mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'master' of https://github.com/Microsoft/win-cpub-itpro-docs into vso-9319398
commit
1ce12a27c7
@ -29,7 +29,7 @@ If you're having trouble deciding whether Microsoft Edge is good for your organi
|
|||||||
|
|
||||||
<br>
|
<br>
|
||||||
[Click to enlarge](img-microsoft-edge-infographic-lg.md)<br>
|
[Click to enlarge](img-microsoft-edge-infographic-lg.md)<br>
|
||||||
[Click to download image](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
|
[Click to download image](https://www.microsoft.com/download/details.aspx?id=53892)
|
||||||
|
|
||||||
### Microsoft Edge
|
### Microsoft Edge
|
||||||
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
|
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
|
||||||
@ -50,10 +50,10 @@ IE11 offers enterprises additional security, manageability, performance, backwar
|
|||||||
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
|
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
|
- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=53892)
|
||||||
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
|
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx)
|
||||||
- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
|
- [Download Internet Explorer 11](http://windows.microsoft.com/internet-explorer/download-ie)
|
||||||
- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
|
- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
|
||||||
- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
|
- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
|
||||||
- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index)
|
- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/itpro/internet-explorer/ie11-ieak/index)
|
||||||
- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
|
- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
|
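Review bot: The "Download Internet Explorer 11" entry in this Related topics list still points at an http:// URL after the edit (http://windows.microsoft.com/internet-explorer/download-ie), while every other link touched in this hunk is https://. Since the line is already being changed to drop the locale segment, switch it to https:// in the same pass if the target serves it, so a download link is not followed over plaintext.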
@ -5,7 +5,7 @@ ms.prod: w10
|
|||||||
ms.mktglfcycl: deploy
|
ms.mktglfcycl: deploy
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: edu
|
ms.pagetype: edu
|
||||||
author: jdeckerMS
|
author: CelesteDG
|
||||||
---
|
---
|
||||||
|
|
||||||
# Change history for Windows 10 for Education
|
# Change history for Windows 10 for Education
|
||||||
|
@ -5,7 +5,7 @@ keywords: school
|
|||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: plan
|
ms.mktglfcycl: plan
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
author: jdeckerMS
|
author: trudyha
|
||||||
---
|
---
|
||||||
|
|
||||||
# Get Minecraft: Education Edition
|
# Get Minecraft: Education Edition
|
||||||
|
@ -5,7 +5,7 @@ keywords: ["school"]
|
|||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: plan
|
ms.mktglfcycl: plan
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
author: jdeckerMS
|
author: trudyha
|
||||||
---
|
---
|
||||||
|
|
||||||
# For IT administrators - get Minecraft: Education Edition
|
# For IT administrators - get Minecraft: Education Edition
|
||||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
|||||||
ms.mktglfcycl: plan
|
ms.mktglfcycl: plan
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: edu
|
ms.pagetype: edu
|
||||||
author: jdeckerMS
|
author: CelesteDG
|
||||||
---
|
---
|
||||||
|
|
||||||
# Technical reference for the Set up School PCs app
|
# Technical reference for the Set up School PCs app
|
||||||
|
@ -5,7 +5,7 @@ keywords: ["shared cart", "shared PC", "school"]
|
|||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: plan
|
ms.mktglfcycl: plan
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
author: jdeckerMS
|
author: CelesteDG
|
||||||
---
|
---
|
||||||
|
|
||||||
# Set up student PCs to join domain
|
# Set up student PCs to join domain
|
||||||
|
@ -5,7 +5,7 @@ keywords: ["shared cart", "shared PC", "school"]
|
|||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: plan
|
ms.mktglfcycl: plan
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
author: jdeckerMS
|
author: CelesteDG
|
||||||
---
|
---
|
||||||
|
|
||||||
# Provision student PCs with apps
|
# Provision student PCs with apps
|
||||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
|||||||
ms.mktglfcycl: plan
|
ms.mktglfcycl: plan
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: edu
|
ms.pagetype: edu
|
||||||
author: jdeckerMS
|
author: CelesteDG
|
||||||
---
|
---
|
||||||
|
|
||||||
# Provisioning options for Windows 10
|
# Provisioning options for Windows 10
|
||||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
|||||||
ms.mktglfcycl: plan
|
ms.mktglfcycl: plan
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: edu
|
ms.pagetype: edu
|
||||||
author: jdeckerMS
|
author: CelesteDG
|
||||||
---
|
---
|
||||||
|
|
||||||
# Take a Test app technical reference
|
# Take a Test app technical reference
|
||||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
|||||||
ms.mktglfcycl: plan
|
ms.mktglfcycl: plan
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: edu
|
ms.pagetype: edu
|
||||||
author: jdeckerMS
|
author: CelesteDG
|
||||||
---
|
---
|
||||||
|
|
||||||
# Set up Take a Test on multiple PCs
|
# Set up Take a Test on multiple PCs
|
||||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
|||||||
ms.mktglfcycl: plan
|
ms.mktglfcycl: plan
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: edu
|
ms.pagetype: edu
|
||||||
author: jdeckerMS
|
author: CelesteDG
|
||||||
---
|
---
|
||||||
|
|
||||||
# Set up Take a Test on a single PC
|
# Set up Take a Test on a single PC
|
||||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
|||||||
ms.mktglfcycl: plan
|
ms.mktglfcycl: plan
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: edu
|
ms.pagetype: edu
|
||||||
author: jdeckerMS
|
author: CelesteDG
|
||||||
---
|
---
|
||||||
|
|
||||||
# Take tests in Windows 10
|
# Take tests in Windows 10
|
||||||
|
@ -5,7 +5,7 @@ keywords: ["school"]
|
|||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: plan
|
ms.mktglfcycl: plan
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
author: jdeckerMS
|
author: trudyha
|
||||||
---
|
---
|
||||||
|
|
||||||
# For teachers - get Minecraft: Education Edition
|
# For teachers - get Minecraft: Education Edition
|
||||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
|||||||
ms.mktglfcycl: plan
|
ms.mktglfcycl: plan
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: edu
|
ms.pagetype: edu
|
||||||
author: jdeckerMS
|
author: CelesteDG
|
||||||
---
|
---
|
||||||
|
|
||||||
# Use the Set up School PCs app
|
# Use the Set up School PCs app
|
||||||
|
@ -81,10 +81,11 @@ Before you deploy Office by using App-V, review the following requirements.
|
|||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>Packaging</p></td>
|
<td align="left"><p>Packaging</p></td>
|
||||||
<td align="left"><ul>
|
<td align="left">
|
||||||
|
<ul>
|
||||||
<li><p>All of the Office applications that you want to deploy to users must be in a single package.</p></li>
|
<li><p>All of the Office applications that you want to deploy to users must be in a single package.</p></li>
|
||||||
<li><p>In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.</p></li>
|
<li><p>In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.</p></li>
|
||||||
<li><p>If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project).</p></li>
|
<li><p>If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office).</p></li>
|
||||||
</ul></td>
|
</ul></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
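Review bot: The Visio/Project link in the Packaging row now targets #deploying-visio-2016-and-project-2016-with-office, but the list entry "Deploying Visio 2016 and Project 2016 with Office" further down in this same file still uses #bkmk-deploy-visio-project. Pick one anchor for that section and use it in both places, or confirm that both ids exist on the rendered page.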
@ -102,12 +103,7 @@ Before you deploy Office by using App-V, review the following requirements.
|
|||||||
<li><p>Project Pro for Office 365</p></li>
|
<li><p>Project Pro for Office 365</p></li>
|
||||||
</ul></td>
|
</ul></td>
|
||||||
<td align="left"><p>You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).</p>
|
<td align="left"><p>You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).</p>
|
||||||
<p>You don’t use shared computer activation if you’re deploying a volume licensed product, such as:</p>
|
</td>
|
||||||
<ul>
|
|
||||||
<li><p>Office Professional Plus 2016</p></li>
|
|
||||||
<li><p>Visio Professional 2016</p></li>
|
|
||||||
<li><p>Project Professional 2016</p></li>
|
|
||||||
</ul></td>
|
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
@ -154,9 +150,7 @@ The following table describes the recommended methods for excluding specific Off
|
|||||||
|
|
||||||
Complete the following steps to create an Office 2016 package for App-V 5.0 or later.
|
Complete the following steps to create an Office 2016 package for App-V 5.0 or later.
|
||||||
|
|
||||||
**Important**
|
>**Important** In App-V 5.0 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
|
||||||
In App-V 5.0 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
|
|
||||||
|
|
||||||
|
|
||||||
### Review prerequisites for using the Office Deployment Tool
|
### Review prerequisites for using the Office Deployment Tool
|
||||||
|
|
||||||
@ -190,13 +184,12 @@ The computer on which you are installing the Office Deployment Tool must have:
|
|||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
**Note**
|
>**Note** In this topic, the term “Office 2016 App-V package” refers to subscription licensing.
|
||||||
In this topic, the term “Office 2016 App-V package” refers to subscription licensing and volume licensing.
|
|
||||||
|
|
||||||
|
|
||||||
### Create Office 2016 App-V Packages Using Office Deployment Tool
|
### Create Office 2016 App-V Packages Using Office Deployment Tool
|
||||||
|
|
||||||
You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Volume Licensing or Subscription Licensing.
|
You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Subscription Licensing.
|
||||||
|
|
||||||
Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers.
|
Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers.
|
||||||
|
|
||||||
@ -206,6 +199,7 @@ Office 2016 App-V Packages are created using the Office Deployment Tool, which g
|
|||||||
|
|
||||||
1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117).
|
1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117).
|
||||||
|
|
||||||
|
>**Important** You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages.
|
||||||
2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
|
2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
|
||||||
|
|
||||||
Example: \\\\Server\\Office2016
|
Example: \\\\Server\\Office2016
|
||||||
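Review bot: The Important note added after step 1 repeats the note this commit already places at the top of the section ("In App-V 5.0 and later, you must use the Office Deployment Tool to create a package"). One of the two is enough. If the step-level note stays, make sure it is indented to the list level so that step 2 keeps its number.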
@ -237,8 +231,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
|
|||||||
</Configuration>
|
</Configuration>
|
||||||
```
|
```
|
||||||
|
|
||||||
**Note**
|
>**Note** The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "<! - -" from the beginning of the line, and the "-- >" from the end of the line.
|
||||||
The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "<! - -" from the beginning of the line, and the "-- >" from the end of the line.
|
|
||||||
|
|
||||||
The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
|
The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
|
||||||
|
|
||||||
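Review bot: In the rewritten Note, the comment delimiters are still spelled with spaces ("<! - -" and "-- >"), which is not what a reader will find in the XML file. Now that the note is a single Markdown line, put the literal delimiters in inline code (`<!--` and `-->`) so they can be matched exactly and are not swallowed as an HTML comment.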
@ -269,13 +262,14 @@ The XML file that is included in the Office Deployment Tool specifies the produc
|
|||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>Product element</p></td>
|
<td align="left"><p>Product element</p></td>
|
||||||
<td align="left"><p>Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.</p></td>
|
<td align="left"><p>Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.
|
||||||
|
|
||||||
|
For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297)
|
||||||
|
</p></td>
|
||||||
<td align="left"><p><code>Product ID ="O365ProPlusRetail "</code></p>
|
<td align="left"><p><code>Product ID ="O365ProPlusRetail "</code></p>
|
||||||
<p><code>Product ID ="VisioProRetail"</code></p>
|
<p><code>Product ID ="VisioProRetail"</code></p>
|
||||||
<p><code>Product ID ="ProjectProRetail"</code></p>
|
<p><code>Product ID ="ProjectProRetail"</code></p>
|
||||||
<p><code>Product ID ="ProPlusVolume"</code></p>
|
</td>
|
||||||
<p><code>Product ID ="VisioProVolume"</code></p>
|
|
||||||
<p><code>Product ID = "ProjectProVolume"</code></p></td>
|
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>Language element</p></td>
|
<td align="left"><p>Language element</p></td>
|
||||||
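Review bot: In the Product element row, the first example value reads Product ID ="O365ProPlusRetail " with a trailing space inside the quotes, and the spacing around "=" varies between the examples. The cell is being edited here anyway, so clean the examples up so that they can be copied as written. The added "For more information about the product IDs, see ..." sentence also lacks a closing period.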
@ -286,7 +280,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
|
|||||||
<td align="left"><p>Version (attribute of Add element)</p></td>
|
<td align="left"><p>Version (attribute of Add element)</p></td>
|
||||||
<td align="left"><p>Optional. Specifies a build to use for the package</p>
|
<td align="left"><p>Optional. Specifies a build to use for the package</p>
|
||||||
<p>Defaults to latest advertised build (as defined in v32.CAB at the Office source).</p></td>
|
<p>Defaults to latest advertised build (as defined in v32.CAB at the Office source).</p></td>
|
||||||
<td align="left"><p><code>15.1.2.3</code></p></td>
|
<td align="left"><p><code>16.1.2.3</code></p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>SourcePath (attribute of Add element)</p></td>
|
<td align="left"><p>SourcePath (attribute of Add element)</p></td>
|
||||||
@ -303,7 +297,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
|
|||||||
|
|
||||||
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
|
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
|
||||||
|
|
||||||
2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with description of details:
|
2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with a description of details:
|
||||||
|
|
||||||
``` syntax
|
``` syntax
|
||||||
\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml
|
\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml
|
||||||
@ -346,41 +340,35 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
|
|
||||||
- Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers.
|
- Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers.
|
||||||
|
|
||||||
- Create an Office App-V package for either Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
|
- Create an Office App-V package for Subscription Licensing package by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
|
||||||
|
|
||||||
The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
|
The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
|
||||||
|
|
||||||
|
>**Note** You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<colgroup>
|
<colgroup>
|
||||||
<col width="33%" />
|
<col width="33%" />
|
||||||
<col width="33%" />
|
<col width="33%" />
|
||||||
<col width="33%" />
|
|
||||||
</colgroup>
|
</colgroup>
|
||||||
<thead>
|
<thead>
|
||||||
<tr class="header">
|
<tr class="header">
|
||||||
<th align="left">Product ID</th>
|
<th align="left">Product ID</th>
|
||||||
<th align="left">Volume Licensing</th>
|
|
||||||
<th align="left">Subscription Licensing</th>
|
<th align="left">Subscription Licensing</th>
|
||||||
</tr>
|
</tr>
|
||||||
</thead>
|
</thead>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Office 2016</strong></p></td>
|
<td align="left"><p><strong>Office 2016</strong></p></td>
|
||||||
<td align="left"><p>ProPlusVolume</p></td>
|
|
||||||
<td align="left"><p>O365ProPlusRetail</p></td>
|
<td align="left"><p>O365ProPlusRetail</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Office 2016 with Visio 2016</strong></p></td>
|
<td align="left"><p><strong>Office 2016 with Visio 2016</strong></p></td>
|
||||||
<td align="left"><p>ProPlusVolume</p>
|
|
||||||
<p>VisioProVolume</p></td>
|
|
||||||
<td align="left"><p>O365ProPlusRetail</p>
|
<td align="left"><p>O365ProPlusRetail</p>
|
||||||
<p>VisioProRetail</p></td>
|
<p>VisioProRetail</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Office 2016 with Visio 2016 and Project 2016</strong></p></td>
|
<td align="left"><p><strong>Office 2016 with Visio 2016 and Project 2016</strong></p></td>
|
||||||
<td align="left"><p>ProPlusVolume</p>
|
|
||||||
<p>VisioProVolume</p>
|
|
||||||
<p>ProjectProVolume</p></td>
|
|
||||||
<td align="left"><p>O365ProPlusRetail</p>
|
<td align="left"><p>O365ProPlusRetail</p>
|
||||||
<p>VisioProRetail</p>
|
<p>VisioProRetail</p>
|
||||||
<p>ProjectProRetail</p></td>
|
<p>ProjectProRetail</p></td>
|
||||||
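Review bot: After the Volume Licensing column is removed, the colgroup keeps two col elements at width="33%", so the two remaining columns no longer add up to the full width; set them to 50% each. In the same hunk, the new bullet reads "Create an Office App-V package for Subscription Licensing package by using the Office Deployment Tool", where the second "package" should be dropped, and the sentence introducing the table still says "for the licensing model you're using" although only one model is left.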
@ -412,9 +400,7 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>ProductID</p></td>
|
<td align="left"><p>ProductID</p></td>
|
||||||
<td align="left"><p>Specify the type of licensing, as shown in the following examples:</p>
|
<td align="left"><p>Specify Subscription licensing, as shown in the following example:</p>
|
||||||
<ul>
|
|
||||||
<li><p>Subscription Licensing</p>
|
|
||||||
<pre class="syntax" space="preserve"><code><Configuration>
|
<pre class="syntax" space="preserve"><code><Configuration>
|
||||||
<Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
|
<Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
|
||||||
<Product ID="O365ProPlusRetail">
|
<Product ID="O365ProPlusRetail">
|
||||||
@ -446,44 +432,7 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<p> </p>
|
<p></p>
|
||||||
<p></p></li>
|
|
||||||
<li><p>Volume Licensing</p>
|
|
||||||
<pre class="syntax" space="preserve"><code><Configuration>
|
|
||||||
<Add SourcePath= "\\Server\Office2016" OfficeClientEdition="32" >
|
|
||||||
<Product ID="ProPlusVolume">
|
|
||||||
<Language ID="en-us" />
|
|
||||||
</Product>
|
|
||||||
<Product ID="VisioProVolume">
|
|
||||||
<Language ID="en-us" />
|
|
||||||
</Product>
|
|
||||||
</Add>
|
|
||||||
</Configuration></code></pre>
|
|
||||||
<p>In this example, the following changes were made to create a package with Volume licensing:</p>
|
|
||||||
<table>
|
|
||||||
<colgroup>
|
|
||||||
<col width="50%" />
|
|
||||||
<col width="50%" />
|
|
||||||
</colgroup>
|
|
||||||
<tbody>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p><strong>SourcePath</strong></p></td>
|
|
||||||
<td align="left"><p>is the path, which was changed to point to the Office applications that were downloaded earlier.</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td align="left"><p><strong>Product ID</strong></p></td>
|
|
||||||
<td align="left"><p>for Office was changed to <code>ProPlusVolume</code>.</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p><strong>Product ID</strong></p></td>
|
|
||||||
<td align="left"><p>for Visio was changed to <code>VisioProVolume</code>.</p></td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
<p> </p>
|
|
||||||
<p></p></li>
|
|
||||||
</ul></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>ExcludeApp (optional)</p></td>
|
<td align="left"><p>ExcludeApp (optional)</p></td>
|
||||||
<td align="left"><p>Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.</p></td>
|
<td align="left"><p>Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.</p></td>
|
||||||
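Review bot: The removal of the Volume Licensing block also deletes the "</ul></td>" and "</tr>" lines that closed the ProductID row, and nothing on the new side replaces them. The new side goes from "</table>" and "<p></p>" straight to the ExcludeApp "<tr class="odd">", which leaves the ProductID td and tr open. Add "</td>" and "</tr>" after the "<p></p>" line.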
@ -492,13 +441,8 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
<td align="left"><p>PACKAGEGUID (optional)</p></td>
|
<td align="left"><p>PACKAGEGUID (optional)</p></td>
|
||||||
<td align="left"><p>By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.</p>
|
<td align="left"><p>By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.</p>
|
||||||
<p>An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.</p>
|
<p>An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.</p>
|
||||||
<div class="alert">
|
>**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
|
||||||
<strong>Note</strong>
|
</td>
|
||||||
<p>Even if you use unique package IDs, you can still deploy only one App-V package to a single device.</p>
|
|
||||||
</div>
|
|
||||||
<div>
|
|
||||||
|
|
||||||
</div></td>
|
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
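Review bot: In the PACKAGEGUID cell, the HTML alert div is replaced by a Markdown blockquote line (">**Note** Even if you use unique package IDs ...") that directly follows the "</p>" line inside the td, with no blank line before it. Inside an HTML table, many Markdown processors will emit that line as literal text, including the ">" and the asterisks. Either keep the note as HTML (for example a p with strong) or separate it with blank lines as was done for the Markdown link in the Product element row.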
@ -531,7 +475,7 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>/packager</strong></p></td>
|
<td align="left"><p><strong>/packager</strong></p></td>
|
||||||
<td align="left"><p>creates the Office 2016 App-V package with Volume Licensing as specified in the customConfig.xml file.</p></td>
|
<td align="left"><p>creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>\\server\Office2016\Customconfig.xml</strong></p></td>
|
<td align="left"><p><strong>\\server\Office2016\Customconfig.xml</strong></p></td>
|
||||||
@ -552,8 +496,7 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
|
|
||||||
- **WorkingDir**
|
- **WorkingDir**
|
||||||
|
|
||||||
**Note**
|
**Note** To troubleshoot any issues, see the log files in the %temp% directory (default).
|
||||||
To troubleshoot any issues, see the log files in the %temp% directory (default).
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
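Review bot: The merged note under WorkingDir is written as "**Note** To troubleshoot any issues ..." without the leading ">" that every other converted note in this commit uses (">**Note**", ">**Important**"). Add the ">" so it renders as the same kind of callout.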
@ -563,7 +506,7 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
|
|
||||||
2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected.
|
2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected.
|
||||||
|
|
||||||
## <a href="" id="bkmk-pub-pkg-office"></a>Publishing the Office package for App-V 5.0
|
## <a href="" id="bkmk-pub-pkg-office"></a>Publishing the Office package for App-V
|
||||||
|
|
||||||
|
|
||||||
Use the following information to publish an Office package.
|
Use the following information to publish an Office package.
|
||||||
@ -629,8 +572,6 @@ To manage your Office App-V packages, use the same operations as you would for a
|
|||||||
|
|
||||||
- [Managing Office 2016 package upgrades](#bkmk-manage-office-pkg-upgrd)
|
- [Managing Office 2016 package upgrades](#bkmk-manage-office-pkg-upgrd)
|
||||||
|
|
||||||
- [Managing Office 2016 licensing upgrades](#bkmk-manage-office-lic-upgrd)
|
|
||||||
|
|
||||||
- [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project)
|
- [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project)
|
||||||
|
|
||||||
### <a href="" id="bkmk-enable-office-plugins"></a>Enabling Office plug-ins by using connection groups
|
### <a href="" id="bkmk-enable-office-plugins"></a>Enabling Office plug-ins by using connection groups
|
||||||
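Review bot: This hunk drops the "Managing Office 2016 licensing upgrades" entry that links to #bkmk-manage-office-lic-upgrd, but the visible changes do not show the section with that id being removed. If the section is gone, say so in the commit. If it is still in the file, it is now unreachable from this list and describes a licensing path the rest of the page no longer covers.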
@ -641,16 +582,15 @@ Use the steps in this section to enable Office plug-ins with your Office package
|
|||||||
|
|
||||||
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
|
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
|
||||||
|
|
||||||
2. Sequence your plug-ins using the App-V 5.0 Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
|
2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
|
||||||
|
|
||||||
3. Create an App-V 5.0 package that includes the desired plug-ins.
|
3. Create an App-V package that includes the desired plug-ins.
|
||||||
|
|
||||||
4. Add a Connection Group through App-V server, System Center Configuration Manager, or a PowerShell cmdlet.
|
4. Add a Connection Group through App-V server, System Center Configuration Manager, or a PowerShell cmdlet.
|
||||||
|
|
||||||
5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
|
5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
|
||||||
|
|
||||||
**Important**
|
>**Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.
|
||||||
The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
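Review bot: steps 1 and 4 of this procedure are the same instruction ("Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet"), differing only in the capitalization of "Server", and the hunk edits steps 2 and 3 without resolving that. Step 5 refers to "the Connection Group you created", so one of the two should be dropped or reworded to say what differs. While step 2 is being touched, "Office 365 ProPlus(non-virtual)" also needs a space before the parenthesis.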
@ -672,8 +612,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
|
|||||||
|
|
||||||
You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
|
You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
|
||||||
|
|
||||||
**Note**
|
>**Note** To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.
|
||||||
To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.
|
|
||||||
|
|
||||||
|
|
||||||
**To disable an Office 2016 application**
|
**To disable an Office 2016 application**
|
||||||
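Review bot: the paragraph directly above the reformatted note still reads "leave all other Office application main available", which is garbled and is carried over unchanged as context. Since this hunk already touches the surrounding text, fix it in the same pass, for example "leave all other Office applications available".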
@ -752,36 +691,17 @@ To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a
|
|||||||
|
|
||||||
1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
|
1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
|
||||||
|
|
||||||
**Note**
|
>**Note** Office App-V packages have two Version IDs:
|
||||||
Office App-V packages have two Version IDs:
|
<ul>
|
||||||
|
<li>An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.</li>
|
||||||
- An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
|
<li>A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.</li>
|
||||||
|
</ul>
|
||||||
- A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
|
2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
|
||||||
|
|
||||||
3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
|
3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
|
||||||
|
|
||||||
### <a href="" id="bkmk-manage-office-lic-upgrd"></a>Managing Office 2016 licensing upgrades
|
|
||||||
|
|
||||||
If a new Office 2016 App-V Package has a different license than the Office 2016 App-V Package currently deployed. For instance, the Office 2016 package deployed is a subscription based Office 2016 and the new Office 2016 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade:
|
|
||||||
|
|
||||||
**How to upgrade an Office 2016 License**
|
|
||||||
|
|
||||||
1. Unpublish the already deployed Office 2016 Subscription Licensing App-V package.
|
|
||||||
|
|
||||||
2. Remove the unpublished Office 2016 Subscription Licensing App-V package.
|
|
||||||
|
|
||||||
3. Restart the computer.
|
|
||||||
|
|
||||||
4. Add the new Office 2016 App-V Package Volume Licensing.
|
|
||||||
|
|
||||||
5. Publish the added Office 2016 App-V Package with Volume Licensing.
|
|
||||||
|
|
||||||
An Office 2016 App-V Package with your chosen licensing will be successfully deployed.
|
|
||||||
|
|
||||||
### <a href="" id="bkmk-deploy-visio-project"></a>Deploying Visio 2016 and Project 2016 with Office
|
### <a href="" id="bkmk-deploy-visio-project"></a>Deploying Visio 2016 and Project 2016 with Office
|
||||||
|
|
||||||
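Review bot: the new `>**Note** Office App-V packages have two Version IDs:` line is a Markdown blockquote, but the two Version ID items that follow are now a raw HTML `<ul>` whose lines, as shown, carry no `>` prefix, so the list will render outside the note it belongs to. Either keep the items as Markdown bullets inside the quote or prefix every list line with `>`. The list text also switches between "x.x.x.x" and "X.X.X.X" for the same ID; pick one. Separately, this hunk deletes the whole "Managing Office 2016 licensing upgrades" section and its `bkmk-manage-office-lic-upgrd` anchor, so check that no other topic still links to that anchor.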
@ -802,7 +722,7 @@ The following table describes the requirements and options for deploying Visio 2
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>How do I package and publish Visio 2016 and Project 2016 with Office?</p></td>
|
<td align="left"><p>How do I package and publish Visio 2016 and Project 2016 with Office?</p></td>
|
||||||
<td align="left"><p>You must include Visio 2016 and Project 2016 in the same package with Office.</p>
|
<td align="left"><p>You must include Visio 2016 and Project 2016 in the same package with Office.</p>
|
||||||
<p>If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).</p></td>
|
<p>If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>How can I deploy Visio 2016 and Project 2016 to specific users?</p></td>
|
<td align="left"><p>How can I deploy Visio 2016 and Project 2016 to specific users?</p></td>
|
||||||
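Review bot: the replacement sentence points readers to "the packaging, publishing, and deployment requirements described in this topic" but gives them no link, where the old text at least linked somewhere. The second file in this commit has a heading with the id `bkmk-pkg-pub-reqs` for exactly that content; if this file has the same section, link the phrase to it so the reference is navigable.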
@ -848,17 +768,11 @@ The following table describes the requirements and options for deploying Visio 2
|
|||||||
## Additional resources
|
## Additional resources
|
||||||
|
|
||||||
|
|
||||||
**Office 2016 App-V 5.0 Packages 5.0 Additional Resources**
|
|
||||||
|
|
||||||
[Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
|
|
||||||
|
|
||||||
[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://go.microsoft.com/fwlink/p/?LinkId=330680)
|
|
||||||
|
|
||||||
**Office 2013 and Office 2010 App-V Packages**
|
|
||||||
|
|
||||||
[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md)
|
[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md)
|
||||||
|
|
||||||
[Deploying Microsoft Office 2011 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md)
|
[Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md)
|
||||||
|
|
||||||
|
[Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
|
||||||
|
|
||||||
**Connection Groups**
|
**Connection Groups**
|
||||||
|
|
||||||
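Review bot: with both bold subheadings removed, the Office 2013, Office 2010 and Office 2016 Deployment Tool links now sit ungrouped directly under "## Additional resources", while "**Connection Groups**" and "**Dynamic Configuration**" keep their subheadings. Either give the first group a heading again or drop the subheadings throughout. The hunk also deletes the "Supported scenarios for deploying Microsoft Office as a sequenced App-V Package" link without a replacement; confirm that is intended and not a side effect of moving the Deployment Tool link.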
@ -868,7 +782,7 @@ The following table describes the requirements and options for deploying Visio 2
|
|||||||
|
|
||||||
**Dynamic Configuration**
|
**Dynamic Configuration**
|
||||||
|
|
||||||
[About App-V 5.0 Dynamic Configuration](about-app-v-50-dynamic-configuration.md)
|
[About App-V 5.1 Dynamic Configuration](about-app-v-51-dynamic-configuration.md)
|
||||||
|
|
||||||
## Got a suggestion for App-V?
|
## Got a suggestion for App-V?
|
||||||
|
|
||||||
|
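Review bot: this link is retargeted from `about-app-v-50-dynamic-configuration.md` to `about-app-v-51-dynamic-configuration.md`, while the rest of the change to this file removes version numbers ("App-V 5.0 Sequencer" becomes "App-V Sequencer"). Confirm the 5.1 file exists at that relative path from this topic, and decide whether the visible link text should still carry a version number when the surrounding text no longer does.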
@ -1,4 +1,4 @@
|
|||||||
---
|
---
|
||||||
title: Deploying Microsoft Office 2016 by Using App-V
|
title: Deploying Microsoft Office 2016 by Using App-V
|
||||||
description: Deploying Microsoft Office 2016 by Using App-V
|
description: Deploying Microsoft Office 2016 by Using App-V
|
||||||
author: jamiejdt
|
author: jamiejdt
|
||||||
@ -47,7 +47,7 @@ Use the following table to get information about supported versions of Office an
|
|||||||
</thead>
|
</thead>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>[Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-office-vers-supp-appv)</p></td>
|
<td align="left"><p>[Supported versions of Microsoft Office](planning-for-using-app-v-with-office.md#bkmk-office-vers-supp-appv)</p></td>
|
||||||
<td align="left"><ul>
|
<td align="left"><ul>
|
||||||
<li><p>Supported versions of Office</p></li>
|
<li><p>Supported versions of Office</p></li>
|
||||||
<li><p>Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)</p></li>
|
<li><p>Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)</p></li>
|
||||||
@ -55,13 +55,14 @@ Use the following table to get information about supported versions of Office an
|
|||||||
</ul></td>
|
</ul></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>[Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-plan-coexisting)</p></td>
|
<td align="left"><p>[Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)</p></td>
|
||||||
<td align="left"><p>Considerations for installing different versions of Office on the same computer</p></td>
|
<td align="left"><p>Considerations for installing different versions of Office on the same computer</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### <a href="" id="bkmk-pkg-pub-reqs"></a>Packaging, publishing, and deployment requirements
|
### <a href="" id="bkmk-pkg-pub-reqs"></a>Packaging, publishing, and deployment requirements
|
||||||
|
|
||||||
Before you deploy Office by using App-V, review the following requirements.
|
Before you deploy Office by using App-V, review the following requirements.
|
||||||
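Review bot: the new link text in the second table row has a typo, "coexsiting" should be "coexisting". The text also reads oddly next to the first row's new title; "Planning for using App-V with coexisting versions of Office" in sentence case would match the description column.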
@ -80,10 +81,11 @@ Before you deploy Office by using App-V, review the following requirements.
|
|||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>Packaging</p></td>
|
<td align="left"><p>Packaging</p></td>
|
||||||
<td align="left"><ul>
|
<td align="left">
|
||||||
|
<ul>
|
||||||
<li><p>All of the Office applications that you want to deploy to users must be in a single package.</p></li>
|
<li><p>All of the Office applications that you want to deploy to users must be in a single package.</p></li>
|
||||||
<li><p>In App-V 5.1 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.</p></li>
|
<li><p>In App-V 5.1 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.</p></li>
|
||||||
<li><p>If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project).</p></li>
|
<li><p>If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office).</p></li>
|
||||||
</ul></td>
|
</ul></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
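Review bot: the in-page link in the third list item changes from the explicit anchor `#bkmk-deploy-visio-project` to the generated slug `#deploying-visio-2016-and-project-2016-with-office`, but the next heading in this same file still uses an explicit id (`bkmk-pkg-pub-reqs`). Mixing the two styles makes links fragile if a heading is reworded; confirm the slug resolves on the target platform and use one style consistently. The link is also Markdown inside a raw HTML `<li><p>`, so check that it renders as a link at all.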
@ -101,12 +103,7 @@ Before you deploy Office by using App-V, review the following requirements.
|
|||||||
<li><p>Project Pro for Office 365</p></li>
|
<li><p>Project Pro for Office 365</p></li>
|
||||||
</ul></td>
|
</ul></td>
|
||||||
<td align="left"><p>You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).</p>
|
<td align="left"><p>You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).</p>
|
||||||
<p>You don’t use shared computer activation if you’re deploying a volume licensed product, such as:</p>
|
</td>
|
||||||
<ul>
|
|
||||||
<li><p>Office Professional Plus 2016</p></li>
|
|
||||||
<li><p>Visio Professional 2016</p></li>
|
|
||||||
<li><p>Project Professional 2016</p></li>
|
|
||||||
</ul></td>
|
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
@ -153,10 +150,7 @@ The following table describes the recommended methods for excluding specific Off
|
|||||||
|
|
||||||
Complete the following steps to create an Office 2016 package for App-V 5.1 or later.
|
Complete the following steps to create an Office 2016 package for App-V 5.1 or later.
|
||||||
|
|
||||||
**Important**
|
>**Important** In App-V 5.1 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
|
||||||
In App-V 5.1 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Review prerequisites for using the Office Deployment Tool
|
### Review prerequisites for using the Office Deployment Tool
|
||||||
|
|
||||||
@ -182,23 +176,20 @@ The computer on which you are installing the Office Deployment Tool must have:
|
|||||||
<td align="left"><p>Supported operating systems</p></td>
|
<td align="left"><p>Supported operating systems</p></td>
|
||||||
<td align="left"><ul>
|
<td align="left"><ul>
|
||||||
<li><p>64-bit version of Windows 10</p></li>
|
<li><p>64-bit version of Windows 10</p></li>
|
||||||
<li><p>64-bit version of Windows 8 or later</p></li>
|
<li><p>64-bit version of Windows 8 or 8.1</p></li>
|
||||||
<li><p>64-bit version of Windows 7</p></li>
|
<li><p>64-bit version of Windows 7</p></li>
|
||||||
</ul></td>
|
</ul></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
|
>**Note** In this topic, the term “Office 2016 App-V package” refers to subscription licensing.
|
||||||
|
|
||||||
|
|
||||||
**Note**
|
### Create Office 2016 App-V Packages Using Office Deployment Tool
|
||||||
In this topic, the term “Office 2016 App-V package” refers to subscription licensing and volume licensing.
|
|
||||||
|
|
||||||
|
You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Subscription Licensing.
|
||||||
|
|
||||||
### Create Office 2013 App-V Packages Using Office Deployment Tool
|
|
||||||
|
|
||||||
You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Volume Licensing or Subscription Licensing.
|
|
||||||
|
|
||||||
Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers.
|
Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers.
|
||||||
|
|
||||||
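Review bot: the unchanged sentence at the end of this hunk says the package "will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers", while the same statement later in the file reads "Windows 7, Windows 8 or 8.1, and Windows 10". Since this hunk is already correcting the operating system list ("Windows 8 or later" to "Windows 8 or 8.1"), align the two sentences so the topic states one supported set.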
@ -206,11 +197,9 @@ Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the
|
|||||||
|
|
||||||
Office 2016 App-V Packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation:
|
Office 2016 App-V Packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation:
|
||||||
|
|
||||||
1. Download the [Office 2-16 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117).
|
1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117).
|
||||||
|
|
||||||
> [!NOTE]
|
|
||||||
> You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages.
|
|
||||||
|
|
||||||
|
>**Important** You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages.
|
||||||
2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
|
2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
|
||||||
|
|
||||||
Example: \\\\Server\\Office2016
|
Example: \\\\Server\\Office2016
|
||||||
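Review bot: the new `>**Important**` under step 1 repeats what the paragraph immediately above it already says ("Office 2016 App-V Packages are created using the Office Deployment Tool ... cannot be created or modified through the App-V sequencer"), and an Important with the same message is added earlier in this file. Three statements of one requirement within a few lines is noise; keep the earlier Important and drop this one, or fold it into step 1.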
@ -242,12 +231,9 @@ The XML file that is included in the Office Deployment Tool specifies the produc
|
|||||||
</Configuration>
|
</Configuration>
|
||||||
```
|
```
|
||||||
|
|
||||||
**Note**
|
>**Note** The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "<! - -" from the beginning of the line, and the "-- >" from the end of the line.
|
||||||
The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "<! ---" from the beginning of the line, and the "-- >" from the end of the line.
|
|
||||||
|
|
||||||
|
The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
|
||||||
|
|
||||||
The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
|
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<colgroup>
|
<colgroup>
|
||||||
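Review bot: the rewritten note still gives the wrong comment markers. It now tells readers to remove `"<! - -"` and `"-- >"`, but neither string appears in an XML file; the delimiters are `<!--` and `-->` with no spaces, and they should be in code formatting so the renderer does not alter them. The new paragraph below the note also changes the share from `\\\\server\\Office2016` to `\\\\server\\Office 2016` with a space, which no longer matches the `\\server\Office2016\setup.exe` command or the `Sourcepath` example used elsewhere in this file.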
@ -276,13 +262,14 @@ The XML file that is included in the Office Deployment Tool specifies the produc
|
|||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>Product element</p></td>
|
<td align="left"><p>Product element</p></td>
|
||||||
<td align="left"><p>Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.</p></td>
|
<td align="left"><p>Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.
|
||||||
<td align="left"><p><code>Product ID ="O365ProPlusRetail"</code></p>
|
|
||||||
|
For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297)
|
||||||
|
</p></td>
|
||||||
|
<td align="left"><p><code>Product ID ="O365ProPlusRetail "</code></p>
|
||||||
<p><code>Product ID ="VisioProRetail"</code></p>
|
<p><code>Product ID ="VisioProRetail"</code></p>
|
||||||
<p><code>Product ID ="ProjectProRetail"</code></p>
|
<p><code>Product ID ="ProjectProRetail"</code></p>
|
||||||
<p><code>Product ID ="ProPlusVolume"</code></p>
|
</td>
|
||||||
<p><code>Product ID ="VisioProVolume"</code></p>
|
|
||||||
<p><code>Product ID = "ProjectProVolume"</code></p></td>
|
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>Language element</p></td>
|
<td align="left"><p>Language element</p></td>
|
||||||
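Review bot: the new example value `Product ID ="O365ProPlusRetail "` has a trailing space inside the quotes, so anyone copying it gets an ID that does not match the `O365ProPlusRetail` used in the sample configuration. Remove the space. In the description cell, the added "For more information about the product IDs" sentence is a Markdown link placed inside a raw HTML `<p>` that now spans several lines; check that it renders as a link and ends with a period.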
@ -298,21 +285,19 @@ The XML file that is included in the Office Deployment Tool specifies the produc
|
|||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>SourcePath (attribute of Add element)</p></td>
|
<td align="left"><p>SourcePath (attribute of Add element)</p></td>
|
||||||
<td align="left"><p>Specifies the location in which the applications will be saved to.</p></td>
|
<td align="left"><p>Specifies the location in which the applications will be saved to.</p></td>
|
||||||
<td align="left"><p><code>Sourcepath = "\\Server\Office2016"</code></p></td>
|
<td align="left"><p><code>Sourcepath = "\\Server\Office2016”</code></p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>Branch (attribute of Add element)</p></td>
|
<td align="left"><p>Branch (attribute of Add element)</p></td>
|
||||||
<td align="left"><p>Optional. Specifies the update branch for the product that you want to download or install.</p><p>For more information about update branches, see Overview of update branches for Office 365 ProPlus.</p></td>
|
<td align="left"><p>Optional. Specifies the update branch for the product that you want to download or install. </p><p>For more information about update branches, see Overview of update branches for Office 365 ProPlus.</p></td>
|
||||||
<td align="left"><p><code>Branch = "Business"</code></p></td>
|
<td align="left"><p><code>Branch = "Business"</code></p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
|
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
|
||||||
|
|
||||||
2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with description of details:
|
2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with a description of details:
|
||||||
|
|
||||||
``` syntax
|
``` syntax
|
||||||
\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml
|
\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml
|
||||||
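Review bot: the `Sourcepath` example now closes with a typographic quote, `"\\Server\Office2016”`, where the old line had a straight `"`. Inside `<code>` this will be copied verbatim into configuration files and is not a valid attribute delimiter; restore the straight quote. The Branch row change only adds a trailing space before `</p>` and can be dropped from the diff.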
@ -355,41 +340,35 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
|
|
||||||
- Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers.
|
- Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers.
|
||||||
|
|
||||||
- Create an Office App-V package for either Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
|
- Create an Office App-V package for Subscription Licensing package by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
|
||||||
|
|
||||||
The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
|
The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
|
||||||
|
|
||||||
|
>**Note** You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<colgroup>
|
<colgroup>
|
||||||
<col width="33%" />
|
<col width="33%" />
|
||||||
<col width="33%" />
|
<col width="33%" />
|
||||||
<col width="33%" />
|
|
||||||
</colgroup>
|
</colgroup>
|
||||||
<thead>
|
<thead>
|
||||||
<tr class="header">
|
<tr class="header">
|
||||||
<th align="left">Product ID</th>
|
<th align="left">Product ID</th>
|
||||||
<th align="left">Volume Licensing</th>
|
|
||||||
<th align="left">Subscription Licensing</th>
|
<th align="left">Subscription Licensing</th>
|
||||||
</tr>
|
</tr>
|
||||||
</thead>
|
</thead>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Office 2016</strong></p></td>
|
<td align="left"><p><strong>Office 2016</strong></p></td>
|
||||||
<td align="left"><p>ProPlusVolume</p></td>
|
|
||||||
<td align="left"><p>O365ProPlusRetail</p></td>
|
<td align="left"><p>O365ProPlusRetail</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>Office 2016 with Visio 2016</strong></p></td>
|
<td align="left"><p><strong>Office 2016 with Visio 2016</strong></p></td>
|
||||||
<td align="left"><p>ProPlusVolume</p>
|
|
||||||
<p>VisioProVolume</p></td>
|
|
||||||
<td align="left"><p>O365ProPlusRetail</p>
|
<td align="left"><p>O365ProPlusRetail</p>
|
||||||
<p>VisioProRetail</p></td>
|
<p>VisioProRetail</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>Office 2016 with Visio 2016 and Project 2016</strong></p></td>
|
<td align="left"><p><strong>Office 2016 with Visio 2016 and Project 2016</strong></p></td>
|
||||||
<td align="left"><p>ProPlusVolume</p>
|
|
||||||
<p>VisioProVolume</p>
|
|
||||||
<p>ProjectProVolume</p></td>
|
|
||||||
<td align="left"><p>O365ProPlusRetail</p>
|
<td align="left"><p>O365ProPlusRetail</p>
|
||||||
<p>VisioProRetail</p>
|
<p>VisioProRetail</p>
|
||||||
<p>ProjectProRetail</p></td>
|
<p>ProjectProRetail</p></td>
|
||||||
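Review bot: the table loses its Volume Licensing column, but the two remaining `<col width="33%" />` entries are left as they were, so the declared widths no longer cover the table; set both to 50%. The reworded bullet above it reads "Create an Office App-V package for Subscription Licensing package by using the Office Deployment Tool", with "package" twice, and the following sentence still says "for the licensing model you're using" although only one model remains.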
@ -421,9 +400,7 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>ProductID</p></td>
|
<td align="left"><p>ProductID</p></td>
|
||||||
<td align="left"><p>Specify the type of licensing, as shown in the following examples:</p>
|
<td align="left"><p>Specify Subscription licensing, as shown in the following example:</p>
|
||||||
<ul>
|
|
||||||
<li><p>Subscription Licensing</p>
|
|
||||||
<pre class="syntax" space="preserve"><code><Configuration>
|
<pre class="syntax" space="preserve"><code><Configuration>
|
||||||
<Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
|
<Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
|
||||||
<Product ID="O365ProPlusRetail">
|
<Product ID="O365ProPlusRetail">
|
||||||
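Review bot: removing the `<ul>` and `<li><p>Subscription Licensing</p>` wrapper from the ProductID cell here has to be matched on the closing side, and in the following hunk the deleted lines include not only `<p></p></li>` and `</ul></td>` but also the `</tr>` after them. As far as the visible lines show, the new side goes from `<p></p>` straight to `<tr class="odd">` for ExcludeApp, which leaves the ProductID cell and row without a closing `</td></tr>`. Keep those two closing tags when dropping the Volume Licensing item. The sample in this cell also uses `SourcePath= "\\server\Office 2016"` with a space, unlike the `\\server\Office2016` path used in the download command.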
@ -455,59 +432,17 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<p> </p>
|
<p></p>
|
||||||
<p></p></li>
|
|
||||||
<li><p>Volume Licensing</p>
|
|
||||||
<pre class="syntax" space="preserve"><code><Configuration>
|
|
||||||
<Add SourcePath= "\\Server\Office2016" OfficeClientEdition="32" >
|
|
||||||
<Product ID="ProPlusVolume">
|
|
||||||
<Language ID="en-us" />
|
|
||||||
</Product>
|
|
||||||
<Product ID="VisioProVolume">
|
|
||||||
<Language ID="en-us" />
|
|
||||||
</Product>
|
|
||||||
</Add>
|
|
||||||
</Configuration></code></pre>
|
|
||||||
<p>In this example, the following changes were made to create a package with Volume licensing:</p>
|
|
||||||
<table>
|
|
||||||
<colgroup>
|
|
||||||
<col width="50%" />
|
|
||||||
<col width="50%" />
|
|
||||||
</colgroup>
|
|
||||||
<tbody>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p><strong>SourcePath</strong></p></td>
|
|
||||||
<td align="left"><p>is the path, which was changed to point to the Office applications that were downloaded earlier.</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td align="left"><p><strong>Product ID</strong></p></td>
|
|
||||||
<td align="left"><p>for Office was changed to <code>ProPlusVolume</code>.</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p><strong>Product ID</strong></p></td>
|
|
||||||
<td align="left"><p>for Visio was changed to <code>VisioProVolume</code>.</p></td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
<p> </p>
|
|
||||||
<p></p></li>
|
|
||||||
</ul></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>ExcludeApp (optional)</p></td>
|
<td align="left"><p>ExcludeApp (optional)</p></td>
|
||||||
<td align="left"><p>Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access.</p></td>
|
<td align="left"><p>Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>PACKAGEGUID (optional)</p></td>
|
<td align="left"><p>PACKAGEGUID (optional)</p></td>
|
||||||
<td align="left"><p>By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.</p>
|
<td align="left"><p>By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.</p>
|
||||||
<p>An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.</p>
|
<p>An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.</p>
|
||||||
<div class="alert">
|
>**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
|
||||||
<strong>Note</strong>
|
</td>
|
||||||
<p>Even if you use unique package IDs, you can still deploy only one App-V package to a single device.</p>
|
|
||||||
</div>
|
|
||||||
<div>
|
|
||||||
|
|
||||||
</div></td>
|
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
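Review bot: The ProductID cell and row are left unclosed on the new side. The removed lines `</ul></td>` and `</tr>` carried the only closing tags for the `<td>` that begins "Specify Subscription licensing", so `</table>` and `<p></p>` now run straight into `<tr class="odd">` for ExcludeApp. Add `</td>` and `</tr>` after the `<p></p>` instead of relying on parser recovery. The PACKAGEGUID note is also now a Markdown blockquote (`>**Note** Even if you use unique package IDs ...`) inside a raw HTML `<td>`; check that it renders as a note and not as literal text.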
@ -540,7 +475,7 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
</tr>
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p><strong>/packager</strong></p></td>
|
<td align="left"><p><strong>/packager</strong></p></td>
|
||||||
<td align="left"><p>creates the Office 2016 App-V package with Volume Licensing as specified in the customConfig.xml file.</p></td>
|
<td align="left"><p>creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p><strong>\\server\Office2016\Customconfig.xml</strong></p></td>
|
<td align="left"><p><strong>\\server\Office2016\Customconfig.xml</strong></p></td>
|
||||||
@ -553,14 +488,15 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved:
|
|
||||||
|
|
||||||
- **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files.
|
After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved:
|
||||||
|
|
||||||
- **WorkingDir**
|
- **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files.
|
||||||
|
|
||||||
**Note**
|
- **WorkingDir**
|
||||||
To troubleshoot any issues, see the log files in the %temp% directory (default).
|
|
||||||
|
**Note** To troubleshoot any issues, see the log files in the %temp% directory (default).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
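Review bot: The troubleshooting note is written as `**Note** To troubleshoot any issues ...` without the leading `>` that the other converted notes in this file use (for example `>**Note** Even if you use unique package IDs ...`), so it will render as a plain paragraph. Use the same blockquote form. Since the sentence above it is being moved anyway, change "the following folders appear up in the directory" to "appear in the directory".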
@ -570,7 +506,7 @@ After you download the Office 2016 applications through the Office Deployment To
|
|||||||
|
|
||||||
2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected.
|
2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected.
|
||||||
|
|
||||||
## <a href="" id="bkmk-pub-pkg-office"></a>Publishing the Office package for App-V 5.1
|
## <a href="" id="bkmk-pub-pkg-office"></a>Publishing the Office package for App-V
|
||||||
|
|
||||||
|
|
||||||
Use the following information to publish an Office package.
|
Use the following information to publish an Office package.
|
||||||
@ -636,8 +572,6 @@ To manage your Office App-V packages, use the same operations as you would for a
|
|||||||
|
|
||||||
- [Managing Office 2016 package upgrades](#bkmk-manage-office-pkg-upgrd)
|
- [Managing Office 2016 package upgrades](#bkmk-manage-office-pkg-upgrd)
|
||||||
|
|
||||||
- [Managing Office 2016 licensing upgrades](#bkmk-manage-office-lic-upgrd)
|
|
||||||
|
|
||||||
- [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project)
|
- [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project)
|
||||||
|
|
||||||
### <a href="" id="bkmk-enable-office-plugins"></a>Enabling Office plug-ins by using connection groups
|
### <a href="" id="bkmk-enable-office-plugins"></a>Enabling Office plug-ins by using connection groups
|
||||||
@ -648,16 +582,15 @@ Use the steps in this section to enable Office plug-ins with your Office package
|
|||||||
|
|
||||||
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
|
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
|
||||||
|
|
||||||
2. Sequence your plug-ins using the App-V 5.1 Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
|
2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
|
||||||
|
|
||||||
3. Create an App-V 5.1 package that includes the desired plug-ins.
|
3. Create an App-V package that includes the desired plug-ins.
|
||||||
|
|
||||||
4. Add a Connection Group through App-V server, System Center Configuration Manager, or a PowerShell cmdlet.
|
4. Add a Connection Group through App-V server, System Center Configuration Manager, or a PowerShell cmdlet.
|
||||||
|
|
||||||
5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
|
5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
|
||||||
|
|
||||||
**Important**
|
>**Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.
|
||||||
The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
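Review bot: Step 2 still reads "Office 365 ProPlus(non-virtual)" with no space before the parenthesis, on a line this hunk already rewrites. Steps 1 and 4 are also the same instruction apart from the casing of "App-V Server" and "App-V server"; if only one Connection Group needs to be added, drop one of them. In the new `>**Important**` line, "Connection group descriptor file" should use the "Connection Group" casing found in the rest of the step.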
@ -677,11 +610,9 @@ Use the steps in this section to enable Office plug-ins with your Office package
|
|||||||
|
|
||||||
### <a href="" id="bkmk-disable-office-apps"></a>Disabling Office 2016 applications
|
### <a href="" id="bkmk-disable-office-apps"></a>Disabling Office 2016 applications
|
||||||
|
|
||||||
You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
|
You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
|
||||||
|
|
||||||
**Note**
|
|
||||||
To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.
|
|
||||||
|
|
||||||
|
>**Note** To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.
|
||||||
|
|
||||||
|
|
||||||
**To disable an Office 2016 application**
|
**To disable an Office 2016 application**
|
||||||
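Review bot: The rewritten paragraph corrects "Office 2013 App-V package" to "Office 2016 App-V package" but keeps "leave all other Office application main available", which reads like a garbled "leave all other Office applications available". Fix it in the same edit, since the line is already being touched.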
@ -734,11 +665,11 @@ You may want to disable shortcuts for certain Office applications instead of unp
|
|||||||
<Extension Category="AppV.Shortcut">
|
<Extension Category="AppV.Shortcut">
|
||||||
<Shortcut>
|
<Shortcut>
|
||||||
<File>[{Common Programs}]\Microsoft Office 2016\Access 2016.lnk</File>
|
<File>[{Common Programs}]\Microsoft Office 2016\Access 2016.lnk</File>
|
||||||
<Target>[{AppvPackageRoot}])office15\MSACCESS.EXE</Target>
|
<Target>[{AppvPackageRoot}])office16\MSACCESS.EXE</Target>
|
||||||
<Icon>[{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico</Icon>
|
<Icon>[{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico</Icon>
|
||||||
<Arguments />
|
<Arguments />
|
||||||
<WorkingDirectory />
|
<WorkingDirectory />
|
||||||
<AppuserModelId>Microsoft.Office.MSACCESS.EXE.16</AppUserModelId>
|
<AppuserModelId>Microsoft.Office.MSACCESS.EXE.15</AppUserModelId>
|
||||||
<AppUsermodelExcludeFroeShowInNewInstall>true</AppUsermodelExcludeFroeShowInNewInstall>
|
<AppUsermodelExcludeFroeShowInNewInstall>true</AppUsermodelExcludeFroeShowInNewInstall>
|
||||||
<Description>Build a professional app quickly to manage data.</Description>
|
<Description>Build a professional app quickly to manage data.</Description>
|
||||||
<ShowCommand>l</ShowCommand>
|
<ShowCommand>l</ShowCommand>
|
||||||
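Review bot: The `AppUserModelId` change runs in the opposite direction from the rest of the hunk: `Target` moves from `office15` to `office16`, but the ID moves from `Microsoft.Office.MSACCESS.EXE.16` to `Microsoft.Office.MSACCESS.EXE.15`. In an Office 2016 sample that looks like a regression, so confirm the intended value. The sample is also not well-formed as shown: the opening tag is `<AppuserModelId>` while the closing tag is `</AppUserModelId>`, `[{AppvPackageRoot}])office16` has a stray `)`, and the Icon GUID opens with `{` and closes with `)`. Readers are likely to copy this into a deployment configuration file, so paste it from a working file.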
@ -760,36 +691,17 @@ To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a
|
|||||||
|
|
||||||
1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
|
1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
|
||||||
|
|
||||||
**Note**
|
>**Note** Office App-V packages have two Version IDs:
|
||||||
Office App-V packages have two Version IDs:
|
<ul>
|
||||||
|
<li>An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.</li>
|
||||||
- An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
|
<li>A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.</li>
|
||||||
|
</ul>
|
||||||
- A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
|
2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
|
||||||
|
|
||||||
3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
|
3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
|
||||||
|
|
||||||
### <a href="" id="bkmk-manage-office-lic-upgrd"></a>Managing Office 2016 licensing upgrades
|
|
||||||
|
|
||||||
If a new Office 2016 App-V Package has a different license than the Office 2016 App-V Package currently deployed. For instance, the Office 2013 package deployed is a subscription based Office 2016 and the new Office 2016 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade:
|
|
||||||
|
|
||||||
**How to upgrade an Office 2016 License**
|
|
||||||
|
|
||||||
1. Unpublish the already deployed Office 2016 Subscription Licensing App-V package.
|
|
||||||
|
|
||||||
2. Remove the unpublished Office 2016 Subscription Licensing App-V package.
|
|
||||||
|
|
||||||
3. Restart the computer.
|
|
||||||
|
|
||||||
4. Add the new Office 2016 App-V Package Volume Licensing.
|
|
||||||
|
|
||||||
5. Publish the added Office 2016 App-V Package with Volume Licensing.
|
|
||||||
|
|
||||||
An Office 2016 App-V Package with your chosen licensing will be successfully deployed.
|
|
||||||
|
|
||||||
### <a href="" id="bkmk-deploy-visio-project"></a>Deploying Visio 2016 and Project 2016 with Office
|
### <a href="" id="bkmk-deploy-visio-project"></a>Deploying Visio 2016 and Project 2016 with Office
|
||||||
|
|
||||||
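Review bot: The converted note mixes a Markdown blockquote with raw HTML: `>**Note** Office App-V packages have two Version IDs:` is followed by unquoted `<ul>` and `<li>` lines, so the list is no longer clearly part of the note inside step 1. Keep it all Markdown (prefix each item with `>` and `-`) or all HTML. The second item also switches between `x.x.x.x` and `X.X.X.X` for the same version ID; pick one form.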
@ -851,28 +763,21 @@ The following table describes the requirements and options for deploying Visio 2
|
|||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Additional resources
|
## Additional resources
|
||||||
|
|
||||||
|
|
||||||
**Office 2016 App-V Packages Additional Resources**
|
[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md)
|
||||||
|
|
||||||
|
[Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md)
|
||||||
|
|
||||||
[Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
|
[Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
|
||||||
|
|
||||||
[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://go.microsoft.com/fwlink/p/?LinkId=330680)
|
|
||||||
|
|
||||||
**Office 2013 and Office 2010 App-V Packages**
|
|
||||||
|
|
||||||
[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v51.md)
|
|
||||||
|
|
||||||
[Deploying Microsoft Office 2011 by Using App-V](deploying-microsoft-office-2010-by-using-app-v51.md)
|
|
||||||
|
|
||||||
**Connection Groups**
|
**Connection Groups**
|
||||||
|
|
||||||
[Deploying Connection Groups in Microsoft App-V v5](https://go.microsoft.com/fwlink/p/?LinkId=330683)
|
[Deploying Connection Groups in Microsoft App-V v5](https://go.microsoft.com/fwlink/p/?LinkId=330683)
|
||||||
|
|
||||||
[Managing Connection Groups](managing-connection-groups51.md)
|
[Managing Connection Groups](managing-connection-groups.md)
|
||||||
|
|
||||||
**Dynamic Configuration**
|
**Dynamic Configuration**
|
||||||
|
|
||||||
|
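Review bot: After this change the Office 2013 and Office 2010 links sit directly under `## Additional resources`, where the bold subheading `**Office 2016 App-V Packages Additional Resources**` used to be, while `**Connection Groups**` and `**Dynamic Configuration**` keep their subheadings. The first group now mixes older-version topics with the Office 2016 Deployment Tool link under no label. Restore a subheading for it, and confirm that dropping the "Supported scenarios for deploying Microsoft Office as a sequenced App-V Package" link is intended.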
@ -29,7 +29,10 @@ Use the following procedure to view and configure default package extensions.
|
|||||||
|
|
||||||
5. To edit other application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. Select the modified file and click **Open**. In the dialog box, click **Overwrite** to complete the process.
|
5. To edit other application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. Select the modified file and click **Open**. In the dialog box, click **Overwrite** to complete the process.
|
||||||
|
|
||||||
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
|
>**Note** If the upload fails and the size of your configuration file is above 4MB, you will need to increase the maximum file size allowed by the server. This can be done by adding the maxRequestLength attribute with a value greater than the size of your configuration file (in KB) to the httpRuntime element on line 26 of C:\Program Files\Microsoft Application Virtualization Server\ManagementService\Web.config. For example, changing'<httpRuntime targetFramework="4.5"/> ' to '<httpRuntime targetFramework="4.5" maxRequestLength="8192"/>' will increase the maximum size to 8MB
|
||||||
|
|
||||||
|
|
||||||
|
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
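Review bot: The new note identifies the element by position ("on line 26 of" the Web.config), which goes stale as soon as the file differs between versions; refer to the `httpRuntime` element by name only. It should also tell the reader to set `maxRequestLength` just above the size actually needed, since the attribute caps the upload size the management service accepts. For formatting, add a space in "changing'<httpRuntime", remove the stray space before the closing quote, put both element examples in code formatting, and end the sentence with a period.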
@ -287,11 +287,6 @@ MBAM supports the following versions of Configuration Manager.
|
|||||||
<td align="left"><p></p></td>
|
<td align="left"><p></p></td>
|
||||||
<td align="left"><p>64-bit</p></td>
|
<td align="left"><p>64-bit</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
|
||||||
<td align="left"><p>Microsoft System Center 2012 R2 Configuration Manager</p></td>
|
|
||||||
<td align="left"><p></p></td>
|
|
||||||
<td align="left"><p>64-bit</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>Microsoft System Center 2012 Configuration Manager</p></td>
|
<td align="left"><p>Microsoft System Center 2012 Configuration Manager</p></td>
|
||||||
<td align="left"><p>SP1</p></td>
|
<td align="left"><p>SP1</p></td>
|
||||||
@ -301,13 +296,9 @@ MBAM supports the following versions of Configuration Manager.
|
|||||||
<td align="left"><p>Microsoft System Center Configuration Manager 2007 R2 or later</p></td>
|
<td align="left"><p>Microsoft System Center Configuration Manager 2007 R2 or later</p></td>
|
||||||
<td align="left"><p>SP1 or later</p></td>
|
<td align="left"><p>SP1 or later</p></td>
|
||||||
<td align="left"><p>64-bit</p>
|
<td align="left"><p>64-bit</p>
|
||||||
<div class="alert">
|
|
||||||
<strong>Note</strong>
|
>**Note** Although Configuration Manager 2007 R2 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software.
|
||||||
<p>Although Configuration Manager 2007 R2 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software.</p>
|
</td>
|
||||||
</div>
|
|
||||||
<div>
|
|
||||||
|
|
||||||
</div></td>
|
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
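Review bot: The note is now a Markdown blockquote placed inside a raw HTML cell: `<td align="left"><p>64-bit</p>` is followed by `>**Note** Although Configuration Manager 2007 R2 is 32 bit ...` and then `</td>`. Markdown inside an HTML table is often passed through unparsed, in which case the cell shows a literal `>**Note**`. Verify the rendered output, or keep the note as HTML (`<strong>Note</strong>` in a `<p>`) within the cell. "32 bit" should also be "32-bit" to match "64-bit" in the same sentence.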
@ -349,29 +340,15 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll
|
|||||||
<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
|
<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
|
||||||
<td align="left"><p>SP1</p></td>
|
<td align="left"><p>SP1</p></td>
|
||||||
<td align="left"><p>64-bit</p></td>
|
<td align="left"><p>64-bit</p></td>
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
|
||||||
<td align="left"><p>Microsoft SQL Server 2014</p></td>
|
|
||||||
<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
|
|
||||||
<td align="left"><p></p></td>
|
|
||||||
<td align="left"><p>64-bit</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
|
||||||
<td align="left"><p>Microsoft SQL Server 2012</p></td>
|
|
||||||
<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
|
|
||||||
<td align="left"><p>SP2</p></td>
|
|
||||||
<td align="left"><p>64-bit</p></td>
|
|
||||||
</tr>
|
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left"><p>Microsoft SQL Server 2012</p></td>
|
<td align="left"><p>Microsoft SQL Server 2012</p></td>
|
||||||
<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
|
<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
|
||||||
<td align="left"><p>SP1</p></td>
|
<td align="left"><p>SP3</p></td>
|
||||||
<td align="left"><p>64-bit</p></td>
|
<td align="left"><p>64-bit</p></td>
|
||||||
</tr>
|
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>Microsoft SQL Server 2008 R2</p></td>
|
<td align="left"><p>Microsoft SQL Server 2008 R2</p></td>
|
||||||
<td align="left"><p>Standard or Enterprise</p></td>
|
<td align="left"><p>Standard or Enterprise</p></td>
|
||||||
<td align="left"><p>SP1, SP2, SP3</p></td>
|
<td align="left"><p>SP3</p></td>
|
||||||
<td align="left"><p>64-bit</p></td>
|
<td align="left"><p>64-bit</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
|
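Review bot: Two `</tr>` end tags are deleted along with the rows: the one after the first row's `64-bit` cell and the one after the Microsoft SQL Server 2012 row, so on the new side only the SQL Server 2008 R2 row is closed before `</tbody>`. Keep a `</tr>` after each remaining row. The content change is also more than a cleanup: the SQL Server 2014 row is removed, SQL Server 2012 goes from separate SP1 and SP2 rows to a single SP3 row, and SQL Server 2008 R2 goes from "SP1, SP2, SP3" to "SP3". Confirm this matches the intended support matrix.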
@ -163,6 +163,9 @@ ramdisksdidevice boot
|
|||||||
ramdisksdipath \boot\boot.sdi
|
ramdisksdipath \boot\boot.sdi
|
||||||
```
|
```
|
||||||
|
|
||||||
|
>[!TIP]
|
||||||
|
>If you start the PXE boot process, but receive the error that "The boot configuration data for your PC is missing or contains errors" then verify that \\boot directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different.
|
||||||
|
|
||||||
## PXE boot process summary
|
## PXE boot process summary
|
||||||
|
|
||||||
The following summarizes the PXE client boot process.
|
The following summarizes the PXE client boot process.
|
||||||
|
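Review bot: In the new tip, "verify that \\boot directory is installed" is missing an article, and the path is not code-formatted, so it depends on Markdown escaping to display as \boot. Suggest "verify that the `\boot` directory is installed under the correct TFTP server root directory", with a comma before "then".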
@ -56,6 +56,8 @@ To run the Upgrade Analytics deployment script:
|
|||||||
|
|
||||||
4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
|
4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
|
||||||
|
|
||||||
|
<div id="error-codes"></div>
|
||||||
|
|
||||||
The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
|
The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
|
||||||
|
|
||||||
<div style='font-size:10.0pt'>
|
<div style='font-size:10.0pt'>
|
||||||
|
@ -417,12 +417,16 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
|
|||||||
Disable-NetAdapter "Ethernet 2" -Confirm:$false
|
Disable-NetAdapter "Ethernet 2" -Confirm:$false
|
||||||
```
|
```
|
||||||
|
|
||||||
|
>Wait until the disable-netadapter command completes before proceeding.
|
||||||
|
|
||||||
|
|
||||||
2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
|
2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
|
||||||
|
|
||||||
```
|
```
|
||||||
New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
|
New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
|
||||||
Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
|
Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
|
||||||
```
|
```
|
||||||
|
|
||||||
>Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle.
|
>Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle.
|
||||||
|
|
||||||
3. Start the new VM and connect to it:
|
3. Start the new VM and connect to it:
|
||||||
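Review bot: The added line names the cmdlet as `disable-netadapter`, while the command block directly above it uses `Disable-NetAdapter "Ethernet 2" -Confirm:$false`. Match the casing and put the cmdlet name in code formatting so it is clear which command the reader must wait for.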
@ -452,24 +456,24 @@ This completes the demonstration of how to deploy a reference image to the netwo
|
|||||||
|
|
||||||
This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
|
This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
|
||||||
|
|
||||||
If the PC1 VM is not already running, then start and connect to it:
|
1. If the PC1 VM is not already running, then start and connect to it:
|
||||||
|
|
||||||
```
|
```
|
||||||
Start-VM PC1
|
Start-VM PC1
|
||||||
vmconnect localhost PC1
|
vmconnect localhost PC1
|
||||||
```
|
```
|
||||||
|
|
||||||
1. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
|
2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
|
||||||
|
|
||||||
```
|
```
|
||||||
Checkpoint-VM -Name PC1 -SnapshotName BeginState
|
Checkpoint-VM -Name PC1 -SnapshotName BeginState
|
||||||
```
|
```
|
||||||
|
|
||||||
2. Sign on to PC1 using the CONTOSO\Administrator account.
|
3. Sign on to PC1 using the CONTOSO\Administrator account.
|
||||||
|
|
||||||
>Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
|
>Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
|
||||||
|
|
||||||
3. Open an elevated command prompt on PC1 and type the following:
|
4. Open an elevated command prompt on PC1 and type the following:
|
||||||
|
|
||||||
```
|
```
|
||||||
cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
|
cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
|
||||||
@ -477,13 +481,13 @@ If the PC1 VM is not already running, then start and connect to it:
|
|||||||
|
|
||||||
**Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer.
|
**Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer.
|
||||||
|
|
||||||
4. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
|
5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
|
||||||
|
|
||||||
5. Choose **Do not back up the existing computer** and click **Next**.
|
6. Choose **Do not back up the existing computer** and click **Next**.
|
||||||
|
|
||||||
**Note**: The USMT will still back up the computer.
|
**Note**: The USMT will still back up the computer.
|
||||||
|
|
||||||
6. Lite Touch Installation will perform the following actions:
|
7. Lite Touch Installation will perform the following actions:
|
||||||
- Back up user settings and data using USMT.
|
- Back up user settings and data using USMT.
|
||||||
- Install the Windows 10 Enterprise X64 operating system.
|
- Install the Windows 10 Enterprise X64 operating system.
|
||||||
- Update the operating system via Windows Update.
|
- Update the operating system via Windows Update.
|
||||||
@ -491,15 +495,15 @@ If the PC1 VM is not already running, then start and connect to it:
|
|||||||
|
|
||||||
You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings.
|
You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings.
|
||||||
|
|
||||||
7. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
|
8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
|
||||||
|
|
||||||
8. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
|
9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
|
||||||
|
|
||||||
```
|
```
|
||||||
Checkpoint-VM -Name PC1 -SnapshotName RefreshState
|
Checkpoint-VM -Name PC1 -SnapshotName RefreshState
|
||||||
```
|
```
|
||||||
|
|
||||||
9. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
|
10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
|
||||||
|
|
||||||
```
|
```
|
||||||
Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
|
Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
|
||||||
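Review bot: The renumbered step 10 still reads "Restore the PC1 VM to it's previous state". Since the line is being touched for the renumbering anyway, change "it's" to the possessive "its".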
@ -507,7 +511,7 @@ If the PC1 VM is not already running, then start and connect to it:
|
|||||||
vmconnect localhost PC1
|
vmconnect localhost PC1
|
||||||
```
|
```
|
||||||
|
|
||||||
10. Sign in to PC1 using the contoso\administrator account.
|
11. Sign in to PC1 using the contoso\administrator account.
|
||||||
|
|
||||||
## Replace a computer with Windows 10
|
## Replace a computer with Windows 10
|
||||||
|
|
||||||
@ -557,10 +561,10 @@ At a high level, the computer replace process consists of:<BR>
|
|||||||
```
|
```
|
||||||
3. Complete the deployment wizard using the following:
|
3. Complete the deployment wizard using the following:
|
||||||
- **Task Sequence**: Backup Only Task Sequence
|
- **Task Sequence**: Backup Only Task Sequence
|
||||||
- **User Data**: Specify a location: **\\SRV1\MigData$\PC1**
|
- **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1**
|
||||||
- **Computer Backup**: Do not back up the existing computer.
|
- **Computer Backup**: Do not back up the existing computer.
|
||||||
4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
|
4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
|
||||||
5. Verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete.
|
5. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete.
|
||||||
6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
|
6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
|
||||||
|
|
||||||
```
|
```
|
||||||
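Review bot: Step 4 in the context lines has an unbalanced bold marker, `**Monitoring*`, which will render with literal asterisks; close it as `**Monitoring**` while steps 3 and 5 are being edited. The User Data path now starts with four backslashes (`\\\\SRV1\MigData$\PC1`), while the Configuration Manager guide in this same commit writes its UNC paths with three (`\\\SRV1\Sources$\...`). Pick one escaping convention and confirm both render as a two-backslash UNC path in the published output.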
@ -585,18 +589,24 @@ At a high level, the computer replace process consists of:<BR>
|
|||||||
```
|
```
|
||||||
Disable-NetAdapter "Ethernet 2" -Confirm:$false
|
Disable-NetAdapter "Ethernet 2" -Confirm:$false
|
||||||
```
|
```
|
||||||
|
|
||||||
|
>As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding.
|
||||||
|
|
||||||
|
|
||||||
3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
|
3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
|
||||||
|
|
||||||
```
|
```
|
||||||
Start-VM PC3
|
Start-VM PC3
|
||||||
vmconnect localhost PC3
|
vmconnect localhost PC3
|
||||||
```
|
```
|
||||||
|
|
||||||
4. When prompted, press ENTER for network boot.
|
4. When prompted, press ENTER for network boot.
|
||||||
|
|
||||||
6. On PC3, ue the following settings for the Windows Deployment Wizard:
|
6. On PC3, use the following settings for the Windows Deployment Wizard:
|
||||||
- **Task Sequence**: Windows 10 Enterprise x64 Custom Image
|
- **Task Sequence**: Windows 10 Enterprise x64 Custom Image
|
||||||
- **Move Data and Settings**: Do not move user data and settings
|
- **Move Data and Settings**: Do not move user data and settings
|
||||||
- **User Data (Restore)**: Specify a location: **\\SRV1\MigData$\PC1**
|
- **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1**
|
||||||
|
|
||||||
5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
|
5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
|
||||||
|
|
||||||
```
|
```
|
||||||
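Review bot: Step numbering in this procedure is out of order: the list runs 3, 4, 6, 5, with "6. On PC3, use the following settings" placed ahead of "5. When OS installation has started on PC1". Renumber so the wizard settings and the adapter re-enable step appear in the order they are performed. Step 5 also refers to OS installation starting on PC1 although the surrounding steps start, boot and configure PC3; please confirm which VM is meant.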
@ -606,7 +616,9 @@ At a high level, the computer replace process consists of:<BR>
|
|||||||
|
|
||||||
8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**.
|
8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**.
|
||||||
|
|
||||||
9. Verify that settings have been migrated from PC1, and then shut down PC3 in preparation for the next procedure.
|
9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure.
|
||||||
|
|
||||||
|
10. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure.
|
||||||
|
|
||||||
## Troubleshooting logs, events, and utilities
|
## Troubleshooting logs, events, and utilities
|
||||||
|
|
||||||
|
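Review bot: In the new step 10 the link text is the single word "next" (`[next](windows-10-poc-sc-config-mgr.md)`), which tells the reader nothing about where the link goes. Link the target guide's title, or at least the phrase "next procedure". In step 9, "This completes demonstration of the replace procedure" reads better as "This completes the demonstration of the replace procedure".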
@ -163,8 +163,8 @@ Topics and procedures in this guide are summarized in the following table. An es
|
|||||||
adsiedit.msc
|
adsiedit.msc
|
||||||
```
|
```
|
||||||
|
|
||||||
6. Right-click **ADSI Edit**, click **Connect to**, select **Default** under **Computer** and then click **OK**.
|
6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**.
|
||||||
7. Expand **Default naming context**>**DC=contoso,DC=com**, right-click **CN=System**, point to **New**, and then click **Object**.
|
7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**.
|
||||||
8. Click **container** and then click **Next**.
|
8. Click **container** and then click **Next**.
|
||||||
9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**.
|
9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**.
|
||||||
10. Right-click **CN=system Management** and then click **Properties**.
|
10. Right-click **CN=system Management** and then click **Properties**.
|
||||||
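Review bot: Step 9 has the reader type **System Management**, but step 10 in the context lines refers to the resulting object as **CN=system Management** with a lowercase "s". Make the casing in step 10 match what the reader typed, so the object they are told to right-click is the one they see in the console tree.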
@ -194,7 +194,7 @@ Topics and procedures in this guide are summarized in the following table. An es
|
|||||||
- **Settings Summary**: Review settings and click **Next**.
|
- **Settings Summary**: Review settings and click **Next**.
|
||||||
- **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**.
|
- **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**.
|
||||||
|
|
||||||
>There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored.
|
>There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment.
|
||||||
|
|
||||||
Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete.
|
Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete.
|
||||||
|
|
||||||
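Review bot: The qualifier "in this test environment" is added to the blockquote, but the Prerequisite Check bullet directly above it still says "Ignore any warnings" without any limit. The note only vouches for three named warnings (WSUS on site server and the two SQL Server memory items), so the bullet should tell the reader to ignore those three and to investigate anything else before clicking **Begin Install**.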
@ -207,7 +207,7 @@ Topics and procedures in this guide are summarized in the following table. An es
|
|||||||
|
|
||||||
## Download MDOP and install DaRT
|
## Download MDOP and install DaRT
|
||||||
|
|
||||||
1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso) to the C:\VHD directory on the Hyper-V host.
|
1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
|
||||||
|
|
||||||
2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
|
2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
|
||||||
|
|
||||||
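Review bot: Step 1 now gives the ISO file name and its size (2.79 GB), but a size does not confirm that the download is intact or authentic. If the subscriber download page publishes a hash for this file, add a sentence asking the reader to compare it with the output of Get-FileHash before the ISO is mounted on SRV1. The link in the same step also hard-codes the /en-us/ locale segment; consider a locale-neutral URL.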
@ -292,19 +292,19 @@ This section contains several procedures to support Zero Touch installation with
|
|||||||
2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**.
|
2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**.
|
||||||
3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**.
|
3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**.
|
||||||
4. On the PXE tab, select the following settings:
|
4. On the PXE tab, select the following settings:
|
||||||
- Enable PXE support for clients. Click **Yes** in the popup that appears.
|
- **Enable PXE support for clients**. Click **Yes** in the popup that appears.
|
||||||
- Allow this distribution point to respond to incoming PXE requests
|
- **Allow this distribution point to respond to incoming PXE requests**
|
||||||
- Enable unknown computer support. Click **OK** in the popup that appears.
|
- **Enable unknown computer support**. Click **OK** in the popup that appears.
|
||||||
- Require a password when computers use PXE
|
- **Require a password when computers use PXE**
|
||||||
- Password and Confirm password: pass@word1
|
- **Password** and **Confirm password**: pass@word1
|
||||||
- Respond to PXE requests on specific network interfaces: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure.
|
- **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure.
|
||||||
|
|
||||||
See the following example:
|
See the following example:
|
||||||
|
|
||||||
<img src="images/sccm-pxe.png" alt="Config Mgr PXE"/>
|
<img src="images/sccm-pxe.png" alt="Config Mgr PXE"/>
|
||||||
|
|
||||||
5. Click **OK**.
|
5. Click **OK**.
|
||||||
6. Type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
|
6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
|
||||||
|
|
||||||
```
|
```
|
||||||
cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
|
cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
|
||||||
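Review bot: On the **Password** and **Confirm password** line the PXE password is a literal value with no statement that it is a lab-only credential, and its formatting differs from the task sequence Details page in this same commit, where the value itself is bolded (`Password: **pass@word1**`). Bold the value here as well, and add a qualifier like the "in this test environment" wording this commit adds to the prerequisite warnings note. In step 6, "Wait for a minute" would read more naturally as "Wait about a minute".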
@ -340,7 +340,7 @@ This section contains several procedures to support Zero Touch installation with
|
|||||||
>You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
|
>You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image.
|
||||||
|
|
||||||
|
|
||||||
## Create a boot image for Configuration Manager
|
### Create a boot image for Configuration Manager
|
||||||
|
|
||||||
1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
|
1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**.
|
||||||
2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
|
2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**.
|
||||||
@ -357,13 +357,15 @@ This section contains several procedures to support Zero Touch installation with
|
|||||||
```
|
```
|
||||||
Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
|
Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
|
||||||
```
|
```
|
||||||
>In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
|
|
||||||
|
|
||||||
```
|
In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
|
||||||
STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C)
|
|
||||||
```
|
```
|
||||||
11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Doublt-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
|
STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C)
|
||||||
12. In the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
|
```
|
||||||
|
|
||||||
|
11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
|
||||||
|
12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab.
|
||||||
13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
|
13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**.
|
||||||
14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
|
14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
|
||||||
|
|
||||||
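Review bot: The sample STATMSG line shows ISTR0="Configuration Manager Client Upgrade Package" and package ID PS100003, not the Zero Touch WinPE x64 boot image this procedure distributes, so a reader who searches only for "STATMSG: ID=2301" can stop on a message for a different package. Tell the reader to confirm the package name or ID in the matching line, or replace the sample with one for the boot image. Moving the Find instruction out of the blockquote is fine, but check that the sentence and the fenced sample stay indented under the preceding step so the list still continues at 11.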
@ -380,7 +382,7 @@ This section contains several procedures to support Zero Touch installation with
|
|||||||
|
|
||||||
>The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
|
>The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT.
|
||||||
|
|
||||||
## Create a Windows 10 reference image
|
### Create a Windows 10 reference image
|
||||||
|
|
||||||
If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
|
If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section.
|
||||||
|
|
||||||
@ -534,7 +536,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
|
|||||||
|
|
||||||
This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
|
This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
|
||||||
|
|
||||||
## Add a Windows 10 operating system image
|
### Add a Windows 10 operating system image
|
||||||
|
|
||||||
1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
|
1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
|
||||||
|
|
||||||
@ -553,11 +555,11 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
|
|||||||
|
|
||||||
6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
|
6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**.
|
||||||
|
|
||||||
7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar, click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes.
|
7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes.
|
||||||
|
|
||||||
>If content distribution is not successful, verify that sufficient disk space is available.
|
>If content distribution is not successful, verify that sufficient disk space is available.
|
||||||
|
|
||||||
## Create a task sequence
|
### Create a task sequence
|
||||||
|
|
||||||
>Complete this section slowly. There are a large number of similar settings from which to choose.
|
>Complete this section slowly. There are a large number of similar settings from which to choose.
|
||||||
|
|
||||||
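Review bot: The trailing-space caveat is added to step 7 here, but the same location, **\Monitoring\Overview\Distribution Status\Content Status**, is entered in step 11 of the boot image procedure without it. Add the caveat there too, or state it once at the first place the location bar is used.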
@ -567,37 +569,37 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
|
|||||||
|
|
||||||
3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**.
|
3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**.
|
||||||
|
|
||||||
4. On the Details page, enter the following settings:<BR>
|
4. On the Details page, enter the following settings:
|
||||||
- Join a domain: contoso.com<BR>
|
- Join a domain: **contoso.com**
|
||||||
- Account: click **Set**<BR>
|
- Account: click **Set**
|
||||||
- User name: contoso\CM_JD<BR>
|
- User name: **contoso\CM_JD**
|
||||||
- Password: pass@word1<BR>
|
- Password: **pass@word1**
|
||||||
- Confirm password: pass@word1<BR>
|
- Confirm password: **pass@word1**
|
||||||
- Click **OK**<BR>
|
- Click **OK**
|
||||||
- Windows Settings<BR>
|
- Windows Settings
|
||||||
- User name: Contoso<BR>
|
- User name: **Contoso**
|
||||||
- Organization name: Contoso<BR>
|
- Organization name: **Contoso**
|
||||||
- Product key: \<blank\><BR>
|
- Product key: \<blank\>
|
||||||
- Administrator Account: Enable the account and specify the local administrator password<BR>
|
- Administrator Account: **Enable the account and specify the local administrator password**
|
||||||
- Password: pass@word1<BR>
|
- Password: **pass@word1**
|
||||||
- Confirm password: pass@word1<BR>
|
- Confirm password: **pass@word1**
|
||||||
- Click Next<BR>
|
- Click **Next**
|
||||||
|
|
||||||
5. On the Capture Settings page, accept the default settings and click **Next**.
|
5. On the Capture Settings page, accept the default settings and click **Next**.
|
||||||
|
|
||||||
6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package and then click **Next**.
|
6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**.
|
||||||
|
|
||||||
7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT 2013**, and then click **Next**.
|
7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**.
|
||||||
|
|
||||||
8. On the MDT Details page, next to **Name:** type **MDT 2013** and then click **Next**.
|
8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**.
|
||||||
|
|
||||||
9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, and then click **Next**.
|
9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**.
|
||||||
|
|
||||||
10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**.
|
10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**.
|
||||||
|
|
||||||
11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package** and then click **Next**.
|
11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**.
|
||||||
|
|
||||||
12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 8 10.0.14393.0** package, and then click **Next**.
|
12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**.
|
||||||
|
|
||||||
13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**.
|
13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**.
|
||||||
|
|
||||||
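Review bot: Steps 7 and 8 rename the MDT files package from **MDT 2013** to **MDT**, so every later step that selects that package by name has to change with it. This commit updates step 5 of the backup-only task sequence, but please search the file for any remaining "MDT 2013". The USMT package is named with a version string in step 12 here (**... for Windows 10.0.14393.0**) and without one in the backup-only task sequence; use whichever string the console actually displays in both places.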
@ -640,7 +642,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
|
|||||||
- Click **OK**<BR>.
|
- Click **OK**<BR>.
|
||||||
|
|
||||||
|
|
||||||
## Finalize the operating system configuration
|
### Finalize the operating system configuration
|
||||||
|
|
||||||
>If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini.
|
>If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini.
|
||||||
|
|
||||||
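Review bot: The context line "- Click **OK**<BR>." just above this heading still carries a `<BR>` tag followed by a stray period, while this commit removes the `<BR>` tags from the Details page list. Clean this one up in the same pass so the list formatting is consistent.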
@ -681,6 +683,14 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
|
|||||||
EventService=http://SRV1:9800
|
EventService=http://SRV1:9800
|
||||||
ApplyGPOPack=NO
|
ApplyGPOPack=NO
|
||||||
```
|
```
|
||||||
|
|
||||||
|
>As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts:
|
||||||
|
|
||||||
|
```
|
||||||
|
OSDMigrateAdditionalCaptureOptions=/all
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears.
|
7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears.
|
||||||
|
|
||||||
8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**.
|
8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**.
|
||||||
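Review bot: The new blockquote opens with "As noted previously", but the blockquote at the top of this section allows for readers who did not complete the MDT guide, so they may never have seen the earlier note. Link to it or restate it here. Since `OSDMigrateAdditionalCaptureOptions=/all` captures settings from all user accounts, it is also worth saying that this widens what ends up in the migration store beyond the Contoso domain accounts.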
@ -705,6 +715,8 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
|
|||||||
|
|
||||||
## Deploy Windows 10 using PXE and Configuration Manager
|
## Deploy Windows 10 using PXE and Configuration Manager
|
||||||
|
|
||||||
|
In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings.
|
||||||
|
|
||||||
1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
|
1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
|
||||||
|
|
||||||
```
|
```
|
||||||
@ -718,7 +730,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
|
|||||||
|
|
||||||
3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**.
|
3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**.
|
||||||
|
|
||||||
4. Before you click Next in the Task Sequence Wizard, press the **F8** key. A command prompt will open.
|
4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open.
|
||||||
|
|
||||||
5. At the command prompt, type **explorer.exe** and review the Windows PE file structure.
|
5. At the command prompt, type **explorer.exe** and review the Windows PE file structure.
|
||||||
|
|
||||||
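Review bot: Step 3 ends with "and then click **Next**", and step 4 then says "Before you click **Next** in the Task Sequence Wizard, press the **F8** key", so a reader following the steps in order has already left the page where F8 is meant to be pressed. Drop the click from step 3, or move the F8 instruction ahead of it.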
@ -745,6 +757,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
|
|||||||
- Join the computer to the contoso.com domain
|
- Join the computer to the contoso.com domain
|
||||||
- Install any applications that were specified in the reference image
|
- Install any applications that were specified in the reference image
|
||||||
|
|
||||||
|
|
||||||
12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account.
|
12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account.
|
||||||
|
|
||||||
13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click Turn Windows features on or off, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image.
|
13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click Turn Windows features on or off, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image.
|
||||||
@ -927,7 +940,7 @@ vmconnect localhost PC1
|
|||||||
- Task sequence comments: **USMT backup only**
|
- Task sequence comments: **USMT backup only**
|
||||||
|
|
||||||
4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue.
|
4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue.
|
||||||
5. On the MDT Package page, browse and select the **MDT 2013** package. Click **OK** and then click **Next** to continue.
|
5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue.
|
||||||
6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue.
|
6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue.
|
||||||
7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue.
|
7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue.
|
||||||
8. On the Summary page, review the details and then click **Next**.
|
8. On the Summary page, review the details and then click **Next**.
|
||||||
|
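Review bot: step 5 now tells the reader to select a package named **MDT**, but the wizard lists packages under the name they were given when they were created. If the package-creation step earlier in this guide still names it **MDT 2013**, the reader will not find a match. Rename both in the same change, or word the step as "the MDT package you created earlier".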
@ -115,7 +115,11 @@ Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI
|
|||||||
|
|
||||||
Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
|
Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
|
||||||
|
|
||||||
The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software.
|
Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete.
|
||||||
|
|
||||||
|
Windows Defender in Windows 10 supports ELAM, as do Microsoft System Center 2012 Endpoint Protection and non-Microsoft antimalware apps.
|
||||||
|
|
||||||
|
To do this, ELAM loads an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software.
|
||||||
|
|
||||||
With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy.
|
With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy.
|
||||||
ELAM classifies drivers as follows:
|
ELAM classifies drivers as follows:
|
||||||
|
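Review bot: the added ELAM paragraph states unconditionally that "Windows will prevent the driver from starting", while the unchanged text right after it says boot drivers are initialized according to an initialization policy that IT pros can change through Group Policy. Qualify the new sentence (for example, "Windows can prevent the driver from starting, depending on the initialization policy") so the two do not contradict each other. The lead-in "To do this" is also separated from the paragraph it refers to by the Windows Defender sentence; consider moving the Defender sentence after it.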
@ -45,14 +45,14 @@ You can use System Center Configuration Manager’s existing functionality to cr
|
|||||||
|
|
||||||
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
|
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
|
||||||
|
|
||||||
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic.
|
3. Onboard your devices using SCCM by following the steps in the [Onboard devices to Windows Defender ATP](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/windows-defender-advanced-threat-protection#onboard-devices-for-windows-defender-atp) topic.
|
||||||
|
|
||||||
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
|
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
|
||||||
|
|
||||||
a. Choose a predefined device collection to deploy the package to.
|
a. Choose a predefined device collection to deploy the package to.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading.
|
> Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
|
||||||
|
|
||||||
|
|
||||||
### Configure sample collection settings
|
### Configure sample collection settings
|
||||||
|
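Review bot: step 3 no longer imports the configuration package, yet step 2 still extracts *WindowsDefenderATPOnboardingScript.cmd* and step 4 still says "Deploy the package", so the reader is sent to a separate onboarding topic and then asked to deploy a package that was never imported. Either keep the import step or make clear how steps 2 and 4 relate to the linked topic. Both added links also carry an `/en-us/` locale segment, unlike the locale-neutral technet link in step 4.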
@ -85,7 +85,7 @@ Applications may cause performance issues when they attempt to hook the isolated
|
|||||||
The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
|
The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.<br>
|
> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. This requirement is not restated in the tables that follow.<br>
|
||||||
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).<br>
|
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).<br>
|
||||||
> Starting in Widows 10, 1607, TPM 2.0 is required.
|
> Starting in Widows 10, 1607, TPM 2.0 is required.
|
||||||
|
|
||||||
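Review bot: with the first line of the note reworded to "Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers", the untouched last line "Starting in Widows 10, 1607, TPM 2.0 is required" repeats it with a typo ("Widows") and a different version format. Remove that line or merge it into the first one.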
@ -94,11 +94,11 @@ The following tables provide more information about the hardware, firmware, and
|
|||||||
|Baseline Protections | Description |
|
|Baseline Protections | Description |
|
||||||
|---------------------------------------------|----------------------------------------------------|
|
|---------------------------------------------|----------------------------------------------------|
|
||||||
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
|
||||||
| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | **Requirements**: These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>- VT-x (Intel) or<br>- AMD-V<br>And:<br>- Extended page tables, also called Second Level Address Translation (SLAT).<br><br>**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
|
| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | **Requirements**: These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>• VT-x (Intel) or<br>• AMD-V<br>And:<br>• Extended page tables, also called Second Level Address Translation (SLAT).<br><br>**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
|
||||||
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br><br>**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
|
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br><br>**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
|
||||||
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
|
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
|
||||||
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
|
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
|
||||||
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
|
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide.
|
> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide.
|
||||||
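Review bot: the Trusted Platform Module row, left unchanged here, still gives the requirement as "TPM 1.2 or TPM 2.0", while the note just above the table says TPM 2.0 is required starting with version 1607. State in the row which statement applies to Credential Guard itself and which to new hardware, so the baseline is unambiguous.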
@ -108,8 +108,8 @@ The following tables provide more information about the hardware, firmware, and
|
|||||||
| Protections for Improved Security | Description |
|
| Protections for Improved Security | Description |
|
||||||
|---------------------------------------------|----------------------------------------------------|
|
|---------------------------------------------|----------------------------------------------------|
|
||||||
| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU<br><br>**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
|
| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU<br><br>**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
|
||||||
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- BIOS password or stronger authentication must be supported.<br>- In the BIOS configuration, BIOS authentication must be set.<br>- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.<br><br>**Security benefits**:<br>- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.<br>- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
|
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>• BIOS password or stronger authentication must be supported.<br>• In the BIOS configuration, BIOS authentication must be set.<br>• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.<br><br>**Security benefits**:<br>• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.<br>• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
|
||||||
| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation<br><br>**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
|
| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation<br><br>**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
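Review bot: the Secure MOR row now requires "revision 2", but the link text still reads "Secure MOR implementation" and the row never expands MOR or says what revision 2 adds. Expand the acronym on first use (Memory Overwrite Request) and update the link text to match the new requirement name.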
@ -120,17 +120,20 @@ The following tables provide more information about the hardware, firmware, and
|
|||||||
|
|
||||||
| Protections for Improved Security | Description |
|
| Protections for Improved Security | Description |
|
||||||
|---------------------------------------------|----------------------------------------------------|
|
|---------------------------------------------|----------------------------------------------------|
|
||||||
| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:<br>Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)<br>- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).<br><br>**Security benefits**:<br>- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>- HSTI provides additional security assurance for correctly secured silicon and platform. |
|
| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:<br>Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)<br>• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).<br><br>**Security benefits**:<br>• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>• HSTI provides additional security assurance for correctly secured silicon and platform. |
|
||||||
| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.<br><br>**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
|
| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.<br><br>**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
|
||||||
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.<br><br>**Security benefits**:<br>- Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
|
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.<br><br>**Security benefits**:<br>• Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
#### 2017 Additional Security Recommendations (starting with the next major release of Windows 10)
|
#### 2017 Additional security requirements starting with Windows 10, version 1703
|
||||||
|
|
||||||
|
The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements.
|
||||||
|
|
||||||
| Protection for Improved Security | Description |
|
| Protection for Improved Security | Description |
|
||||||
|---------------------------------------------|----------------------------------------------------|
|
|---------------------------------------------|----------------------------------------------------|
|
||||||
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>• UEFI runtime service must meet these requirements: <br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> - PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and exceutable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code<br><br>**Security benefits**:<br>• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
||||||
|
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |
|
||||||
|
|
||||||
## Manage Credential Guard
|
## Manage Credential Guard
|
||||||
|
|
||||||
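Review bot: the added NX row has spelling errors in normative text: "exceutable" (three times), "non-volitile", and the phrase "not required for in non-volitile storage". It also mixes "writeable" and "writable". In the SMM row, the rewritten first benefit merges two sentences and no longer parses: "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS". Reuse the NX row wording there ("Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS"). The heading now says "requirements" while the table header still says "Protection for Improved Security"; pick one term.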
@ -178,11 +181,11 @@ You can do this by using either the Control Panel or the Deployment Image Servic
|
|||||||
|
|
||||||
1. Open an elevated command prompt.
|
1. Open an elevated command prompt.
|
||||||
2. Add the Hyper-V Hypervisor by running the following command:
|
2. Add the Hyper-V Hypervisor by running the following command:
|
||||||
``` syntax
|
```
|
||||||
dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
|
dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
|
||||||
```
|
```
|
||||||
3. Add the Isolated User Mode feature by running the following command:
|
3. Add the Isolated User Mode feature by running the following command:
|
||||||
``` syntax
|
```
|
||||||
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
|
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
|
||||||
```
|
```
|
||||||
|
|
||||||
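Review bot: while these fences are being touched, the placeholder in both commands is misleading: `dism /image:` takes the path to the root directory of the mounted offline image, not a WIM file name. Change `<WIM file name>` to something like `<path to mounted image>` so the commands work as typed.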
@ -211,7 +214,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic
|
|||||||
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
|
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
|
||||||
|
|
||||||
```
|
```
|
||||||
DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot
|
DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Credential Guard deployment in virtual machines
|
#### Credential Guard deployment in virtual machines
|
||||||
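Review bot: the script name is now hard-coded as `DG_Readiness_Tool_v3.0.ps1` here and in the disable and verify sections, so the next tool release needs the same three-place edit. Consider naming the version once in prose and using a placeholder in the commands. As written, the command also will not run from the download folder in PowerShell without a `.\` prefix, which is worth adding while the line is being changed.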
@ -280,7 +283,7 @@ For more info on virtualization-based security and Device Guard, see [Device Gua
|
|||||||
You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
|
You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
|
||||||
|
|
||||||
```
|
```
|
||||||
DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot
|
DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
|
||||||
```
|
```
|
||||||
|
|
||||||
### Check that Credential Guard is running
|
### Check that Credential Guard is running
|
||||||
@ -298,7 +301,7 @@ You can use System Information to ensure that Credential Guard is running on a P
|
|||||||
You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
|
You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
|
||||||
|
|
||||||
```
|
```
|
||||||
DG_Readiness_Tool_v2.0.ps1 -Ready
|
DG_Readiness_Tool_v3.0.ps1 -Ready
|
||||||
```
|
```
|
||||||
|
|
||||||
## Considerations when using Credential Guard
|
## Considerations when using Credential Guard
|
||||||
@ -314,7 +317,7 @@ DG_Readiness_Tool_v2.0.ps1 -Ready
|
|||||||
- **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
|
- **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
|
||||||
You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
|
You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
|
||||||
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
|
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
|
||||||
- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, Microsoft Passport, or Microsoft Passport for Work.
|
- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
|
||||||
- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
|
- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
|
||||||
- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
|
- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
|
||||||
|
|
||||||
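Review bot: the last bullet of this list (unchanged context) still contains the typo "malwar efrom"; since the commit is already editing the list for the Windows Hello for Business rename, fix it to "malware from" in the same pass. Separately, the Event ID 51 sample in the context ends with "TPM PCR mask: 0x0" right after the sentence saying a TPM-backed device reports a value other than 0, so a line stating which case the sample shows would prevent readers from taking 0x0 as the expected result.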
|
@ -14,7 +14,7 @@ author: brianlic-msft
|
|||||||
- Windows 10
|
- Windows 10
|
||||||
- Windows Server 2016
|
- Windows Server 2016
|
||||||
|
|
||||||
Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see:
|
Code integrity policies provide control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of code integrity, see:
|
||||||
- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) in "Introduction to Device Guard: virtualization-based security and code integrity policies."
|
- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) in "Introduction to Device Guard: virtualization-based security and code integrity policies."
|
||||||
- [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Device Guard."
|
- [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Device Guard."
|
||||||
|
|
||||||
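Review bot: the rewritten intro sentence scopes the feature to "a computer running Windows 10", while the applies-to list directly above it also names Windows Server 2016. Suggest "a computer running Windows 10 or Windows Server 2016", or drop the OS name from the sentence. "Provide control over a computer ... by specifying whether a driver or application is trusted" is also looser than it needs to be; "control which drivers and applications are trusted and can run" says the same thing more directly.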
@ -23,7 +23,7 @@ If you already understand the basics of code integrity policy and want procedure
|
|||||||
This topic includes the following sections:
|
This topic includes the following sections:
|
||||||
|
|
||||||
- [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics.
|
- [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics.
|
||||||
- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy.
|
- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a code integrity policy.
|
||||||
- [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted.
|
- [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted.
|
||||||
- [Example of file rule levels in use](#example-of-file-rule-levels-in-use): Gives an example of how file rule levels can be applied.
|
- [Example of file rule levels in use](#example-of-file-rule-levels-in-use): Gives an example of how file rule levels can be applied.
|
||||||
|
|
||||||
@ -31,7 +31,7 @@ This topic includes the following sections:
|
|||||||
|
|
||||||
A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
|
A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
|
||||||
|
|
||||||
> **Note** Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies.
|
> **Note** Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **<EFI System Partition>\\Microsoft\\Boot**. Keep this in mind when you create your code integrity policies.
|
||||||
|
|
||||||
Optionally, code integrity policies can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
|
Optionally, code integrity policies can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
|
||||||
|
|
||||||
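Review bot: in the changed Note line, "<EFI System Partition>" sits inside bold Markdown rather than a code span, so a renderer can treat it as an HTML tag and drop it, leaving the second path as "\\Microsoft\\Boot" with no root. Escape the angle brackets or put both paths in backticks. Since the policy location is what an administrator will check when verifying deployment or investigating tampering, both paths need to survive rendering exactly.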
@ -43,10 +43,12 @@ Code integrity policies include *policy rules*, which control options such as au
|
|||||||
|
|
||||||
To modify the policy rule options of an existing code integrity policy, use the [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing code integrity policy:
|
To modify the policy rule options of an existing code integrity policy, use the [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing code integrity policy:
|
||||||
|
|
||||||
- To enable UMCI, add rule option 0 to an existing policy by running the following command:
|
- To ensure that UMCI is enabled for a code integrity policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
|
||||||
|
|
||||||
` Set-RuleOption -FilePath <Path to policy> -Option 0`
|
` Set-RuleOption -FilePath <Path to policy> -Option 0`
|
||||||
|
|
||||||
|
Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option.
|
||||||
|
|
||||||
- To disable UMCI on an existing code integrity policy, delete rule option 0 by running the following command:
|
- To disable UMCI on an existing code integrity policy, delete rule option 0 by running the following command:
|
||||||
|
|
||||||
` Set-RuleOption -FilePath <Path to policy> -Option 0 -Delete`
|
` Set-RuleOption -FilePath <Path to policy> -Option 0 -Delete`
|
||||||
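Review bot: the reworded first bullet tells the reader to add rule option 0 "to ensure that UMCI is enabled" for a policy created with `-UserPEs`, but the note changed in the next file of this commit says `-UserPEs` adds **0 Enabled:UMCI** automatically, so the two topics now disagree on whether the command is needed. State when option 0 would be missing, or say the command is a re-apply that is safe to run. The added paragraph about policies created without `-UserPEs` is the important warning here (in enforced mode every application is blocked), so it should come before the Set-RuleOption command rather than after it, and it should be indented to stay inside the list item.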
|
@ -38,11 +38,11 @@ To create a code integrity policy, copy each of the following commands into an e
|
|||||||
|
|
||||||
> **Notes**
|
> **Notes**
|
||||||
|
|
||||||
> - By specifying the *–UserPEs* parameter, rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. If you do not specify this parameter, to enable UMCI, use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) as shown in the following command:<br>**Set-RuleOption -FilePath $InitialCIPolicy -Option 0**
|
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
|
||||||
|
|
||||||
> - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.”
|
> - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.”
|
||||||
|
|
||||||
> - To specify that the code integrity policy scan only a specific drive, include the *–ScanPath* parameter followed by a path. Without this parameter, the entire system is scanned.
|
> - To specify that the code integrity policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
|
||||||
|
|
||||||
> - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
|
> - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
|
||||||
|
|
||||||
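Review bot: the rewritten first note drops the Set-RuleOption link and the example command (Set-RuleOption -FilePath $InitialCIPolicy -Option 0) but still talks about later adding rule option **0 Enabled:UMCI**, so the reader is no longer told how that option gets added. Keep the link, or point to the policy rules topic where the command is shown. The phrase "will cause a response from Device Guard" could also be tightened to lead with the outcome that matters operationally: with no user mode rules in the policy, enforced mode blocks every application.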
|
@ -30,10 +30,10 @@ For information about enabling Credential Guard, see [Protect derived domain cre
|
|||||||
|
|
||||||
In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS:
|
In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS:
|
||||||
|
|
||||||
- With Windows 10, version 1607 or Windows Server 2016:<br>
|
- Beginning with Windows 10, version 1607 or Windows Server 2016:<br>
|
||||||
Hyper-V Hypervisor, which is enabled automatically. No further action is needed.
|
Hyper-V Hypervisor, which is enabled automatically. No further action is needed.
|
||||||
|
|
||||||
- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:<br>
|
- With an earlier version of Windows 10:<br>
|
||||||
Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).
|
Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).
|
||||||
|
|
||||||
> **Note** You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box.
|
> **Note** You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box.
|
||||||
@ -42,12 +42,8 @@ Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).
|
|||||||
|
|
||||||
**Figure 1. Enable operating system features for VBS, Windows 10, version 1511**
|
**Figure 1. Enable operating system features for VBS, Windows 10, version 1511**
|
||||||
|
|
||||||
After you enable the feature or features, you can enable VBS for Device Guard, as described in the following sections.
|
|
||||||
|
|
||||||
## Enable Virtualization Based Security (VBS) and Device Guard
|
## Enable Virtualization Based Security (VBS) and Device Guard
|
||||||
|
|
||||||
Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
|
|
||||||
|
|
||||||
There are multiple ways to configure VBS features for Device Guard:
|
There are multiple ways to configure VBS features for Device Guard:
|
||||||
|
|
||||||
- You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic.
|
- You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic.
|
||||||
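Review bot: the second removed paragraph ("Before you begin this process, verify that the target device meets the hardware and firmware requirements ...") was the prerequisite check in front of the configuration steps; with it gone, the section opens straight into "There are multiple ways to configure VBS features for Device Guard". Keep a one-line pointer to the requirements topic so the enablement steps are not run on hardware that cannot support them. The unchanged readiness tool link in this hunk also still uses the /en-us/ URL form, while the same download link elsewhere in this commit is locale-neutral.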
@ -68,7 +64,7 @@ There are multiple ways to configure VBS features for Device Guard:
|
|||||||
|
|
||||||
3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
|
3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
|
||||||
|
|
||||||
4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.
|
4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
@ -91,7 +87,7 @@ There are multiple ways to configure VBS features for Device Guard:
|
|||||||
|
|
||||||
- With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:<br>For an initial deployment or test deployment, we recommend **Enabled without lock**.<br>When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
|
- With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:<br>For an initial deployment or test deployment, we recommend **Enabled without lock**.<br>When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
|
||||||
|
|
||||||
- With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:<br>Select the **Enable Virtualization Based Protection of Code Integrity** check box.
|
- With earlier versions of Windows 10:<br>Select the **Enable Virtualization Based Protection of Code Integrity** check box.
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
@ -183,7 +179,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS
|
|||||||
|
|
||||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
|
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
|
||||||
|
|
||||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f
|
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
|
||||||
```
|
```
|
||||||
|
|
||||||
If you want to customize the preceding recommended settings, use the following settings.
|
If you want to customize the preceding recommended settings, use the following settings.
|
||||||
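Review bot: removing the leading space from the value name (" Unlocked" to "Unlocked") corrects the command, but anyone who ran the earlier text as published will likely have a value whose name starts with a space under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard and no Unlocked value at all. Consider adding a sentence on checking for and deleting the stray value before rerunning the command. The same correction is made again in the "without UEFI lock" block, so search the rest of the file for other copies of the old string.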
@ -211,7 +207,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforc
|
|||||||
**To enable virtualization-based protection of Code Integrity policies without UEFI lock**
|
**To enable virtualization-based protection of Code Integrity policies without UEFI lock**
|
||||||
|
|
||||||
``` command
|
``` command
|
||||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f
|
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
|
||||||
```
|
```
|
||||||
|
|
||||||
### Validate enabled Device Guard hardware-based security features
|
### Validate enabled Device Guard hardware-based security features
|
||||||
|
@ -22,9 +22,9 @@ This policy setting determines whether the Lightweight Directory Access Protocol
|
|||||||
|
|
||||||
Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult.
|
Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult.
|
||||||
|
|
||||||
This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL.
|
This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636).
|
||||||
|
|
||||||
If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected.
|
If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389).
|
||||||
|
|
||||||
>**Caution:** If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.
|
>**Caution:** If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.
|
||||||
|
|
||||||
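Review bot: in the second changed sentence the port note is attached to the wrong clause: "LDAP simple binds not using SSL are rejected (LDAP TCP/389)" reads as if the rejection, not the bind, were on TCP/389. Suggest "LDAP simple binds that do not use SSL (LDAP TCP/389) are rejected", matching the form of the sentence above it. The old pair of sentences contradicted each other on simple bind through SSL, and the new text changes the documented behaviour rather than just rewording it, so the commit message should say which statement was wrong.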
|
@ -89,7 +89,7 @@ If the error occurs again, check the error code against the following table to s
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left">0x80090035</td>
|
<td align="left">0x80090035</td>
|
||||||
<td align="left">Policy requires TPM and the device does not have TPM.</td>
|
<td align="left">Policy requires TPM and the device does not have TPM.</td>
|
||||||
<td align="left">Change the Passport policy to not require a TPM.</td>
|
<td align="left">Change the Windows Hello for Business policy to not require a TPM.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left">0x801C0003</td>
|
<td align="left">0x801C0003</td>
|
||||||
@ -149,7 +149,7 @@ If the error occurs again, check the error code against the following table to s
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left">0x801C03EA</td>
|
<td align="left">0x801C03EA</td>
|
||||||
<td align="left">Server failed to authorize user or device.</td>
|
<td align="left">Server failed to authorize user or device.</td>
|
||||||
<td align="left">Check if the token is valid and user has permission to register Passport keys.</td>
|
<td align="left">Check if the token is valid and user has permission to register Windows Hello for Business keys.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
<td align="left">0x801C03EB</td>
|
<td align="left">0x801C03EB</td>
|
||||||
|
@ -113,9 +113,7 @@ Windows Hello for Business can use either keys (hardware or software) or certifi
|
|||||||
|
|
||||||
[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891)
|
[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891)
|
||||||
|
|
||||||
[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778)
|
[Authenticating identities without passwords through Windows Hello for Business](https://go.microsoft.com/fwlink/p/?LinkId=616778)
|
||||||
|
|
||||||
[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928)
|
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
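Review bot: the link text changes to "Authenticating identities without passwords through Windows Hello for Business" while the target (fwlink LinkId=616778) stays the same, so the label may no longer match the title of the page it opens. Confirm the target was renamed, or keep the original title and add the new product name in surrounding text. The "Microsoft Passport guide" link (LinkId=691928) is removed here and repointed in another hunk of this commit, so check that no other topic still references it.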
|
@ -352,7 +352,7 @@ You’ll need this software to set Windows Hello for Business policies in your e
|
|||||||
<li>Azure AD subscription</li>
|
<li>Azure AD subscription</li>
|
||||||
<li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
|
<li>[Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
|
||||||
<li>AD CS with NDES</li>
|
<li>AD CS with NDES</li>
|
||||||
<li>Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work</li>
|
<li>Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Windows Hello for Business</li>
|
||||||
</ul></td>
|
</ul></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
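Review bot: the changed list item still spells the product "InTune"; correct it to "Intune" while the line is being edited for the Windows Hello for Business rename. The unchanged Azure AD Connect item above it uses Markdown link syntax inside an HTML li element, which may not render as a link inside this HTML table.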
|
@ -32,7 +32,7 @@ A password is transmitted to the server -- it can be intercepted in transmission
|
|||||||
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
|
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928).
|
>For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-identity-verification.md#benefits-of-windows-hello).
|
||||||
|
|
||||||
## PIN is backed by hardware
|
## PIN is backed by hardware
|
||||||
|
|
||||||
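Review bot: the changed note line keeps the misspelling "asymetric"; fix it to "asymmetric" in the same edit. The new link text "Windows Hello for Business" points at the anchor #benefits-of-windows-hello, so confirm that section actually explains how the key pairs are used for authentication, since that is what the sentence promises.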
|
@ -61,7 +61,7 @@ For VPN, the following types of credentials will be added to credential manager
|
|||||||
- TPM KSP Certificate
|
- TPM KSP Certificate
|
||||||
- Software KSP Certificates
|
- Software KSP Certificates
|
||||||
- Smart Card Certificate
|
- Smart Card Certificate
|
||||||
- Passport for Work Certificate
|
- Windows Hello for Business Certificate
|
||||||
|
|
||||||
The username should also include a domain that can be reached over the connection (VPN or WiFi).
|
The username should also include a domain that can be reached over the connection (VPN or WiFi).
|
||||||
|
|
||||||
|
Binary file not shown.
Before Width: | Height: | Size: 47 KiB After Width: | Height: | Size: 32 KiB |
Binary file not shown.
Before Width: | Height: | Size: 47 KiB After Width: | Height: | Size: 33 KiB |
@ -42,19 +42,19 @@ You can deploy Device Guard in phases, and plan these phases in relation to the
|
|||||||
The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
|
The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
|
||||||
|
|
||||||
> **Notes**
|
> **Notes**
|
||||||
> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
|
> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).<br>
|
||||||
> - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
|
> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
|
||||||
|
|
||||||
## Device Guard requirements for baseline protections
|
## Device Guard requirements for baseline protections
|
||||||
|
|
||||||
|Baseline Protections - requirement | Description |
|
|Baseline Protections - requirement | Description |
|
||||||
|---------------------------------------------|----------------------------------------------------|
|
|---------------------------------------------|----------------------------------------------------|
|
||||||
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
|
||||||
| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | **Requirements**: These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>- VT-x (Intel) or<br>- AMD-V<br>And:<br>- Extended page tables, also called Second Level Address Translation (SLAT).<br><br>**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
|
| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | **Requirements**: These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>• VT-x (Intel) or<br>• AMD-V<br>And:<br>• Extended page tables, also called Second Level Address Translation (SLAT).<br><br>**Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
|
||||||
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
|
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
|
||||||
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
|
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
|
||||||
| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).<br><br>**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
|
| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).<br><br>**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
|
||||||
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
|
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
|
||||||
|
|
||||||
> **Important** The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
|
> **Important** The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
|
||||||
|
|
||||||
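Review bot: In the Notes blockquote, the markdown list markers (`> - `) are replaced with a literal `•`, and only the first item gets a trailing `<br>`, so a real list becomes plain text held apart by a hand-placed break. Inside table cells the `•` plus `<br>` form is the only option, but the blockquote rendered `> - ` as a list and should keep it. The rewritten TPM note also drops "This requirement is not restated in the tables that follow."; none of the tables in this file list TPM, so keep that sentence or add a TPM row.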
@ -62,32 +62,34 @@ The following tables provide more information about the hardware, firmware, and
|
|||||||
|
|
||||||
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
|
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
|
||||||
|
|
||||||
### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
|
### Additional Qualification Requirements starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
|
||||||
|
|
||||||
| Protections for Improved Security - requirement | Description |
|
| Protections for Improved Security - requirement | Description |
|
||||||
|---------------------------------------------|----------------------------------------------------|
|
|---------------------------------------------|----------------------------------------------------|
|
||||||
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- BIOS password or stronger authentication must be supported.<br>- In the BIOS configuration, BIOS authentication must be set.<br>- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.<br><br>**Security benefits**:<br>- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.<br>- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
|
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>• BIOS password or stronger authentication must be supported.<br>• In the BIOS configuration, BIOS authentication must be set.<br>• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.<br><br>**Security benefits**:<br>• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.<br>• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016)
|
### Additional Qualification Requirements starting with Windows 10, version 1607, and Windows Server 2016
|
||||||
|
|
||||||
> **Important** The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
|
> **Important** The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
|
||||||
|
|
||||||
| Protections for Improved Security - requirement | Description |
|
| Protections for Improved Security - requirement | Description |
|
||||||
|---------------------------------------------|----------------------------------------------------|
|
|---------------------------------------------|----------------------------------------------------|
|
||||||
| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:<br>Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)<br>- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).<br><br>**Security benefits**:<br>- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>- HSTI provides additional security assurance for correctly secured silicon and platform. |
|
| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:<br>Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)<br>• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx). <br><br>**Security benefits**:<br>• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
|
||||||
| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.<br><br>**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
|
| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.<br><br>**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
|
||||||
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.<br><br>**Security benefits**:<br>- Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
|
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.<br><br>**Security benefits**:<br>• Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017)
|
### Additional Qualification Requirements starting with Windows 10, version 1703
|
||||||
|
|
||||||
| Protections for Improved Security - requirement | Description |
|
The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements.
|
||||||
|
|
||||||
|
| Protection for Improved Security | Description |
|
||||||
|---------------------------------------------|----------------------------------------------------|
|
|---------------------------------------------|----------------------------------------------------|
|
||||||
| Firmware: **UEFI NX Protections** | **Requirements**:<br>- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.<br><br>UEFI Runtime Services:<br>- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.<br>- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.<br>- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware. |
|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>• UEFI runtime service must meet these requirements: <br> • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> • PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and exceutable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code<br><br>**Security benefits**:<br>• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
||||||
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
|
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |
|
||||||
|
|
||||||
## Device Guard deployment in different scenarios: types of devices
|
## Device Guard deployment in different scenarios: types of devices
|
||||||
|
|
||||||
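Review bot: The new "VBS enablement of NX protection for UEFI runtime services" row adds misspellings that should be fixed before merge: "exceutable" (three occurrences), "non-volitile", and the stray "for" in "not required for in". In the SMM row, the first security benefit now reads "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS", which is two sentences merged; use the wording from the NX row ("Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS"). The HSTI link loses `(v=vs.85)` but keeps `/en-us/`, while the rest of this commit strips the locale segment from URLs. The nested `•` items under "UEFI runtime service must meet these requirements" rely on leading spaces after `<br>` for indentation, which HTML collapses, so the hierarchy will not show in the rendered table.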
@ -95,9 +97,9 @@ Typically, deployment of Device Guard happens best in phases, rather than being
|
|||||||
|
|
||||||
| **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** |
|
| **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** |
|
||||||
|------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------|
|
|------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------|
|
||||||
| **Fixed-workload devices**: Perform same tasks every day.<br>Lists of approved applications rarely change.<br>Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.<br>After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.<br><br>- Code integrity policies in enforced mode, with UMCI enabled. |
|
| **Fixed-workload devices**: Perform same tasks every day.<br>Lists of approved applications rarely change.<br>Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.<br>After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.<br><br>• Code integrity policies in enforced mode, with UMCI enabled. |
|
||||||
| **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request additional software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.<br>Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.<br><br>- Code integrity policies in enforced mode, with UMCI enabled. |
|
| **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request additional software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.<br>Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.<br><br>• Code integrity policies in enforced mode, with UMCI enabled. |
|
||||||
| **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.<br><br>- Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
|
| **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.<br><br>• Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
|
||||||
| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A |
|
| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A |
|
||||||
|
|
||||||
## Device Guard deployment in virtual machines
|
## Device Guard deployment in virtual machines
|
||||||
|
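Review bot: In the third column of the Fixed-workload, Fully managed and Lightly managed rows, only the second item is converted to `•`; the first item still starts with `- VBS (hardware-based) protections, enabled.`, so each cell now mixes two bullet styles. Convert the leading `-` in those three cells as well so the markers match the other tables changed in this file.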
@ -162,6 +162,7 @@
|
|||||||
### [Troubleshooting App-V](appv-troubleshooting.md)
|
### [Troubleshooting App-V](appv-troubleshooting.md)
|
||||||
### [Technical Reference for App-V](appv-technical-reference.md)
|
### [Technical Reference for App-V](appv-technical-reference.md)
|
||||||
#### [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
|
#### [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
|
||||||
|
|
||||||
#### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
|
#### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
|
||||||
#### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
|
#### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
|
||||||
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md)
|
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md)
|
||||||
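Review bot: The hunk header counts one added line (6 to 7), yet every TOC entry shown is identical on both sides, so the addition appears to be the empty line between "Performance Guidance for Application Virtualization" and "Application Publishing and Client Interaction". The other entries in this TOC have no blank lines between them; drop it unless it is intentional.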
@ -221,4 +222,5 @@
|
|||||||
#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
|
#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
|
||||||
#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
|
#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
|
||||||
### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
|
### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
|
||||||
|
## [Windows Libraries](windows-libraries.md)
|
||||||
## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
|
## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
|
||||||
|
@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
|
|||||||
|
|
||||||
| New or changed topic | Description |
|
| New or changed topic | Description |
|
||||||
| --- | --- |
|
| --- | --- |
|
||||||
|
| [Windows Libraries](windows-libraries.md) | New |
|
||||||
| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New |
|
| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New |
|
||||||
| [Get started with Update Compliance](update-compliance-get-started.md) | New |
|
| [Get started with Update Compliance](update-compliance-get-started.md) | New |
|
||||||
| [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New |
|
| [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New |
|
||||||
|
@ -57,7 +57,7 @@ Cortana can only access data in your Office 365 org when it’s turned on. If yo
|
|||||||
**To turn off Cortana with Office 365**
|
**To turn off Cortana with Office 365**
|
||||||
1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account.
|
1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account.
|
||||||
|
|
||||||
2. Go to the [Office 365 admin center](https://support.office.com/en-us/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547).
|
2. Go to the [Office 365 admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547).
|
||||||
|
|
||||||
3. Expand **Service Settings**, and select **Cortana**.
|
3. Expand **Service Settings**, and select **Cortana**.
|
||||||
|
|
||||||
|
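Review bot: Step 1 still points at `http://www.office.com/signin`, a sign-in page linked over plain HTTP, while step 2 in the same list is edited and already uses `https://`. Since this hunk touches the procedure anyway, change the step 1 link to `https://www.office.com/signin` so the documented path to the credential prompt does not start with an unencrypted request.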
@ -59,6 +59,6 @@ Cortana is covered under the [Microsoft Privacy Statement](https://privacy.micro
|
|||||||
|
|
||||||
- [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384)
|
- [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384)
|
||||||
|
|
||||||
- [Known issues for Windows Desktop Search and Cortana in Windows 10](http://support.microsoft.com/kb/3206883/EN-US)
|
- [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10)
|
||||||
|
|
||||||
- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)
|
- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)
|
||||||
|
@ -19,7 +19,7 @@ localizationpriority: high
|
|||||||
Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
|
Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
|
||||||
|
|
||||||
>[!Note]
|
>[!Note]
|
||||||
>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/).
|
>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
|
||||||
|
|
||||||
## Before you begin
|
## Before you begin
|
||||||
To use this walkthrough, you’ll need:
|
To use this walkthrough, you’ll need:
|
||||||
@ -135,4 +135,4 @@ Now that you’ve set up your device, you can use Cortana to show your info from
|
|||||||

|

|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/).
|
>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
|
||||||
|
@ -19,7 +19,7 @@ localizationpriority: high
|
|||||||
Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
|
Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>For more info about how your developer can extend your current apps to work directly with Cortana, see [Cortana interactions in UWP apps](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/cortana-interactions).
|
>For more info about how your developer can extend your current apps to work directly with Cortana, see [The Cortana Skills Kit](https://docs.microsoft.com/cortana/getstarted).
|
||||||
|
|
||||||
## High-level process
|
## High-level process
|
||||||
Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
|
Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
|
||||||
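Review bot: In the [!NOTE] line, both the link text and the target change, from "Cortana interactions in UWP apps" to "The Cortana Skills Kit" at https://docs.microsoft.com/cortana/getstarted. The sentence around it still promises info on how a developer can extend current apps to work directly with Cortana. Please confirm the getstarted page covers UWP voice commands. If it does not, point this note at the docs.microsoft.com/cortana/voicecommands/ area that the next hunk links to, so the note and the procedure agree.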
@ -30,9 +30,9 @@ To enable voice commands in Cortana
|
|||||||
|
|
||||||
Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background.
|
Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background.
|
||||||
|
|
||||||
- **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-foreground-app-with-voice-commands-in-cortana).
|
- **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana).
|
||||||
|
|
||||||
- **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-background-app-with-voice-commands-in-cortana).
|
- **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana).
|
||||||
|
|
||||||
2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
|
2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
|
||||||
|
|
||||||
|
@ -28,7 +28,7 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W
|
|||||||
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
|
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
|
||||||
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
|
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
|
||||||
| **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app<br><br>User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) |
|
| **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app<br><br>User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) |
|
||||||
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](manage-cortana-in-enterprise.md) |
|
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](cortana-at-work-overview.md) |
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
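Review bot: The "Don't search the web or display web results" row now targets cortana-at-work-overview.md but keeps the link text "Cortana integration in your enterprise". Check that the text still matches the title of the new target topic, and that manage-cortana-in-enterprise.md is either redirected or no longer referenced elsewhere. As a style point, this row writes the policy path with backslashes while the two Store rows above it use " > " separators, so pick one form for the table.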
@ -72,6 +72,10 @@ Learn about managing and updating Windows 10.
|
|||||||
<td align="left"><p>[Windows Store for Business](windows-store-for-business.md)</p></td>
|
<td align="left"><p>[Windows Store for Business](windows-store-for-business.md)</p></td>
|
||||||
<td align="left"><p>Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.</p></td>
|
<td align="left"><p>Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr class="even">
|
||||||
|
<td align="left"><p>[Windows Libraries](windows-libraries.md)</p></td>
|
||||||
|
<td align="left"><p>Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music).</p></td>
|
||||||
|
</tr>
|
||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)</p></td>
|
<td align="left"><p>[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)</p></td>
|
||||||
<td align="left"><p>This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).</p></td>
|
<td align="left"><p>This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).</p></td>
|
||||||
|
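Review bot: The inserted Windows Libraries row is tagged tr class="even" and the Change history row after it stays tr class="odd". Before this change the Store for Business row and the Change history row were adjacent, so if the Store for Business row is also "even", the table now has two consecutive even rows and the striping repeats. Flip the new row to "odd" and the Change history row to "even", or confirm the class of the row above.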
@ -32,14 +32,53 @@ By default in Windows 10 Enterprise and Education, Delivery Optimization allows
|
|||||||
|
|
||||||
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
|
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
|
||||||
|
|
||||||
- Group Policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization
|
You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
|
||||||
- MDM: .Vendor/MSFT/Policy/Config/DeliveryOptimization
|
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
|
||||||
|
|
||||||
Several Delivery Optimization features are configurable.
|
Several Delivery Optimization features are configurable:
|
||||||
|
|
||||||
<span id="download-mode"/>
|
| Group Policy setting | MDM setting |
|
||||||
|
| --- | --- |
|
||||||
|
| [Download mode](#download-mode) | DODownloadMode |
|
||||||
|
| [Group ID](#group-id) | DOGroupID |
|
||||||
|
| [Max Cache Age](#max-cache-age) | DOMaxCacheAge |
|
||||||
|
| [Max Cache Size](#max-cache-size) | DOMaxCacheSize |
|
||||||
|
| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize |
|
||||||
|
| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive |
|
||||||
|
| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth |
|
||||||
|
| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth |
|
||||||
|
| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth |
|
||||||
|
| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap |
|
||||||
|
| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS |
|
||||||
|
|
||||||
### Download mode (DODownloadMode)
|
When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates.
|
||||||
|
|
||||||
|
While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior.
|
||||||
|
|
||||||
|
[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group.
|
||||||
|
|
||||||
|
Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the settings below to adjust the Delivery Optimization cache to suit your scenario:
|
||||||
|
- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use.
|
||||||
|
- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache.
|
||||||
|
- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location.
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
|
||||||
|
|
||||||
|
There are additional options available to robustly control the impact Delivery Optimization has on your network:
|
||||||
|
- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization.
|
||||||
|
- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
|
||||||
|
- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month.
|
||||||
|
- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
|
||||||
|
|
||||||
|
### How Microsoft uses Delivery Optimization
|
||||||
|
In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
|
||||||
|
|
||||||
|
For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study.
|
||||||
|
|
||||||
|
Provided below is a detailed description of every configurable feature setting. Use these details when configuring any of the above settings.
|
||||||
|
|
||||||
|
### Download mode
|
||||||
|
|
||||||
Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do.
|
Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do.
|
||||||
|
|
||||||
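Review bot: The rewritten Group Policy sentence gives the path as "Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization", dropping the leading "Computer" that the removed bullet had ("Computer Configuration\Policies\..."). Restore "Computer Configuration" so administrators look under the right node. Two smaller points in the added text: "Provided below is a detailed description of every configurable feature setting" now sits under the new "How Microsoft uses Delivery Optimization" heading, where it reads as part of the case study, so move it above that heading or directly before "### Download mode"; and "the first and most important thing to configure, would be" and "Maximum Download Bandwidth and Percentage of Maximum Download Bandwidth controls" need a grammar pass (drop the comma, "control").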
@ -55,176 +94,51 @@ Download mode dictates which download sources clients are allowed to use when do
|
|||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
|
>Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
|
||||||
|
|
||||||
### Group ID (DOGroupID)
|
### Group ID
|
||||||
|
|
||||||
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
|
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>This configuration is optional and not required for most implementations of Delivery Optimization.
|
>This configuration is optional and not required for most implementations of Delivery Optimization.
|
||||||
|
|
||||||
### Max Cache Age (DOMaxCacheAge)
|
### Max Cache Age
|
||||||
|
|
||||||
In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
|
In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
|
||||||
|
|
||||||
### Max Cache Size (DOMaxCacheSize)
|
### Max Cache Size
|
||||||
|
|
||||||
This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
|
This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
|
||||||
|
|
||||||
### Absolute Max Cache Size (DOAbsoluteMaxCacheSize)
|
### Absolute Max Cache Size
|
||||||
|
|
||||||
This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB.
|
This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB.
|
||||||
|
|
||||||
### Maximum Download Bandwidth (DOMaxDownloadBandwidth)
|
### Maximum Download Bandwidth
|
||||||
|
|
||||||
This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
|
This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
|
||||||
|
|
||||||
### Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
|
### Percentage of Maximum Download Bandwidth
|
||||||
|
|
||||||
This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
|
This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
|
||||||
|
|
||||||
### Max Upload Bandwidth (DOMaxUploadBandwidth)
|
### Max Upload Bandwidth
|
||||||
|
|
||||||
This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
|
This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
|
||||||
|
|
||||||
### Minimum Background QoS (DOMinBackgroundQoS)
|
### Minimum Background QoS
|
||||||
|
|
||||||
This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
|
This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
|
||||||
|
|
||||||
### Modify Cache Drive (DOModifyCacheDrive)
|
### Modify Cache Drive
|
||||||
|
|
||||||
This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache).
|
This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache).
|
||||||
|
|
||||||
### Monthly Upload Data Cap (DOMonthlyUploadDataCap)
|
### Monthly Upload Data Cap
|
||||||
|
|
||||||
This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
|
This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
|
||||||
|
|
||||||
## Delivery Optimization configuration examples
|
<span id="set-preferred-cache-devices"/>
|
||||||
|
## Set “preferred” cache devices for Delivery Optimization
|
||||||
Delivery Optimization can be configured in various ways, leveraging the policies described in the previous section. The following samples describe some common scenarios that organizations may want to set up, given specific scenarios in use for their organization.
|
|
||||||
|
|
||||||
### Use Delivery Optimzation with group download mode
|
|
||||||
|
|
||||||
Delivery Optimization by default will consider all PCs in an organizations as peers for sharing content, even those that might be located across a slower WAN link. Group download mode is designed to help with this by limiting the PCs that can be used. In Windows 10, version 1511, group download mode considers PCs in the same domain and with the same configured Group ID to be eligible peers. In Windows 10, version 1607, the default behavior also adds the PC's AD DS site into the grouping determination.
|
|
||||||
|
|
||||||
**To use Group Policy to configure Delivery Optimization for group download mode**
|
|
||||||
|
|
||||||
1. Open Group Policy Management Console (GPMC).
|
|
||||||
|
|
||||||
2. Expand Forest\Domains\\*Your_Domain*.
|
|
||||||
|
|
||||||
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
|
|
||||||
|
|
||||||
4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Group**.
|
|
||||||
|
|
||||||
5. Right-click the **Delivery Optimization – Group** GPO, and then click **Edit**.
|
|
||||||
|
|
||||||
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
|
|
||||||
|
|
||||||
7. Right-click the **Download Mode** setting, and then click **Edit**.
|
|
||||||
|
|
||||||
8. Enable the policy, and then select the **Group** download mode.
|
|
||||||
|
|
||||||
9. Right-click the **GroupID** setting, and then click **Edit**. Enable the policy, and then specify a unique GUID for each group of PCs. (This is not required for Windows 10, version 1607, since the AD site code will be used to group devices automatically.)
|
|
||||||
|
|
||||||
10. Click **OK**, and then close the Group Policy Management Editor.
|
|
||||||
|
|
||||||
11. In GPMC, select the **Delivery Optimization – Group** policy.
|
|
||||||
|
|
||||||
12. On the **Scope** tab, under **Security Filtering**, configure the policy to be targeted to an approprite computer group.
|
|
||||||
|
|
||||||
**To use Intune to configure Delivery Optimization for group download mode**
|
|
||||||
|
|
||||||
1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
|
|
||||||
|
|
||||||
2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
|
|
||||||
|
|
||||||
3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
|
|
||||||
|
|
||||||
4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
|
|
||||||
|
|
||||||
5. In **Setting name**, type **Set Delivery Optimization to Group**, and then select **Integer** from the **Data type** list.
|
|
||||||
|
|
||||||
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode**.
|
|
||||||
|
|
||||||
7. In the **Value** box, type **2**, and then click **OK**.
|
|
||||||
|
|
||||||
>[!NOTE]
|
|
||||||
>The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
|
|
||||||
|
|
||||||
8. Click **Save Policy**.
|
|
||||||
|
|
||||||
9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
|
|
||||||
|
|
||||||
>[!NOTE]
|
|
||||||
>If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
|
|
||||||
|
|
||||||
10. In the **Manage Deployment** dialog box, select the **All Computers** group, click **Add**, and then click **OK**.
|
|
||||||
|
|
||||||
### Use WSUS and BranchCache with Windows 10, version 1511
|
|
||||||
|
|
||||||
In Windows 10, version 1511, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **HTTP only** download mode, which results in Background Intelligent Transfer Service (BITS) being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
|
|
||||||
|
|
||||||
**To use Group Policy to configure HTTP only download mode**
|
|
||||||
|
|
||||||
1. Open Group Policy Management Console (GPMC).
|
|
||||||
|
|
||||||
2. Expand Forest\Domains\\*Your_Domain*.
|
|
||||||
|
|
||||||
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
|
|
||||||
|
|
||||||
4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – HTTP Only**.
|
|
||||||
|
|
||||||
5. Right-click the **Delivery Optimization – HTTP Only** GPO, and then click **Edit**.
|
|
||||||
|
|
||||||
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
|
|
||||||
|
|
||||||
7. Right-click the **Download Mode** setting, and then click **Edit**.
|
|
||||||
|
|
||||||
8. Enable the policy, and then select the **HTTP only** download mode.
|
|
||||||
|
|
||||||
9. Click **OK**, and then close the Group Policy Management Editor.
|
|
||||||
|
|
||||||
10. In GPMC, select the **Delivery Optimization – HTTP Only** policy.
|
|
||||||
|
|
||||||
11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, browse to the **Domain Computers** group, and then click **OK**.
|
|
||||||
|
|
||||||

|
|
||||||
|
|
||||||
>[!NOTE]
|
|
||||||
>This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
|
|
||||||
|
|
||||||
### Use WSUS and BranchCache with Windows 10, version 1607
|
|
||||||
|
|
||||||
In Windows 10, version 1607, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **Bypass** download mode (new in Windows 10, version 1607), which results in BITS being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
|
|
||||||
|
|
||||||
**To use Group Policy to enable the Bypass download mode**
|
|
||||||
|
|
||||||
1. Open Group Policy Management Console (GPMC).
|
|
||||||
|
|
||||||
2. Expand Forest\Domains\\*Your_Domain*.
|
|
||||||
|
|
||||||
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
|
|
||||||
|
|
||||||
4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Bypass**.
|
|
||||||
|
|
||||||
5. Right-click the **Delivery Optimization – Bypass** GPO, and then click **Edit**.
|
|
||||||
|
|
||||||
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
|
|
||||||
|
|
||||||
7. Right-click the **Download Mode** setting, and then click **Edit**.
|
|
||||||
|
|
||||||
8. Enable the policy, and then select the **Bypass** download mode. (Note that this download mode is only present in the Windows 10, version 1607, Group Policy ADMX files.)
|
|
||||||
|
|
||||||
9. Click **OK**, and then close the Group Policy Management Editor.
|
|
||||||
|
|
||||||
10. In GPMC, select the **Delivery Optimization – Bypass** policy.
|
|
||||||
|
|
||||||
11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, select the **Domain Computers** group, and then click **OK**.
|
|
||||||
|
|
||||||
>[!NOTE]
|
|
||||||
>This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
|
|
||||||
|
|
||||||
### Set “preferred” cache devices for Delivery Optimization
|
|
||||||
|
|
||||||
In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content).
|
In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content).
|
||||||
|
|
||||||
|
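Review bot: In step 6 of the OMA-URI procedure the path is given as **.Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode**, with no "/" after the leading dot. Policy CSP paths begin with ./Vendor/MSFT/Policy/Config/, and the note after step 7 warns that OMA-URI settings are case sensitive and that the syntax should be checked, so the string an admin copies from this step should read ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode. Smaller points in the same text: step 4 names the policy "Windows Update for Business - CBB1" with a hyphen while step 9 shows the dialog title with an en dash, and the final paragraph has "devices’s" where "device's" is meant.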
@ -40,9 +40,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
|
|||||||
| BranchCache |  |  | |  |
|
| BranchCache |  |  | |  |
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>Starting with preview version 1604, System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage in the same Configuration Manager boundary group. This is expected to be available in later Configuration Manager current branch releases.
|
>System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache).
|
||||||
>
|
>
|
||||||
>In addition to client content sharing, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt613173.aspx).
|
>In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx).
|
||||||
|
|
||||||
## Express update delivery
|
## Express update delivery
|
||||||
|
|
||||||
|
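Review bot: The rewritten Client Peer Cache note ends with "to manage, in the same Configuration Manager boundary Group": the comma splits the clause, and "Group" is capitalized where the line it replaces had "boundary group". Suggest "between clients that System Center Configuration Manager manages in the same boundary group". The new wording also drops the old line's statement of where the feature first appeared (preview version 1604), so availability is now documented only in the linked Client Peer Cache article; worth confirming that is intended.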
@ -43,6 +43,8 @@ For System Center Configuration Manager, Windows 10 support is offered with var
|
|||||||
| System Center Configuration Manager 2012 | Yes, with SP2 and CU1 | Yes, with SP2, CU1, and the ADK for Windows 10 |
|
| System Center Configuration Manager 2012 | Yes, with SP2 and CU1 | Yes, with SP2, CU1, and the ADK for Windows 10 |
|
||||||
| System Center Configuration Manager 2012 R2 | Yes, with SP1 and CU1 | Yes, with SP1, CU1, and the ADK for Windows 10 |
|
| System Center Configuration Manager 2012 R2 | Yes, with SP1 and CU1 | Yes, with SP1, CU1, and the ADK for Windows 10 |
|
||||||
|
|
||||||
|
|
||||||
|
>Note: Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require System Center Configuration Manager current branch for supported management.
|
||||||
|
|
||||||
|
|
||||||
For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
|
For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
|
||||||
|
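Review bot: The added note says "Configuration Manager 2012", but the table directly above lists System Center Configuration Manager 2012 and 2012 R2 as separate rows, so it is unclear whether the support limit also covers 2012 R2; name both products or state which one is meant. The line also uses ">Note:" rather than the ">[!NOTE]" callout form used elsewhere in these docs, and "not supported With" should be "not supported with".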