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-author: jdeckerMS
+author: DaniHalfin
localizationpriority: high
---
# How Windows Hello for Business works
diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md
index a1e391508f..7e5139aeaf 100644
--- a/windows/keep-secure/hello-identity-verification.md
+++ b/windows/keep-secure/hello-identity-verification.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
-author: jdeckerMS
+author: DaniHalfin
localizationpriority: high
---
# Windows Hello for Business
@@ -113,9 +113,7 @@ Windows Hello for Business can use either keys (hardware or software) or certifi
[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891)
-[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778)
-
-[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928)
+[Authenticating identities without passwords through Windows Hello for Business](https://go.microsoft.com/fwlink/p/?LinkId=616778)
## Related topics
diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md
index f2a43b7df1..beca5f89e3 100644
--- a/windows/keep-secure/hello-manage-in-organization.md
+++ b/windows/keep-secure/hello-manage-in-organization.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-author: jdeckerMS
+author: DaniHalfin
localizationpriority: high
---
@@ -352,7 +352,7 @@ You’ll need this software to set Windows Hello for Business policies in your e
+> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
## Device Guard requirements for baseline protections
|Baseline Protections - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
-| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).
**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
> **Important** The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
@@ -62,32 +62,34 @@ The following tables provide more information about the hardware, firmware, and
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
-### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
+### Additional Qualification Requirements starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016)
+### Additional Qualification Requirements starting with Windows 10, version 1607, and Windows Server 2016
> **Important** The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
- HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx).
**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
- Enterprises can choose to allow proprietary EFI drivers/applications to run.
- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017)
+### Additional Qualification Requirements starting with Windows 10, version 1703
-| Protections for Improved Security - requirement | Description |
+The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements.
+
+| Protection for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
-| Firmware: **UEFI NX Protections** | **Requirements**:
- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.
UEFI Runtime Services:
- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware. |
-| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
- Reduces attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. |
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
• PE sections need to be page-aligned in memory (not required for in non-volitile storage).
• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
• No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code
**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
## Device Guard deployment in different scenarios: types of devices
@@ -95,9 +97,9 @@ Typically, deployment of Device Guard happens best in phases, rather than being
| **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** |
|------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------|
-| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.
- Code integrity policies in enforced mode, with UMCI enabled. |
-| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.
- Code integrity policies in enforced mode, with UMCI enabled. |
-| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
- Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
+| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.
• Code integrity policies in enforced mode, with UMCI enabled. |
+| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.
• Code integrity policies in enforced mode, with UMCI enabled. |
+| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
• Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A |
## Device Guard deployment in virtual machines
diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..4cd712c7a8
--- /dev/null
+++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,231 @@
+---
+title: Take response actions on a file in Windows Defender Advanced Threat Protection
+description: Take response actions on file related alerts by stopping and quarantining a file or blocking a file and checking activity details.
+keywords: respond, stop and quarantine, block file, deep analysis
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Take response actions on a file
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre–released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+You can take action on file related alerts to quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
+
+>[!NOTE]
+> These response actions are only available for machines on Windows 10, version 1703.
+
+You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file.
+
+## Stop and quarantine files in your network
+You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed.
+
+The **Stop & Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
+
+The action takes effect on machines with the latest Windows 10 Insider Preview build where the file was observed in the last 30 days.
+
+### Stop and quarantine files
+1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
+
+ – **Alerts** - click the corresponding links from the Description or Details in the Alert timeline
+ – **Search box** - select File from the drop–down menu and enter the file name
+
+2. Open the **Actions menu** and select **Stop & Quarantine File**.
+ 
+
+3. Type a comment (optional), and select **Yes** to take action on the file. The comment will be saved in the Action center for reference.
+
+ The Action center shows the submission information:
+ 
+
+ – **Submission time** - Shows when the action was submitted.
+ – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
+ – **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
+ – **Success** - Shows the number of machines where the file has been stopped and quarantined.
+ – **Failed** - Shows the number of machines where the action failed and details about the failure.
+
+4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
+
+**Notification on machine user**:
+When the file is being removed from an endpoint, the following notification is shown:
+
+
+
+In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
+
+>[!NOTE]
+>The **Action** button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal of critical system files and files used by important applications.
+
+
+
+For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
+
+### Remove file from quarantine
+You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each machine where the file was quarantined.
+
+1. Open an elevated command–line prompt on the endpoint:
+
+ a. Go to **Start** and type cmd.
+
+ b. Right–click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+ ```
+ “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
+ ```
+ >[!NOTE]
+ >Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days.
+
+## Block files in your network
+You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
+
+>[!NOTE]
+>This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](configure-windows-defender-in-windows-10.md).
+This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. The coverage will be extended over time. The action takes effect on machines with the latest Windows 10 Insider Preview build.
+
+### Enable the block file feature
+1. In the navigation pane, select **Preference Setup** > **Advanced features** > **Block file**.
+
+2. Toggle the setting between **On** and **Off** and select **Save preferences**.
+
+ 
+
+3. Type a comment (optional) and select **Yes** to take action on the file.
+The Action center shows the submission information:
+
+ 
+
+ – **Submission time** - Shows when the action was submitted.
+ – **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
+ – **Status** - Indicates whether the file was added to or removed from the blacklist.
+
+When the file is blocked, there will be a new event in the machine timeline.
+
+**Notification on machine user**:
+When a file is being blocked on the endpoint, the following notification is displayed to inform the user that the file was blocked:
+
+
+
+>[!NOTE]
+>The **Action** button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization caused by the removal of files that might be related to the operating system.
+
+
+
+For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
+
+### Remove file from blocked list
+1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
+
+ – **Alerts** - Click the file links from the Description or Details in the Alert timeline
+ – **Machines view** - Click the file links in the Description or Details columns in the Observed on machine section
+ – **Search box** - Select File from the drop–down menu and enter the file name
+
+2. Open the **Actions** menu and select **Remove file from blocked list**.
+
+ 
+
+3. Type a comment and select **Yes** to take action on the file. The file will be allowed to run in the organization.
+
+
+## Check activity details in Action center
+The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
+
+
+
+## Deep analysis
+Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
+
+The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
+Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files).
+
+Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk.
+
+Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
+
+### Submit files for analysis
+
+Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
+
+In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
+
+> [!NOTE]
+> Only files from Windows 10 can be automatically collected.
+
+You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
+
+> [!NOTE]
+> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
+
+When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
+
+**Submit files for deep analysis:**
+
+1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
+ – Alerts - click the file links from the **Description** or **Details** in the Alert timeline
+ – **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section
+ – Search box - select **File** from the drop–down menu and enter the file name
+2. In the **Deep analysis** section of the file view, click **Submit**.
+
+
+
+>**Note** Only PE files are supported, including _.exe_ and _.dll_ files
+
+A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
+
+> [!NOTE]
+> Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–submit files for deep analysis to get fresh data on the file.
+
+### View deep analysis reports
+
+View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
+
+You can view the comprehensive report that provides details on:
+
+– Observed behaviors
+– Associated artifacts
+
+The details provided can help you investigate if there are indications of a potential attack.
+
+
+1. Select the file you submitted for deep analysis.
+2. Click **See the report below**. Information on the analysis is displayed.
+
+
+
+### Troubleshooting deep analysis
+
+If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
+
+
+1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
+2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
+3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
+4. Verify the policy setting enables sample collection and try to submit the file again.
+
+ a. Change the following registry entry and values to change the policy on specific endpoints:
+ ```
+HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
+ Value = 0 – block sample collection
+ Value = 1 – allow sample collection
+```
+5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
+6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
+
+> [!NOTE]
+> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
+
+## Related topics
+– [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..e4ffc6abe9
--- /dev/null
+++ b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,131 @@
+---
+title: Take response actions on a machine in Windows Defender Advanced Threat Protection
+description: Take response actions on a machine by isolating machines, collecting an investigation package, and checking activity details.
+keywords: respond, isolate, isolate machine, collect investigation package, action center
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Take response actions on a machine
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+You can take action on machine related alerts to quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
+
+>[!NOTE]
+> These response actions are only available for machines on Windows 10, version 1703.
+
+## Isolate machines from the network
+Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
+
+This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
+
+>[!NOTE]
+>You’ll be able to reconnect the machine back to the network at any time.
+
+1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
+
+ - **Dashboard** - Select the machine name from the Top machines with active alerts section.
+ - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+ - **Machines view** - Select the machine name from the list of machines.
+ - **Search box** - Select Machine from the drop-down menu and enter the machine name.
+
+2. Open the **Actions** menu and select **Isolate machine**.
+
+ 
+
+3. Type a comment (optional) and select **Yes** to take action on the machine.
+ >[!NOTE]
+ >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network.
+
+ The Action center shows the submission information:
+ 
+
+ - **Submission time** - Shows when the isolation action was submitted.
+ - **Submitting user** - Shows who submitted the action on the machine. You can view the comments provided by the user by selecting the information icon.
+ - **Status** - Indicates any pending actions or the results of completed actions.
+
+When the isolation configuration is applied, there will be a new event in the machine timeline.
+
+**Notification on machine user**:
+When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
+
+
+
+## Undo machine isolation
+Depending on the severity of the attack and the state of the machine you can choose to release the machine isolation after you have verified that the compromised machine has been remediated.
+
+1. Select a machine that was previously isolated.
+
+2. Open the **Actions** menu and select **Undo machine isolation**.
+
+ 
+
+3. Type a comment (optional) and select **Yes** to take action on the file. The machine will be reconnected to the network.
+
+## Collect investigation package from machines
+As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
+
+You can download the package (Zip file) and investigate the events that occurred on a machine.
+
+The package contains the following folders:
+
+Folder | Description
+:---|:---
+Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine. NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”
+Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).
+Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections. - ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack. - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. - Ipconfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
+Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder.
+Processes | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state.
+Scheduled tasks | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically.
+Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. NOTE: Open the event log file using Event viewer.
+Services | Contains the services.txt file which lists services and their states.
+Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession. NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound).
+Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system. NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.
+Users and Groups | Provides a list of files that each represent a group and its members.
+CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors.
+
+1. Select the machine that you want to investigate. You can select or search for a machine from any of the following views:
+
+ - **Dashboard** - Select the machine name from the Top machines with active alerts section.
+ - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+ - **Machines view** - Select the heading of the machine name from the machines view.
+ - **Search box** - Select Machine from the drop-down menu and enter the machine name.
+
+2. Open the **Actions** menu and select **Collect investigation package**.
+
+ The Action center shows the submission information:
+ 
+
+ - **Submission time** - Shows when the action was submitted.
+ - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
+ - **Status** - Indicates if the package was successfully collected from the network. When the collection is complete, you can download the package.
+
+3. Select **Package available** to download the package.
+ When the package is available a new event will be added to the machine timeline.
+ You can download the package from the machine page, or the Action center.
+
+ 
+
+ You can also search for historical packages in the machine timeline.
+
+## Check activity details in Action center
+The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view if a machine was isolated and if an investigation package is available from a machine. All related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed.
+
+
+
+## Related topics
+- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..3fdf40354f
--- /dev/null
+++ b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,47 @@
+---
+title: Take response actions on files and machines in Windows Defender Advanced Threat Protection
+description: Take response actions on files and machines by stopping and quarantining files, blocking a file, isolating machines, or collecting an investigation package.
+keywords: respond, stop and quarantine, block file, deep analysis, isolate machine, collect investigation package, action center
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Take response actions in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization.
+
+>[!NOTE]
+> These response actions are only available for machines on Windows 10, version 1703.
+
+## In this section
+Topic | Description
+:---|:---
+[Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)| Isolate machines or collect an investigation package.
+[Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)| Stop and quarantine files or block a file from your network.
+
+## Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
index a5df900c1d..caaafb618e 100644
--- a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
@@ -50,8 +50,8 @@ Setting the time zone also changes the times for all Windows Defender ATP views.
To set the time zone:
1. Click the **Settings** menu .
-2. Select the **Timezone:UTC** indicator.
-3. The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**.
+2. Select the **Timezone UTC** indicator.
+3. Select **Timezone Local** or **-8:00**.
## Suppression rules
The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..32dc72d7fd
--- /dev/null
+++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,53 @@
+---
+title: Understand threat intelligence concepts in Windows Defender ATP
+description: Understand the concepts around threat intelligence in Windows Defender Advanced Threat Protection so that you can effectively create custom intelligence for your organization.
+keywords: threat intelligence, alert definitions, indicators of compromise, ioc
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Understand threat indicators
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious.
+
+With Windows Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track.
+
+Before creating custom threat alerts, it's important to know the concepts behind alert definitions and indicators of compromise (IOCs) and the relationship between them.
+
+## Alert definitions
+Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's objective is reached.
+
+## Indicators of compromise (IOC)
+IOCs are individually-known malicious events that indicate that a network or machine has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks.
+
+## Relationship between alert definitions and IOCs
+In the context of Windows Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. For more information on available metadata options, see [Threat Intelligence API metadata](custom-ti-api-windows-defender-advanced-threat-protection.md#threat-intelligence-api-metadata).
+
+Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Windows Defender ATP console.
+
+Here is an example of an IOC:
+ - Type: Sha1
+ - Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56
+ - Action: Equals
+
+IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
+
+## Related topic
+- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create custom threat indicators using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..5448e0e2f5
--- /dev/null
+++ b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,46 @@
+---
+title: Troubleshoot custom threat intelligence issues in Windows Defender ATP
+description: Troubleshoot issues that might arise when using the custom threat intelligence feature in Windows Defender ATP.
+keywords: troubleshoot, custom threat intelligence, custom ti, rest api, api, alert definitions, indicators of compromise
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Troubleshoot custom threat intelligence issues
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+You might need to troubleshoot issues while using the custom threat intelligence feature.
+
+This page provides detailed steps to troubleshoot issues you might encounter while using the feature.
+
+
+## Learn how to get a new client secret
+If your client secret expires or if you've misplaced the copy provided when you were enabling the custom threat intelligence application, you'll need to get a new secret.
+
+1. Login to the [Azure management portal](https://ms.portal.azure.com).
+
+2. Select **Active Directory**.
+
+3. Select your tenant.
+
+4. Click **Application**, then select your custom threat intelligence application.
+
+5. Select **Keys** section, then provide a key description and specify the key validity duration.
+
+6. Click **Save**. The key value is displayed.
+
+7. Copy the value and save it in a safe place.
diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
index 2f238a4d6d..23bb45e5bf 100644
--- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
@@ -41,8 +41,11 @@ Topic | Description
[View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
[View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues.
[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
-[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
+[View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list.
+[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
+[Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts.
[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
+[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks.
diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md
index a31f43f6ee..342b7ac541 100644
--- a/windows/keep-secure/windows-defender-block-at-first-sight.md
+++ b/windows/keep-secure/windows-defender-block-at-first-sight.md
@@ -31,7 +31,7 @@ It is enabled by default when certain pre-requisite settings are also enabled. I
When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
> [!NOTE]
-> The Block at first sight feature only use the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file.
+> The Block at first sight feature only uses the cloud-protection backend for "portable executable" (PE) files that are downloaded from the Internet, or originating from the Internet zone. This includes file types such as .exe, .dll, .scr, and so on. A hash value of the file is checked via the cloud backend to determine if this is a previously undetected file.
If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file.
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index f5417ba0f7..70f2e9290f 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -162,6 +162,7 @@
### [Troubleshooting App-V](appv-troubleshooting.md)
### [Technical Reference for App-V](appv-technical-reference.md)
#### [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
+
#### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
#### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md)
@@ -221,4 +222,5 @@
#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
+## [Windows Libraries](windows-libraries.md)
## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index dcbdb109c3..13a0de7e4f 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| New or changed topic | Description |
| --- | --- |
+| [Windows Libraries](windows-libraries.md) | New |
| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New |
| [Get started with Update Compliance](update-compliance-get-started.md) | New |
| [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New |
@@ -185,4 +186,4 @@ The topics in this library have been updated for Windows 10, version 1607 (also
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
-
\ No newline at end of file
+
diff --git a/windows/manage/configure-windows-10-taskbar.md b/windows/manage/configure-windows-10-taskbar.md
index bd5e26f4ba..dd1108511b 100644
--- a/windows/manage/configure-windows-10-taskbar.md
+++ b/windows/manage/configure-windows-10-taskbar.md
@@ -42,6 +42,8 @@ To configure the taskbar:
>[!IMPORTANT]
>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy.
+>
+>If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](https://technet.microsoft.com/itpro/windows/manage/customize-and-export-start-layout#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout.
### Tips for finding AUMID and Desktop Application Link Path
diff --git a/windows/manage/cortana-at-work-o365.md b/windows/manage/cortana-at-work-o365.md
index d58663dc00..764b5638e0 100644
--- a/windows/manage/cortana-at-work-o365.md
+++ b/windows/manage/cortana-at-work-o365.md
@@ -57,7 +57,7 @@ Cortana can only access data in your Office 365 org when it’s turned on. If yo
**To turn off Cortana with Office 365**
1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account.
-2. Go to the [Office 365 admin center](https://support.office.com/en-us/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547).
+2. Go to the [Office 365 admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547).
3. Expand **Service Settings**, and select **Cortana**.
diff --git a/windows/manage/cortana-at-work-overview.md b/windows/manage/cortana-at-work-overview.md
index 96064364c3..29a9ab3bba 100644
--- a/windows/manage/cortana-at-work-overview.md
+++ b/windows/manage/cortana-at-work-overview.md
@@ -59,6 +59,6 @@ Cortana is covered under the [Microsoft Privacy Statement](https://privacy.micro
- [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384)
-- [Known issues for Windows Desktop Search and Cortana in Windows 10](http://support.microsoft.com/kb/3206883/EN-US)
+- [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10)
- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)
diff --git a/windows/manage/cortana-at-work-powerbi.md b/windows/manage/cortana-at-work-powerbi.md
index 98b90f572f..979cde3b57 100644
--- a/windows/manage/cortana-at-work-powerbi.md
+++ b/windows/manage/cortana-at-work-powerbi.md
@@ -19,7 +19,7 @@ localizationpriority: high
Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
>[!Note]
->Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/).
+>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
## Before you begin
To use this walkthrough, you’ll need:
@@ -135,4 +135,4 @@ Now that you’ve set up your device, you can use Cortana to show your info from

>[!NOTE]
->For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/).
+>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
diff --git a/windows/manage/cortana-at-work-voice-commands.md b/windows/manage/cortana-at-work-voice-commands.md
index 766a5914ad..2e2743fa61 100644
--- a/windows/manage/cortana-at-work-voice-commands.md
+++ b/windows/manage/cortana-at-work-voice-commands.md
@@ -19,7 +19,7 @@ localizationpriority: high
Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
>[!NOTE]
->For more info about how your developer can extend your current apps to work directly with Cortana, see [Cortana interactions in UWP apps](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/cortana-interactions).
+>For more info about how your developer can extend your current apps to work directly with Cortana, see [The Cortana Skills Kit](https://docs.microsoft.com/cortana/getstarted).
## High-level process
Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
@@ -30,9 +30,9 @@ To enable voice commands in Cortana
Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background.
- - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-foreground-app-with-voice-commands-in-cortana).
+ - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana).
- - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-background-app-with-voice-commands-in-cortana).
+ - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana).
2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
diff --git a/windows/manage/index.md b/windows/manage/index.md
index 61fd0bf61e..bdb730b559 100644
--- a/windows/manage/index.md
+++ b/windows/manage/index.md
@@ -72,6 +72,10 @@ Learn about managing and updating Windows 10.
+
+
+
+
diff --git a/windows/manage/start-layout-xml-desktop.md b/windows/manage/start-layout-xml-desktop.md
index 1a48aaad33..c86fc0cfe6 100644
--- a/windows/manage/start-layout-xml-desktop.md
+++ b/windows/manage/start-layout-xml-desktop.md
@@ -26,6 +26,9 @@ On Windows 10 for desktop editions, the customized Start works by:
- 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles.
- 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row.
- No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows).
+
+>[!NOTE]
+>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx).
## LayoutModification XML
diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md
index b1701d80d9..8f9e0d54cd 100644
--- a/windows/manage/waas-delivery-optimization.md
+++ b/windows/manage/waas-delivery-optimization.md
@@ -32,14 +32,53 @@ By default in Windows 10 Enterprise and Education, Delivery Optimization allows
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
-- Group Policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization
-- MDM: .Vendor/MSFT/Policy/Config/DeliveryOptimization
+You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
+In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
-Several Delivery Optimization features are configurable.
+Several Delivery Optimization features are configurable:
-
+| Group Policy setting | MDM setting |
+| --- | --- |
+| [Download mode](#download-mode) | DODownloadMode |
+| [Group ID](#group-id) | DOGroupID |
+| [Max Cache Age](#max-cache-age) | DOMaxCacheAge |
+| [Max Cache Size](#max-cache-size) | DOMaxCacheSize |
+| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize |
+| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive |
+| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth |
+| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth |
+| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth |
+| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap |
+| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS |
-### Download mode (DODownloadMode)
+When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates.
+
+While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior.
+
+[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group.
+
+Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the settings below to adjust the Delivery Optimization cache to suit your scenario:
+- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use.
+- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache.
+- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location.
+
+>[!NOTE]
+>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
+
+There are additional options available to robustly control the impact Delivery Optimization has on your network:
+- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization.
+- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
+- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month.
+- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
+
+### How Microsoft uses Delivery Optimization
+In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
+
+For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study.
+
+Provided below is a detailed description of every configurable feature setting. Use these details when configuring any of the above settings.
+
+### Download mode
Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do.
@@ -55,176 +94,51 @@ Download mode dictates which download sources clients are allowed to use when do
>[!NOTE]
>Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
-### Group ID (DOGroupID)
+### Group ID
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
>[!NOTE]
>This configuration is optional and not required for most implementations of Delivery Optimization.
-### Max Cache Age (DOMaxCacheAge)
+### Max Cache Age
In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
-### Max Cache Size (DOMaxCacheSize)
+### Max Cache Size
This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
-### Absolute Max Cache Size (DOAbsoluteMaxCacheSize)
+### Absolute Max Cache Size
This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB.
-### Maximum Download Bandwidth (DOMaxDownloadBandwidth)
+### Maximum Download Bandwidth
This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
-### Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
+### Percentage of Maximum Download Bandwidth
This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
-### Max Upload Bandwidth (DOMaxUploadBandwidth)
+### Max Upload Bandwidth
This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
-### Minimum Background QoS (DOMinBackgroundQoS)
+### Minimum Background QoS
This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
-### Modify Cache Drive (DOModifyCacheDrive)
+### Modify Cache Drive
This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache).
-### Monthly Upload Data Cap (DOMonthlyUploadDataCap)
+### Monthly Upload Data Cap
This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
-
-## Delivery Optimization configuration examples
-
-Delivery Optimization can be configured in various ways, leveraging the policies described in the previous section. The following samples describe some common scenarios that organizations may want to set up, given specific scenarios in use for their organization.
-
-### Use Delivery Optimzation with group download mode
-
-Delivery Optimization by default will consider all PCs in an organizations as peers for sharing content, even those that might be located across a slower WAN link. Group download mode is designed to help with this by limiting the PCs that can be used. In Windows 10, version 1511, group download mode considers PCs in the same domain and with the same configured Group ID to be eligible peers. In Windows 10, version 1607, the default behavior also adds the PC's AD DS site into the grouping determination.
-
-**To use Group Policy to configure Delivery Optimization for group download mode**
-
-1. Open Group Policy Management Console (GPMC).
-
-2. Expand Forest\Domains\\*Your_Domain*.
-
-3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
-
-4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Group**.
-
-5. Right-click the **Delivery Optimization – Group** GPO, and then click **Edit**.
-
-6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
-
-7. Right-click the **Download Mode** setting, and then click **Edit**.
-
-8. Enable the policy, and then select the **Group** download mode.
-
-9. Right-click the **GroupID** setting, and then click **Edit**. Enable the policy, and then specify a unique GUID for each group of PCs. (This is not required for Windows 10, version 1607, since the AD site code will be used to group devices automatically.)
-
-10. Click **OK**, and then close the Group Policy Management Editor.
-
-11. In GPMC, select the **Delivery Optimization – Group** policy.
-
-12. On the **Scope** tab, under **Security Filtering**, configure the policy to be targeted to an approprite computer group.
-
-**To use Intune to configure Delivery Optimization for group download mode**
-
-1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
-
-2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
-3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
-
-4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
-
-5. In **Setting name**, type **Set Delivery Optimization to Group**, and then select **Integer** from the **Data type** list.
-
-6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode**.
-
-7. In the **Value** box, type **2**, and then click **OK**.
-
- >[!NOTE]
- >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
-
-8. Click **Save Policy**.
-
-9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
-
- >[!NOTE]
- >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
-
-10. In the **Manage Deployment** dialog box, select the **All Computers** group, click **Add**, and then click **OK**.
-
-### Use WSUS and BranchCache with Windows 10, version 1511
-
-In Windows 10, version 1511, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **HTTP only** download mode, which results in Background Intelligent Transfer Service (BITS) being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
-
-**To use Group Policy to configure HTTP only download mode**
-
-1. Open Group Policy Management Console (GPMC).
-
-2. Expand Forest\Domains\\*Your_Domain*.
-
-3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
-
-4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – HTTP Only**.
-
-5. Right-click the **Delivery Optimization – HTTP Only** GPO, and then click **Edit**.
-
-6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
-
-7. Right-click the **Download Mode** setting, and then click **Edit**.
-
-8. Enable the policy, and then select the **HTTP only** download mode.
-
-9. Click **OK**, and then close the Group Policy Management Editor.
-
-10. In GPMC, select the **Delivery Optimization – HTTP Only** policy.
-
-11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, browse to the **Domain Computers** group, and then click **OK**.
-
- 
-
- >[!NOTE]
- >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
-
-### Use WSUS and BranchCache with Windows 10, version 1607
-
-In Windows 10, version 1607, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **Bypass** download mode (new in Windows 10, version 1607), which results in BITS being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
-
-**To use Group Policy to enable the Bypass download mode**
-
-1. Open Group Policy Management Console (GPMC).
-
-2. Expand Forest\Domains\\*Your_Domain*.
-
-3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
-
-4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Bypass**.
-
-5. Right-click the **Delivery Optimization – Bypass** GPO, and then click **Edit**.
-
-6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
-
-7. Right-click the **Download Mode** setting, and then click **Edit**.
-
-8. Enable the policy, and then select the **Bypass** download mode. (Note that this download mode is only present in the Windows 10, version 1607, Group Policy ADMX files.)
-
-9. Click **OK**, and then close the Group Policy Management Editor.
-
-10. In GPMC, select the **Delivery Optimization – Bypass** policy.
-
-11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, select the **Domain Computers** group, and then click **OK**.
-
- >[!NOTE]
- >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
-
-### Set “preferred” cache devices for Delivery Optimization
+
+## Set “preferred” cache devices for Delivery Optimization
In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content).
diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md
index 08251d8c02..773814c884 100644
--- a/windows/manage/waas-optimize-windows-10-updates.md
+++ b/windows/manage/waas-optimize-windows-10-updates.md
@@ -40,9 +40,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
| BranchCache |  |  | |  |
>[!NOTE]
->Starting with preview version 1604, System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage in the same Configuration Manager boundary group. This is expected to be available in later Configuration Manager current branch releases.
+>System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache).
>
->In addition to client content sharing, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt613173.aspx).
+>In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx).
## Express update delivery
@@ -74,6 +74,9 @@ The Windows Update client will try to download Express first, and under certain
At this point, the download is complete and the update is ready to be installed.
+>[!TIP]
+>Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates.
+
## Steps to manage updates for Windows 10
diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md
index 85a835748e..b588216cb5 100644
--- a/windows/manage/windows-10-start-layout-options-and-policies.md
+++ b/windows/manage/windows-10-start-layout-options-and-policies.md
@@ -23,6 +23,8 @@ Organizations might want to deploy a customized Start and taskbar configuration
>[!NOTE]
>Taskbar configuration is available starting in Windows 10, version 1607.
+>
+>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx).
## Start options