diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index d34abc564c..4658a2f02b 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -1,6 +1,6 @@
{
"build_entry_point": "",
- "need_generate_pdf": true,
+ "need_generate_pdf": false,
"need_generate_intellisense": false,
"docsets_to_publish": [
{
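Review bot: Turning `need_generate_pdf` off is a repository-wide build change (it sits at the top level, not inside any docset entry) and nothing in this patch records why; add the rationale to the PR description or a commit message so the next person who sees PDFs missing knows it was deliberate.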
@@ -31,7 +31,7 @@
"build_output_subfolder": "devices/hololens",
"locale": "en-us",
"version": 0,
- "open_to_public_contributors": false,
+ "open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
@@ -93,6 +93,20 @@
"type_mapping": {
"Conceptual": "Content"
}
+ },
+ {
+ "docset_name": "smb",
+ "build_source_folder": "smb",
+ "build_output_subfolder": "smb",
+ "locale": "en-us",
+ "version": 0,
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "op"
}
],
"notification_subscribers": [
@@ -104,5 +118,6 @@
"git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/windows-itpro-docs",
"git_repository_branch_open_to_public_contributors": "master",
"skip_source_output_uploading": false,
- "dependent_repositories": []
+ "dependent_repositories": [],
+ "need_generate_pdf_url_template": false
}
\ No newline at end of file
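Review bot: The file still ends without a trailing newline (the `\ No newline at end of file` marker follows the closing `}`); since this hunk already rewrites the last two lines, add the newline so future edits to the closing brace don't show up as spurious changes.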
diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md
index 29090e5faa..d2f29d473e 100644
--- a/browsers/edge/Index.md
+++ b/browsers/edge/Index.md
@@ -21,7 +21,11 @@ localizationpriority: high
Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities.
Microsoft Edge lets you stay up-to-date through the Windows Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
-
**Note** This content isn't meant to be a step-by-step guide, so not everything that's talked about in this guide will be necessary for you to manage and deploy Microsoft Edge in your company.
+
+> **Note** This content isn't meant to be a step-by-step guide, so not everything that's talked about in this guide will be necessary for you to manage and deploy Microsoft Edge in your company.
+
+
+> **Note** For more info about the potential impact of using Microsoft Edge in a large organization, you can download an infographic from here: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892).
## In this section
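Review bot: The original unquoted `**Note** This content isn't meant to be a step-by-step guide...` line is kept as unchanged context (no `-` prefix) while the same sentence is added again as a `> **Note**` blockquote, so the rendered page will show the note twice; remove the old line in this hunk. The two consecutive blank lines between the two new blockquoted notes can also be collapsed to one.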
@@ -54,7 +58,9 @@ You'll need to keep running them using IE11. If you don't have IE11 installed an
## Related topics
+- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760644)
- [Internet Explorer 11 - FAQ for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760645)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646)
+
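Review bot: The trailing empty `+` line after the last related-topics item only adds whitespace at the end of the file; drop it to keep the diff to the intended link addition.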
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index c7e1e2fcd2..7cd01e0f86 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -19,7 +19,9 @@ localizationpriority: high
Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
-
**Note** For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows Powershell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
+
+> **Note**
+> For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows Powershell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
## Group Policy settings
Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations:
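Review bot: The unquoted `**Note** For more info about Group Policy...` line is kept as unchanged context while the identical text is re-added as a `> **Note**` blockquote, so the note will render twice; delete the old line in this hunk. While re-adding the text, fix `Windows Powershell` to `Windows PowerShell` in the last link label.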
@@ -39,7 +41,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A
|Configure Pop-up Blocker |Windows 10 or later |This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.
If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing.
If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear.
If you don’t configure this setting, employees can choose whether to use Pop-up Blocker. |**Enabled or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows.
**Disabled:** Turns off Pop-up Blocker, allowing pop-up windows. |
|Configure search suggestions in Address bar |Windows 10 or later |This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge.
If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.
If you don’t configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. |**Not configured (default):** Employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
**Enabled:** Employees can see search suggestions in the Address bar of Microsoft Edge.
**Disabled:** Employees can’t see search suggestions in the Address bar of Microsoft Edge. |
|Configure SmartScreen Filter |Windows 10 or later |This policy setting lets you configure whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, SmartScreen Filter is turned on.
If you enable this setting, SmartScreen Filter is turned on and employees can’t turn it off.
If you disable this setting, SmartScreen Filter is turned off and employees can’t turn it on.
If you don’t configure this setting, employees can choose whether to use SmartScreen Filter. |**Not configured (default):** Employees can choose whether to use SmartScreen Filter.
**Enabled:** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.
**Disabled:** Turns off SmartScreen Filter. |
-|Configure the Enterprise Mode Site List |Windows 10 or later| This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.
If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode.
If you disable or don’t configure this setting, Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. |**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured. If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11.
**Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List. |
+|Configure the Enterprise Mode Site List |Windows 10 or later| This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.
If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode.
If you disable or don’t configure this setting, Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps.
**Note** If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.|**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured.
If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11.
**Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List.|
|Prevent access to the about:flags page |Windows 10 Insider Preview |This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.
If you enable this policy setting, employees can’t access the about:flags page.
If you disable or don’t configure this setting, employees can access the about:flags page. |**Enabled:** Stops employees from using the about:flags page.
**Disabled or not configured (default):** Lets employees use the about:flags page. |
|Prevent bypassing SmartScreen prompts for files |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files.
If you enable this setting, employees can’t ignore SmartScreen Filter warnings and they’re blocked from downloading the unverified files.
If you disable or don’t configure this setting, employees can ignore SmartScreen Filter warnings and continue the download process. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about unverified files.
**Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about unverified files and lets them continue the download process. |
|Prevent bypassing SmartScreen prompts for sites |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites.
If you enable this setting, employees can’t ignore SmartScreen Filter warnings and they’re blocked from continuing to the site.
If you disable or don’t configure this setting, employees can ignore SmartScreen Filter warnings and continue to the site. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about potentially malicious sites.
**Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about potentially malicious sites and continue to the site. |
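Review bot: The new cache note reads "checks the local cache for a newer version of the file from the server", which inverts the comparison; rephrase to "checks the server for a newer version of the file than the one in the local cache, based on standard caching rules" so the sentence matches the second half about the server file replacing the cached copy. In the following sentence, `enterprise mode` should be capitalised as `Enterprise Mode` to match the rest of the row.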
@@ -50,7 +52,8 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A
## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge
If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page.
-
**Note** The **Supports** column uses these options:
+> **Note**
+> The **Supports** column uses these options:
- **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only.
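Review bot: The unquoted `**Note** The **Supports** column uses these options:` line remains as unchanged context while a `> **Note**` blockquote with the same sentence is added directly above the bullet list, so the heading sentence appears twice; remove the old line here. Leave a blank line between the closing `>` line and the first `- **Desktop.**` bullet so the list is not read as part of the quote.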
@@ -71,18 +74,18 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U
|AllowInPrivate |Windows 10, Version 1511 or later |Both |
**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate
**Data type.** Integer
**Allowed values:**
**0.** Employees can’t use InPrivate browsing.
**1 (default).** Employees can use InPrivate browsing.
|
|AllowPasswordManager |Windows 10 or later |Both |
**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager
**Data type.** Integer
**Allowed values:**
**0 (default).** Employees can't use Password Manager to save passwords locally.
**1.** Employees can use Password Manager to save passwords locally.
|
|AllowPopups |Windows 10 or later |Desktop |
**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups
**Data type.** Integer
**Allowed values:**
**0 (default).** Turns off Pop-up Blocker, allowing pop-up windows.
**1.** Turns on Pop-up Blocker, stopping pop-up windows.
|
-|AllowSearchSuggestionsinAddressBar |Windows 10 or later |Both |
**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar
**Data type.** Integer
**Allowed values:**
**0 (default).** Employees can’t see search suggestions in the Address bar of Microsoft Edge.
**1.** Employees can see search suggestions in the Address bar of Microsoft Edge.
|
+|AllowSearchSuggestions inAddressBar |Windows 10 or later |Both |
**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar
**Data type.** Integer
**Allowed values:**
**0 (default).** Employees can’t see search suggestions in the Address bar of Microsoft Edge.
**1.** Employees can see search suggestions in the Address bar of Microsoft Edge.
|
|AllowSmartScreen |Windows 10 or later |Both |
**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
**Data type.** Integer
**Allowed values:**
**0 (default).** Turns off SmartScreen Filter.
**1.** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.
|
-|EnterpriseModeSiteList |Windows 10 or later |Desktop |
**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList
**Data type.** String
**Allowed values:**
Not configured.
**1 (default).** Use the Enterprise Mode Site List, if configured.
**2.** Specify the location to the site list.
|
+|EnterpriseModeSiteList |Windows 10 or later |Desktop |
**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList
**Data type.** String
**Allowed values:**
Not configured.
**1 (default).** Use the Enterprise Mode Site List, if configured.
**2.** Specify the location to the site list.
**Note** If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
|
|Favorites |Windows 10, Version 1511 or later |Both |
**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/Favorites
**Data type.** String
**Allowed values:**
Configure the **Favorite** URLs for your employees.
**Example:** `` ``
**Note** URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11.
|
|FirstRunURL |Windows 10, Version 1511 or later |Mobile |
**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/FirstRunURL
**Data type.** String
**Allowed values:**
Configure the first run URL for your employees.
**Example:** ``
|
|HomePages |Windows 10, Version 1511 or later |Desktop |
**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/HomePages
**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer
**Data type.** Integer
**Allowed values:**
**0 (default).** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
**1.** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
|
## Microsoft Edge and Windows 10-specific Group Policy settings
These are additional Windows 10-specific Group Policy settings that work with Microsoft Edge.
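Review bot: The rewritten first column `AllowSearchSuggestions inAddressBar` inserts a space into the policy name, but the URI path on the very next line still reads `AllowSearchSuggestionsinAddressBar`, so the displayed name no longer matches the identifier an administrator would search for; keep the identifier intact and, if the goal is column wrapping, use a break the renderer supports instead of altering the name. Two pre-existing problems in the unchanged context of this hunk are worth fixing while the table is open: the `HomePages` row carries two `URI full path` lines and no data type of its own, so its content appears to have been merged with the `ShowMessageWhenOpeningSitesInInteretExplorer` row, and that URI looks like a typo for `...SitesInInternetExplorer`.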
diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md
index 61e8ba0de9..f188b5e0ee 100644
--- a/browsers/edge/change-history-for-microsoft-edge.md
+++ b/browsers/edge/change-history-for-microsoft-edge.md
@@ -4,6 +4,7 @@ description: This topic lists new and updated topics in the Microsoft Edge docum
ms.prod: edge
ms.mktglfcycl: explore
ms.sitesec: library
+localizationpriority: high
---
# Change history for Microsoft Edge
@@ -11,6 +12,15 @@ This topic lists new and updated topics in the Microsoft Edge documentation for
For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/).
+## November 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added the infographic image and a download link.|
+|[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |Added a note about the 65 second wait before checking for a newer version of the site list .XML file. |
+|[Available policies for Microsoft Edge](available-policies.md) |Added notes to the Configure the Enterprise Mode Site List Group Policy and the EnterpriseModeSiteList MDM policy about the 65 second wait before checking for a newer version of the site list .XML file. |
+|[Microsoft Edge - Deployment Guide for IT Pros](index.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. |
+|[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. |
+
## July 2016
|New or changed topic | Description |
|----------------------|-------------|
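Review bot: `[Browser: Microsoft Edge and Internet Explorer 11]` gets two rows in the new November 2016 table (one for the infographic image and download link, one for the infographic link); merge them into a single row. The table writes `.XML file` in upper case while the notes it describes use `.xml`; pick one spelling.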
diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md
index 4d6bfce510..1f3cf5ea43 100644
--- a/browsers/edge/emie-to-improve-compatibility.md
+++ b/browsers/edge/emie-to-improve-compatibility.md
@@ -19,13 +19,15 @@ localizationpriority: high
If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
-
**Note** If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
+
+> **Note**
+>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
## Fix specific websites
Microsoft Edge doesn't support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and need IE11, you can add them to the Enterprise Mode site list, using the Enterprise Mode Site List Manager.
- **To add sites to your list**
+**To add sites to your list**
1. In the Enterprise Mode Site List Manager, click **Add**.
If you already have an existing site list, you can import it into the tool. After it's in the tool, the xml updates the list, checking **Open in IE** for each site. For info about importing the site list, see [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](https://go.microsoft.com/fwlink/p/?LinkId=618322).

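Review bot: The unquoted `**Note** If you want to use Group Policy to set Internet Explorer as your default browser...` line is kept as unchanged context while the same sentence is added as a `> **Note**` blockquote, so the note renders twice; remove the old line in this hunk. The second quoted line starts with `>If` where the first uses `> **Note**`; add the space after `>` for consistency with the other notes in this patch.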
@@ -43,7 +45,10 @@ Microsoft Edge doesn't support ActiveX controls, Browser Helper Objects, VBScrip
You must turn on the **Use Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377).
- **To turn on Enterprise Mode using Group Policy**
+> **Note**
+> If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
+
+**To turn on Enterprise Mode using Group Policy**
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Allows you to configure the Enterprise Mode Site list** setting.
Turning this setting on also requires you to create and store a site list.

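Review bot: The continuation sentence `If you're already using a site list, enterprise mode continues to work during the 65 second wait...` is not prefixed with `>`, so it falls out of the blockquote the line above it opens and renders as a separate plain paragraph; prefix it with `> ` so the two sentences stay in one note, and capitalise `Enterprise Mode` as elsewhere on the page.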
@@ -51,7 +56,7 @@ You must turn on the **Use Enterprise Mode Site List** Group Policy setting befo
3. Refresh your policy in your organization and then view the affected sites in Microsoft Edge.
The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is.
- **To turn on Enterprise Mode using the registry**
+**To turn on Enterprise Mode using the registry**
1. **To turn on Enterprise Mode for all users on the PC:** Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode`.
@@ -70,11 +75,15 @@ You must turn on the **Use Enterprise Mode Site List** Group Policy setting befo
## Fix your intranet sites
You can add the **Send all intranet traffic over to Internet Explorer** Group Policy setting for Windows 10 so that all of your intranet sites open in IE11. This means that even if your employees are using Microsoft Edge, they will automatically switch to IE11 while viewing the intranet.
-
**Note** If you want to use Group Policy to set IE as the default browser for Internet sites, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
- **To turn on Sends all intranet traffic over to Internet Explorer using Group Policy**
+> **Note**
+> If you want to use Group Policy to set IE as the default browser for Internet sites, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
-1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Microsoft Edge\Sends all intranet traffic over to Internet Explorer` setting.

+**To turn on Sends all intranet traffic over to Internet Explorer using Group Policy**
+
+1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Microsoft Edge\Sends all intranet traffic over to Internet Explorer` setting.
+
+ 
2. Click **Enabled**.
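Review bot: The unquoted `**Note** If you want to use Group Policy to set IE as the default browser for Internet sites...` line stays as unchanged context while the same text is added as a `> **Note**` blockquote, so this note too will appear twice; remove the old line here. The added `+ ` line between step 1 and step 2 contains only whitespace (it appears to be a non-breaking space) and should be dropped along with the extra blank line above it.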
diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
index a3dcf46f40..4cabfa693f 100644
--- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
+++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
@@ -25,6 +25,12 @@ Microsoft Edge is the default browser experience for Windows 10 and Windows 10 M
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
+If you're having trouble deciding whether Microsoft Edge is good for your organization, you can take a look at this infographic about the potential impact of using Microsoft Edge in an organization.
+
+
+[Click to enlarge](img-microsoft-edge-infographic-lg.md)
+[Click to download image](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
+
### Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
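Review bot: The visible lines of this hunk add the "Click to enlarge" and "Click to download image" links but no embed of `images/microsoft-edge-infographic-sm.png`, which this patch adds as a new binary; confirm the image reference is present in the file (it may have been dropped from this view), otherwise the PNG is committed without being used. The "Click to enlarge" link points at the `.md` page `img-microsoft-edge-infographic-lg.md` rather than an image, so make sure that page actually displays the large image.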
@@ -44,9 +50,10 @@ IE11 offers enterprises additional security, manageability, performance, backwar
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
## Related topics
+- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index)
-- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
+- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
\ No newline at end of file
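Review bot: The last `Internet Explorer 11 - FAQ for IT Pros` line is removed and re-added with identical text; the only difference is that the new version drops the file's trailing newline (see the `\ No newline at end of file` marker). Keep the newline so this line doesn't churn in every later diff.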
diff --git a/browsers/edge/images/img-microsoft-edge-infographic-lg.png b/browsers/edge/images/img-microsoft-edge-infographic-lg.png
new file mode 100644
index 0000000000..3f66d66901
Binary files /dev/null and b/browsers/edge/images/img-microsoft-edge-infographic-lg.png differ
diff --git a/browsers/edge/images/microsoft-edge-infographic-sm.png b/browsers/edge/images/microsoft-edge-infographic-sm.png
new file mode 100644
index 0000000000..1794540e5c
Binary files /dev/null and b/browsers/edge/images/microsoft-edge-infographic-sm.png differ
diff --git a/browsers/edge/img-microsoft-edge-infographic-lg.md b/browsers/edge/img-microsoft-edge-infographic-lg.md
new file mode 100644
index 0000000000..59c2c7a8e8
--- /dev/null
+++ b/browsers/edge/img-microsoft-edge-infographic-lg.md
@@ -0,0 +1,10 @@
+---
+description: A full-sized view of the Microsoft Edge infographic.
+title: Full-sized view of the Microsoft Edge infographic
+---
+
+Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
+Download image: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
+
+
+
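Review bot: The new page's front matter has only `description` and `title`, while the other topics touched in this patch also carry `ms.prod`, `ms.mktglfcycl`, `ms.sitesec` and `localizationpriority`; add the same metadata so the page is classified and localised like its neighbours. The visible body contains the return link and download link but no embed of `images/img-microsoft-edge-infographic-lg.png`, even though the title promises a full-sized view; confirm the image reference is present. The three trailing blank lines at the end of the file can be removed.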
diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
index fdd8ac9361..1949a24903 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
@@ -11,6 +11,11 @@ ms.sitesec: library
# Change history for Internet Explorer 11
This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
+## November 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Updated the DocMode reason section to correct Code 8 and to add Code 9.|
+
## August 2016
|New or changed topic | Description |
|----------------------|-------------|
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 5228460e99..d4e3ae973c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -83,7 +83,8 @@ The codes in this table can tell you what document mode was set by IE for a webp
|5 |Page is using an X-UA-compatible HTTP header. |
|6 |Page appears on an active **Compatibility View** list. |
|7 |Page is using native XML parsing. |
-|9 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. |
+|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. |
+|9 |Page state is set by the browser mode and the page's DOCTYPE.|
#### Browser state reason
The codes in this table can tell you why the browser is in its current state. Also called “browser mode”. These codes only apply to Internet Explorer 10 and Internet Explorer 11.
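Review bot: The new code 9 row ends `DOCTYPE.|` with no space before the closing pipe, unlike every other row in the table, which ends ` |`; match the existing spacing. Since the table is about document mode, consider wording the new description as "Document mode is set by the browser mode and the page's DOCTYPE" rather than "Page state" so the row uses the same term as its neighbours.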
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
index 78978d8119..fbd10a4080 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
@@ -20,8 +20,8 @@ Included examples:
- [Example 4: Connect directly if the host is in specified subnet](#example-4-connect-directly-if-the-host-is-in-specified-subnet)
- [Example 5: Determine the connection type based on the host domain](#example-5-determine-the-connection-type-based-on-the-host-domain)
- [Example 6: Determine the connection type based on the protocol](#example-6-determine-the-connection-type-based-on-the-protocol)
-- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-IP-address)
-- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-IP-address-matches-the-specified-IP-address)
+- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-ip-address)
+- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-ip-address-matches-the-specified-ip-address)
- [Example 9: Connect using a proxy server if there are periods in the host name](#example-9-connect-using-a-proxy-server-if-there-are-periods-in-the-host-name)
- [Example 10: Connect using a proxy server based on specific days of the week](#example-10-connect-using-a-proxy-server-based-on-specific-days-of-the-week)
diff --git a/browsers/internet-explorer/index.md b/browsers/internet-explorer/index.md
index c9e24043a1..79a0d7af08 100644
--- a/browsers/internet-explorer/index.md
+++ b/browsers/internet-explorer/index.md
@@ -6,6 +6,7 @@ ms.prod: IE11
title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0
ms.sitesec: library
+localizationpriority: low
---
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 8b4c888244..38959bbbb4 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -1 +1,8 @@
-# [Placeholder](index.md)
\ No newline at end of file
+# [Microsoft HoloLens](index.md)
+## [HoloLens in the enterprise: requirements](hololens-requirements.md)
+## [Set up HoloLens](hololens-setup.md)
+## [Upgrade to Windows Holographic Enterprise](hololens-upgrade-enterprise.md)
+## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
+## [Set up HoloLens in kiosk mode](hololens-kiosk.md)
+## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
+## [Install apps on HoloLens](hololens-install-apps.md)
\ No newline at end of file
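Review bot: the rewritten TOC still ends without a trailing newline (the "\ No newline at end of file" marker applies to the new content as well as the removed placeholder); add one so later edits to the last entry do not show up as a modified line.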
diff --git a/devices/hololens/hololens-checklist.md b/devices/hololens/hololens-checklist.md
deleted file mode 100644
index d1eb5f80d4..0000000000
--- a/devices/hololens/hololens-checklist.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: Checklist for HoloLens in the enterprise (HoloLens)
-description: tbd
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.pagetype: hololens, devices
-ms.sitesec: library
-author: jdeckerMS
----
-
-# Checklist: HoloLens in the enterprise
-
-[Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers)
-
-
-Windows Store for Business
-
-Requirements
-
-- IT Admins: Before you sign up for the Store for Business, at a minimum, you'll need an Azure Active Directory (AAD) account for your organization, and you'll need to be the global administrator for your organization. Once the Global Admin has signed in, they can give permissions to other employees.
-- End Users: Need Azure AD account when they access Store for Business content from Windows-based devices.
-
-[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/)
-
-[Get started with Intune](https://docs.microsoft.com/en-us/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
-
-[Enroll devices for management in Intune](https://docs.microsoft.com/en-us/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
-
-[Azure AD editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)
-
diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md
new file mode 100644
index 0000000000..24912f3416
--- /dev/null
+++ b/devices/hololens/hololens-enroll-mdm.md
@@ -0,0 +1,38 @@
+---
+title: Enroll HoloLens in MDM (HoloLens)
+description: Enroll HoloLens in mobile device management (MDM) for easier management of multiple devices.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: hololens, devices
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Enroll HoloLens in MDM
+
+You can manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
+
+>[!NOTE]
+>Mobile device management (MDM) for Development Edition HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic Enterprise](hololens-upgrade-enterprise.md).
+
+
+## Requirements
+ Your organization will need to have mobile device management (MDM) set up in order to manage HoloLens devices. Your MDM provider can be Microsoft Intune or a 3rd party provider that uses Microsoft MDM APIs.
+
+## Auto-enrollment in MDM
+
+If your organization uses Azure Active Directory (Azure AD) and an MDM solution that accepts an AAD token for authentication (currently, only supported in Microsoft Intune and Airwatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. [Learn how to configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
+
+When auto-enrollment is enabled, no additional manual enrollment is needed. When the user signs in with an Azure AD account, the device is enrolled in MDM after completing the first-run experience.
+
+## Enroll through Settings app
+
+ When the device is not enrolled in MDM during the first-run experience, the user can manually enroll the device with the organization's MDM server using the Settings app.
+
+1. Go to **Settings** > **Accounts** > **Work access**.
+
+2. Select **Enroll into device management** and enter your organizational account. You will be redirected to your organization's sign in page.
+
+4. Upon successful authentication to the MDM server, a success message is shown.
+
+Your device is now enrolled with your MDM server. The device will need to restart to acquire policies, certificates, and apps. The Settings app will now reflect that the device is enrolled in device management.
\ No newline at end of file
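Review bot: the numbered list under "Enroll through Settings app" jumps from step 2 to step 4; either renumber or add the missing step (the redirect to the organization's sign-in page and entering credentials reads like it was meant to be step 3). Also "Microsoft InTune" should be "Microsoft Intune" to match the rest of the file, "Airwatch" is normally written "AirWatch", "3rd party" should be "third-party" and "sign in page" should be "sign-in page". The lines "Your organization will need to have..." and "When the device is not enrolled..." start with a stray leading space, unlike the other paragraphs, and the file lacks a trailing newline.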
diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md
new file mode 100644
index 0000000000..e5298640a5
--- /dev/null
+++ b/devices/hololens/hololens-install-apps.md
@@ -0,0 +1,86 @@
+---
+title: Install apps on HoloLens (HoloLens)
+description: The recommended way to install apps on HoloLens is to use Windows Store for Business.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: hololens, devices
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Install apps on HoloLens
+
+The recommended way to install Universal Windows Platform (UWP) apps on HoloLens is to use Windows Store for Business. You can make your own [line-of-business application](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps) available through Windows Store for Business.
+
+You can also deploy apps using your mobile device management (MDM) provider or use the Windows Device Portal to install apps, if you enable **Developer Mode** on the HoloLens device.
+
+>[!IMPORTANT]
+ >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device.** Developer Mode** on a device that has been upgraded to Windows Holographic Enterprise enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
+
+## Use Windows Store for Business to deploy apps to HoloLens
+
+Windows Store for Business is a private Windows Store for your enterprise. People in your organization can open the Store app and select your private Store to install apps that you have made available to them.
+
+
+
+In your Windows Store for Business dashboard, you can also download apps to distribute to devices that aren't connected to the Internet, plus add line-of-business (LOB) apps for distribution.
+
+### Requirements
+
+- You need to be a global administrator for your Azure Active Directory (Azure AD) tenant.
+
+ >[!TIP]
+ >You can create an Azure AD account and tenant as part of the Store for Business sign-up process.
+
+- End users need Azure AD accounts when they access Store for Business content from Windows-based devices.
+
+### Windows Store for Business process
+
+1. [Sign up for Windows Store for Business.](https://technet.microsoft.com/itpro/windows/manage/sign-up-windows-store-for-business)
+2. [Assign roles and permissions for managing your Store for Business.](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business)
+3. (Optional) [Configure Windows Store for Business to work with your MDM provider.](https://technet.microsoft.com/itpro/windows/manage/configure-mdm-provider-windows-store-for-business)
+3. [Get apps for your Store for Business.](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business)
+4. [Distribute apps to your employees.](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-to-your-employees-windows-store-for-business)
+
+### Install apps on HoloLens from Windows Store for Business
+
+The method that you use to install an app from your Windows Store for Business on HoloLens depends on the the distribution method that you choose.
+
+| Distribution method | To install on HoloLens|
+| --- | --- |
+| Using private store | Open the Store app and select the tab for your organization to choose from available apps. |
+| Using MDM | [You can configure MDM to synchronize your Store for Business inventory.](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool) |
+
+
+
+## Use MDM to deploy apps to HoloLens
+
+You can deploy UWP apps to HoloLens using your MDM provider. For Intune instructions, see [Deploy apps in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/add-apps).
+
+Using Intune, you can also [monitor your app deployment](https://docs.microsoft.com/intune/deploy-use/monitor-apps-in-microsoft-intune).
+
+
+## Use the Windows Device Portal to install apps on HoloLens.
+
+1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/holographic/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
+
+2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_usb).
+
+3. [Create a user name and password](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
+
+ >[!TIP]
+ >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#security_certificate).
+
+4. In the Windows Device Portal, click **Apps**.
+
+ 
+
+5. In **Install app**, select an **app package** from a folder on your computer or network. If the app package requires additional software, click **Add dependency**.
+
+6. In **Deploy**, click **Go** to deploy the app package and added dependencies to the connected HoloLens.
+
+
+
+
+
+
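Review bot: in the IMPORTANT note the emphasis markup is broken: "device.** Developer Mode**" puts the space inside the asterisks, so it will render as literal asterisks instead of bold; it should read "device. **Developer Mode**". In the same note the Policy CSP node is written "ApplicationManagement/AllowDeveloper Unlock" with a stray space in the node name (the node is AllowDeveloperUnlock); readers searching the Policy CSP reference for the exact string will not find it. Lesser points in this file: the "Windows Store for Business process" list has two step 3s; "depends on the the distribution method" has a doubled word; and the heading "Use the Windows Device Portal to install apps on HoloLens." ends with a period unlike the other headings.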
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
new file mode 100644
index 0000000000..df5b610c5a
--- /dev/null
+++ b/devices/hololens/hololens-kiosk.md
@@ -0,0 +1,37 @@
+---
+title: Set up HoloLens in kiosk mode (HoloLens)
+description: Kiosk mode limits the user's ability to launch new apps or change the running app.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: hololens, devices
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Set up HoloLens in kiosk mode
+
+
+
+Kiosk mode limits the user's ability to launch new apps or change the running app. When kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings.
+
+1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/holographic/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
+
+ >[!IMPORTANT]
+ >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic Enterprise enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
+
+2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_usb).
+
+3. [Create a user name and password](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
+
+ >[!TIP]
+ >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#security_certificate).
+
+4. In the Windows Device Portal, click **Kiosk Mode**.
+
+ 
+
+ >[!NOTE]
+ >The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has an [Enterprise license](hololens-upgrade-enterprise.md).
+
+5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**.
+
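Review bot: the NOTE under step 4, "The kiosk mode option will be available if the device is enrolled in device management and has an Enterprise license", does not say what happens otherwise; if enrollment and the license are prerequisites, write "is only available if" and state it before step 1 so readers do not set up the Device Portal on a device that cannot use it. Since the IMPORTANT note in step 1 says enabling Developer Mode allows side-loading of apps, the topic should also say whether Developer Mode can and should be turned off again after kiosk mode is saved; a kiosk device is exactly where unrestricted side-loading is unwanted. The same "AllowDeveloper Unlock" spacing typo as in hololens-install-apps.md appears in this file's IMPORTANT note.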
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
new file mode 100644
index 0000000000..94024a8e86
--- /dev/null
+++ b/devices/hololens/hololens-provisioning.md
@@ -0,0 +1,120 @@
+---
+title: Configure HoloLens using a provisioning package (HoloLens)
+description: Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: hololens, devices
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Configure HoloLens using a provisioning package
+
+Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages.
+
+Some of the HoloLens configurations that you can apply in a provisioning package:
+- Upgrade to Windows Holographic Enterprise
+- Set up a local account
+- Set up a Wi-Fi connection
+- Apply certificatess to the device
+
+To install Windows ICD and create provisioning packages, you must [install the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
+
+When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration Designer** from the **Select the features you want to install** dialog box.
+
+
+
+> [!NOTE]
+> In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features.
+
+
+## Create a provisioning package for HoloLens
+
+>[!NOTE]
+>Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic Enterprise or if [the device has already been upgraded to Windows Holographic Enterprise](hololens-upgrade-enterprise.md).
+
+1. On the Windows ICD start page, select **Advanced provisioning**.
+
+2. In the **Enter project details** window, specify a name for your project and the location for your project. Optionally, enter a brief description to describe your project.
+
+3. Click **Next**.
+
+4. In the **Choose which settings to view and configure** window, select **Windows 10 Holographic**, and then click **Next**.
+
+6. Click **Finish**.
+
+7. Expand **Runtime settings** and customize the package with any of the settings [described below](#what-you-can-configure).
+
+ >[!IMPORTANT]
+ >If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/holographic/reset_or_recover_your_hololens#perform_a_full_device_recovery).
+
+8. On the **File** menu, click **Save**.
+
+4. Read the warning that project files may contain sensitive information, and click **OK**.
+
+ >[!IMPORTANT]
+ >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+3. On the **Export** menu, click **Provisioning package**.
+
+4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next**.
+
+5. Set a value for **Package Version**.
+
+ >[!TIP]
+ >You can make changes to existing packages and change the version number to update previously applied packages.
+
+6. On the **Select security details for the provisioning package**, click **Next**.
+
+7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+
+ Optionally, you can click Browse to change the default output location.
+
+8. Click **Next**.
+
+9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+
+10. When the build completes, click **Finish**.
+
+
+## Apply a provisioning package to HoloLens
+
+1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of OOBE (the first page with the blue box).
+
+2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously.
+
+3. HoloLens will show up as a device in File Explorer on the PC.
+
+4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
+
+5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page.
+
+6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
+
+7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
+
+>[!NOTE]
+>If the device was purchased before August 2016, you will need to sign into the device with aa Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
+
+## What you can configure
+
+Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
+
+In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.co/library/windows/hardware/dn920025.aspx#HoloLens). The following table describes settings that you might want to configure for HoloLens.
+
+
+
+| Setting | Description |
+| --- | --- |
+| **Accounts** | Create a local account. HoloLens currently supports a single user only. Creating multiple local accounts in a provisioning package is not supported.
**IMPORTANT** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/holographic/reset_or_recover_your_hololens#perform_a_full_device_recovery). |
+| **Certificates** | Deploy a certificate to HoloLens. |
+| **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. |
+| **EditionUpgrade** | [Upgrade to Windows Holographic Enterprise.](hololens-upgrade-enterprise.md) |
+| **Policies** | Allow or prevent developer mode on HoloLens. |
+
+>[!NOTE]
+>App installation (**UniversalAppInstall**) using a provisioning package is not currently supported for HoloLens.
+
+
+
+
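Review bot: the step numbering in "Create a provisioning package for HoloLens" runs 1, 2, 3, 4, 6, 7, 8, 4, 3, 4, 5, 6, 7, 8, 9, 10; it should be one sequence from 1 through 17 (or the save/export steps placed under their own subheading, as they are shared with hololens-upgrade-enterprise.md). The CSP link in "What you can configure" points at https://msdn.microsoft.co/library/windows/hardware/dn920025.aspx#HoloLens, missing the "m" in microsoft.com. In the settings table, the **Accounts** row is split across two lines, so the IMPORTANT text on the second line will not render inside the cell; join it on one line (for example with a <br> before "**IMPORTANT**"). Typos: "certificatess" and "sign into the device with aa Microsoft account".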
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
new file mode 100644
index 0000000000..959a0c2402
--- /dev/null
+++ b/devices/hololens/hololens-requirements.md
@@ -0,0 +1,54 @@
+---
+title: HoloLens in the enterprise requirements (HoloLens)
+description: Requirements for general use, Wi-Fi, and device management for HoloLens in the enterprise.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: hololens, devices
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Microsoft HoloLens in the enterprise: requirements
+
+When you develop for HoloLens, there are [system requirements and tools](https://developer.microsoft.com/windows/holographic/install_the_tools) that you need. In an enterprise environment, there are also a few requirements to use and manage HoloLens which are listed below.
+
+## General use
+- Microsoft account or Azure Active Directory (Azure AD) account
+- Wi-Fi network to set up HoloLens
+
+>[!NOTE]
+>After you set up HoloLens, you can use it offline [with some limitations](https://support.microsoft.com/help/12645/hololens-use-hololens-offline).
+
+
+## Supported wireless network EAP methods
+- PEAP-MS-CHAPv2
+- PEAP-TLS
+- TLS
+- TTLS-CHAP
+- TTLS-CHAPv2
+- TTLS-MS-CHAPv2
+- TTLS-PAP
+- TTLS-TLS
+
+## Device management
+ - Users have Azure AD accounts with [Intune license assigned](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4)
+ - Wi-Fi network
+ - Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs
+
+## Upgrade to Windows Holographic Enterprise
+- HoloLens Enterprise license XML file
+
+
+
+
+
+## Related resources
+
+[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/)
+
+[Get started with Intune](https://docs.microsoft.com/en-us/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
+
+[Enroll devices for management in Intune](https://docs.microsoft.com/en-us/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
+
+[Azure AD editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)
+
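Review bot: the "Device management" list items are indented by a leading space while the other lists in the file are not; drop the indent so all lists render the same way. "3rd party" should be "third-party", and the intro sentence "there are also a few requirements to use and manage HoloLens which are listed below" would read better as "...to use and manage HoloLens, listed below".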
diff --git a/devices/hololens/hololens-setup.md b/devices/hololens/hololens-setup.md
new file mode 100644
index 0000000000..134a4bd36d
--- /dev/null
+++ b/devices/hololens/hololens-setup.md
@@ -0,0 +1,43 @@
+---
+title: Set up HoloLens (HoloLens)
+description: The first time you set up HoloLens, you'll need a Wi-Fi network and either a Microsoft or Azure Active Directory account.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: hololens, devices
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Set up HoloLens
+
+Before you get started setting up your HoloLens, make sure you have a Wi-Fi network and a Microsoft account or an Azure Active Directory (Azure AD) account.
+
+## Network connectivity requirements
+
+The first time you use your HoloLens, you'll be guided through connecting to a Wi-Fi network. You need to connect HoloLens to a Wi-Fi network with Internet connectivity so that the user account can be authenticated.
+
+- It can be an open Wi-Fi or password-protected Wi-Fi network.
+- The Wi-Fi network cannot require you to navigate to a webpage to connect.
+- The Wi-Fi network cannot require certificates to connect.
+- The Wi-Fi network does not need to provide access to enterprise resources or intranet sites.
+
+## HoloLens setup
+
+The HoloLens setup process combines a quick tutorial on using HoloLens with the steps needed to connect to the network and add an account.
+
+1. Be sure your HoloLens is [charged](https://support.microsoft.com/help/12627), then [adjust it](https://support.microsoft.com/help/12632) for a comfortable fit.
+2. [Turn on HoloLens](https://support.microsoft.com/help/12642). You will be guided through a calibration procedure and how to perform [the gestures](https://support.microsoft.com/help/12644/hololens-use-gestures) that you will use to operate HoloLens.
+3. Next, you'll be guided through connecting to a Wi-Fi network.
+4. After HoloLens connects to the Wi-Fi network, you select between **My work or school owns it** and **I own it**.
+ - When you choose **My work or school owns it**, you sign in with an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
+ 1. Enter your organizational account.
+ 2. Accept privacy statement.
+ 3. Sign in using your Azure AD credentials. This may redirect to your organization's sign-in page.
+ 4. Continue with device setup.
+ - When you choose **I own it**, you sign in with a Microsoft account. After setup is complete, you can [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
+ 1. Enter your Microsoft account.
+ 2. Enter your password. If your Microsoft account requires [two-step verification (2FA)](https://blogs.technet.microsoft.com/microsoft_blog/2013/04/17/microsoft-account-gets-more-secure/), complete the verification process.
+5. The device sets your time zone based on information obtained from the Wi-Fi network.
+6. Next, you learn how to perform the bloom gesture and how to select and place the Start screen. After you place the Start screen, setup is complete and you can begin using HoloLens.
+
+
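Review bot: "The Wi-Fi network cannot require certificates to connect" appears to contradict hololens-requirements.md in this same change, which lists TLS, PEAP-TLS and TTLS-TLS (certificate-based EAP methods) as supported; suggest qualifying the setup bullet as applying to the network used for first-time setup, before any certificate has been deployed to the device (hololens-provisioning.md covers deploying certificates), so the two topics do not read as conflicting. Also, the "two-step verification (2FA)" link points at a 2013 blog post; a Microsoft account support page would be a more durable target.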
diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md
new file mode 100644
index 0000000000..ab3a5920df
--- /dev/null
+++ b/devices/hololens/hololens-upgrade-enterprise.md
@@ -0,0 +1,136 @@
+---
+title: Upgrade to Windows Holographic Enterprise (HoloLens)
+description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic Enterprise.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: hololens, devices
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Upgrade to Windows Holographic Enterprise
+
+Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/holographic/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
+
+When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic Enterprise. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
+
+>[!TIP]
+>You can tell that the HoloLens has been upgraded to the Enterprise edition in **Settings** > **Network & Internet**. The **VPN** option is only available in Windows Holographic Enterprise.
+
+
+
+## Edition upgrade using MDM
+
+The enterprise license can be applied by any MDM provider that supports the [WindowsLicensing configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904983.aspx). The latest version of the Microsoft MDM API will support WindowsLicensing CSP.
+
+
+**Overview**
+
+1. Set up the edition upgrade policy.
+2. Deploy the policy.
+3. [Enroll the device through the Settings app](hololens-enroll-mdm.md).
+
+The procedures in this topic use Microsoft Intune as an example. On other MDM providers, the specific steps for setting up and deploying the policy might vary.
+
+### Set up the Edition Upgrade policy
+
+1. Sign into the Intune Dashboard with your Intune admin account.
+
+2. In the **Policy** workspace, select **Configuration Policies** and then **Add**.
+
+ 
+
+3. In **Create a new policy**, select the **Edition Upgrade Policy (Windows 10 Holographic and later** template, and click **Create Policy**.
+
+ 
+
+4. Enter a name for the policy.
+
+5. In the **Edition Upgrade** section, in **License File**, browse to and select the XML license file that was provided when you purchased the Commercial Suite.
+
+ 
+
+5. Click **Save Policy**.
+
+
+
+### Deploy the Edition Upgrade policy
+
+Next, you will assign the Edition Upgrade policy to selected groups.
+
+1. In the **Policy** workspace, select the Edition upgrade policy that you created, and then choose **Manage Deployment**.
+
+2. In the **Manage Deployment** dialog box, select one or more groups to which you want to deploy the policy, and then choose **Add** > **OK**.
+
+When these users enroll their devices in MDM, the Edition Upgrade policy will be applied.
+
+
+For more information about groups, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
+
+## Edition upgrade using a provisioning package
+
+Provisioning packages are files created by the Windows Imaging and Configuration Designer (ICD) tool that apply a specified configuration to a device.
+
+### Create a provisioning package that upgrades the Windows Holographic edition
+
+1. [Create a provisioning package for HoloLens.](hololens-provisioning.md#create-a-provisioning-package-for-hololens)
+
+2. Go to **Runtime settings** > **EditionUpgrade**, and select **EditionUpgradeWithLicense**.
+
+ 
+
+2. Browse to and select the XML license file that was provided when you purchased the Commercial Suite.
+
+ >[!NOTE]
+ >You can configure [additional settings in the provisioning package](hololens-provisioning.md).
+
+3. On the **File** menu, click **Save**.
+
+4. Read the warning that project files may contain sensitive information, and click **OK**.
+
+ >[!IMPORTANT]
+ >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+3. On the **Export** menu, click **Provisioning package**.
+
+4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next**.
+
+5. Set a value for **Package Version**.
+
+ >[!TIP]
+ >You can make changes to existing packages and change the version number to update previously applied packages.
+
+6. On the **Select security details for the provisioning package**, click **Next**.
+
+7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+
+ Optionally, you can click Browse to change the default output location.
+
+8. Click **Next**.
+
+9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+
+10. When the build completes, click **Finish**.
+
+
+### Apply the provisioning package to HoloLens
+
+1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of OOBE (the first page with the blue box).
+
+2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously.
+
+3. HoloLens will show up as a device in File Explorer on the PC.
+
+4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
+
+5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page.
+
+6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
+
+7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
+
+>[!NOTE]
+>If the device was purchased before August 2016, you will need to sign into the device with aa Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
+
+
+
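Review bot: the step numbering in both procedures of this new topic is broken and should be renumbered before merge: in "Set up the Edition Upgrade policy" step 5 appears twice (License File, then Save Policy), and in "Create a provisioning package that upgrades the Windows Holographic edition" the sequence runs 1, 2, 2, 3, 4, 3, 4, 5, so the Export steps collide with the Save steps. Two smaller fixes in the same hunk: the template name in step 3 is missing its closing parenthesis ("Edition Upgrade Policy (Windows 10 Holographic and later)"), and the final note reads "sign into the device with aa Microsoft account". On the security side, the "Select security details for the provisioning package" step only says click Next; since the package carries the Enterprise license XML and the IMPORTANT note already warns that project files hold sensitive data, it would help to say whether the package should be signed or encrypted at that step, and what the "do you trust the package" prompt on the device is actually checking, so an admin can distinguish a legitimate package from a tampered one before confirming.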
diff --git a/devices/hololens/images/adk-install.png b/devices/hololens/images/adk-install.png
new file mode 100644
index 0000000000..c087d3bae5
Binary files /dev/null and b/devices/hololens/images/adk-install.png differ
diff --git a/devices/hololens/images/apps.png b/devices/hololens/images/apps.png
new file mode 100644
index 0000000000..5cb3b7ec8f
Binary files /dev/null and b/devices/hololens/images/apps.png differ
diff --git a/devices/hololens/images/hololens.png b/devices/hololens/images/hololens.png
new file mode 100644
index 0000000000..ce54ae4281
Binary files /dev/null and b/devices/hololens/images/hololens.png differ
diff --git a/devices/hololens/images/icd-settings.png b/devices/hololens/images/icd-settings.png
new file mode 100644
index 0000000000..111b7f38c7
Binary files /dev/null and b/devices/hololens/images/icd-settings.png differ
diff --git a/devices/hololens/images/icd1.PNG b/devices/hololens/images/icd1.PNG
new file mode 100644
index 0000000000..25f905d4fe
Binary files /dev/null and b/devices/hololens/images/icd1.PNG differ
diff --git a/devices/hololens/images/intune1.PNG b/devices/hololens/images/intune1.PNG
new file mode 100644
index 0000000000..c87c58d36a
Binary files /dev/null and b/devices/hololens/images/intune1.PNG differ
diff --git a/devices/hololens/images/intune2.PNG b/devices/hololens/images/intune2.PNG
new file mode 100644
index 0000000000..61ca386c3c
Binary files /dev/null and b/devices/hololens/images/intune2.PNG differ
diff --git a/devices/hololens/images/intune3.png b/devices/hololens/images/intune3.png
new file mode 100644
index 0000000000..39a812a1a7
Binary files /dev/null and b/devices/hololens/images/intune3.png differ
diff --git a/devices/hololens/images/kiosk.png b/devices/hololens/images/kiosk.png
new file mode 100644
index 0000000000..9cc771c779
Binary files /dev/null and b/devices/hololens/images/kiosk.png differ
diff --git a/devices/hololens/images/upgrade-flow.png b/devices/hololens/images/upgrade-flow.png
new file mode 100644
index 0000000000..127c3358f4
Binary files /dev/null and b/devices/hololens/images/upgrade-flow.png differ
diff --git a/devices/hololens/images/uwp-dependencies.PNG b/devices/hololens/images/uwp-dependencies.PNG
new file mode 100644
index 0000000000..4e2563169f
Binary files /dev/null and b/devices/hololens/images/uwp-dependencies.PNG differ
diff --git a/devices/hololens/images/uwp-license.PNG b/devices/hololens/images/uwp-license.PNG
new file mode 100644
index 0000000000..ccb5cf7cf4
Binary files /dev/null and b/devices/hololens/images/uwp-license.PNG differ
diff --git a/devices/hololens/images/windows-device-portal-home-page.png b/devices/hololens/images/windows-device-portal-home-page.png
new file mode 100644
index 0000000000..9604161bcd
Binary files /dev/null and b/devices/hololens/images/windows-device-portal-home-page.png differ
diff --git a/devices/hololens/images/wsfb-private.png b/devices/hololens/images/wsfb-private.png
new file mode 100644
index 0000000000..a71da6b565
Binary files /dev/null and b/devices/hololens/images/wsfb-private.png differ
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index 4b581a5c10..401b51e645 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -1,3 +1,39 @@
---
-redirect_url: https://developer.microsoft.com/windows/holographic/commercial_features
+title: Microsoft HoloLens (HoloLens)
+description: HoloLens provides extra features designed for business in the Commercial Suite.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: hololens, devices
+ms.sitesec: library
+author: jdeckerMS
---
+
+# Microsoft HoloLens
+
+
+
+
Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10.
Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic Enterprise when you apply the Enterprise license file to the device.

+
+
+## In this section
+
+| Topic | Description |
+| --- | --- |
+| [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management |
+| [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time |
+| [Upgrade to Windows Holographic Enterprise](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic Enterprise|
+| [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune |
+| [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app |
+| [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging |
+| [Install apps on HoloLens](hololens-install-apps.md) | Use Windows Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens|
+
+
+## Related resources
+
+- [Help for using HoloLens](https://support.microsoft.com/products/hololens)
+
+- [Documentation for Holographic app development](https://developer.microsoft.com/windows/holographic/documentation)
+
+- [HoloLens Commercial Suite](https://www.microsoft.com/microsoft-hololens/hololens-commercial)
+
+- [HoloLens release notes](https://developer.microsoft.com/en-us/windows/holographic/release_notes)
\ No newline at end of file
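Review bot: "Microsoft InTune" in the "Enroll HoloLens in MDM" table row should be "Microsoft Intune"; the product name is spelled correctly in the upgrade topic added in this same PR. Also, the front-matter title "Microsoft HoloLens (HoloLens)" repeats the name in parentheses; keep it only if that suffix is a docset convention, otherwise use the same "Microsoft HoloLens" as the H1.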
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index bd9ea9ca66..47279ae319 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -35,4 +35,5 @@
#### [Using a room control system](use-room-control-system-with-surface-hub.md)
### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
-### [Change history for Surface Hub](change-history-surface-hub.md)
\ No newline at end of file
+## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
+## [Change history for Surface Hub](change-history-surface-hub.md)
\ No newline at end of file
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 117e9e7911..a753773f2f 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -14,6 +14,12 @@ localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+## November 2016
+
+| New or changed topic | Description |
+| --- | --- |
+| [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | New |
+
## RELEASE: Windows Anniversary Update for Surface Hub (Windows 10, version 1607)
The topics in this library have been updated for Windows 10, version 1607 (also known as Windows Anniversary Update for Surface Hub). These topics had significant updates for this release:
- [Windows Updates (Surface Hub)](manage-windows-updates-for-surface-hub.md)
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index c32f557d19..3d1a589760 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -233,7 +233,7 @@ Surface Hub is compatible with a range of hardware. Choose the processor and mem
### Graphics adapter
-In replacement PC mode, Surface Hub supports any graphics adapter that can produce a DisplayPort signal. You'll improve your experience with a graphics adapter that can match Surface Hub's resolution and refresh rate. For example, though the best and recommended replacement PC experience on the Surface Hub is with a 120Hz video signal, 60Hz video signals are also supported.
+In replacement PC mode, Surface Hub supports any graphics adapter that can produce a DisplayPort signal. You'll improve your experience with a graphics adapter that can match Surface Hub's resolution and refresh rate. For example, the best and recommended replacement PC experience on the Surface Hub is with a 120Hz video signal.
**55" Surface Hubs** - For best experience, use a graphics card capable of 1080p resolution at 120Hz.
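Review bot: dropping "60Hz video signals are also supported" changes the stated compatibility, not just the wording. If a replacement PC driving 60Hz still works, the sentence should stay (reworded if the original phrasing was the problem); if 60Hz is no longer supported, the 55" and 84" graphics requirements below and the port tables should say so explicitly rather than leaving readers to infer it from an omission.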
@@ -295,7 +295,7 @@ Replacement PC ports on 55" Surface Hub.
PC video
Video input
-
DisplayPort 1.2
+
DP 1.2
Full screen display of 1080p at 120 Hz, plus audio
HDCP compliant
@@ -352,7 +352,7 @@ Replacement PC ports on 84" Surface Hub.
PC video
Video input
-
DisplayPort 1.2 (2x)
+
DP 1.2 (2x)
Full screen display of 2160p at 120 Hz, plus audio
HDCP compliant
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
new file mode 100644
index 0000000000..73557c1f2c
--- /dev/null
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -0,0 +1,169 @@
+---
+title: Differences between Surface Hub and Windows 10 Enterprise
+description: This topic explains the differences between Windows 10 Team and Windows 10 Enterprise.
+keywords: change history
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: isaiahng
+localizationpriority: medium
+---
+
+# Differences between Surface Hub and Windows 10 Enterprise
+
+The Surface Hub operating system, Windows 10 Team, is based on Windows 10 Enterprise, providing rich support for enterprise management, security, and other features. However, there are important differences between them. While the Enterprise edition is designed for PCs, Windows 10 Team is designed from the ground up for large screens and meeting rooms. When you evaluate security and management requirements for Surface Hub, it's best to consider it as a new operating system. This article is designed to help highlight the key differences between Windows 10 Team on Surface Hub and Windows 10 Enterprise, and what the differences mean for your organization.
+
+## User interface
+
+### Shell (OS user interface)
+
+The Surface Hub's shell is designed from the ground up to be large screen and touch optimized. It doesn't use the same shell as Windows 10 Enterprise.
+
+*Organization policies that this may affect:* Settings related to controls in the Windows 10 Enterprise shell don't apply for Surface Hub.
+
+### Lock screen and screensaver
+
+Surface Hub doesn't have a lock screen or a screen saver, but it has a similar feature called the welcome screen. The welcome screen shows scheduled meetings from the device account's calendar, and easy entry points to the Surface Hub's top apps - Skype for Business, Whiteboard, and Connect.
+
+*Organization policies that this may affect:* Settings for lock screen, screen timeout, and screen saver don't apply for Surface Hub.
+
+### User logon
+
+Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without logging on. The system always runs as a local, auto logged-in, low-privilege user. It doesn't support logging in any additional users - including admin users.
+
+> [!NOTE]
+> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **I'm done**.
+
+*Organization policies that this may affect:* Generally, Surface Hub uses lockdown features rather than user access control to enforce security. Policies related to password requirements, interactive logon, user accounts, and access control don't apply for Surface Hub.
+
+### Saving and browsing files
+
+Users have access to a limited set of directories on the Surface Hub:
+- Music
+- Videos
+- Documents
+- Pictures
+- Downloads
+
+Files saved locally in these directories are deleted when users press **I'm done**. To save content created during a meeting, users should save files to a USB drive or to OneDrive.
+
+*Organization policies that this may affect:* Policies related to access permissions and ownership of files and folders don't apply for Surface Hub. Users can't browse and save files to system directories and network folders.
+
+## Applications
+
+### Default applications
+
+With few exceptions, the default Universal Windows Platform (UWP) apps on Surface Hub are also available on Windows 10 PCs.
+
+UWP apps pre-installed on Surface Hub:
+- Alarms & Clock
+- Calculator
+- Connect
+- Excel Mobile
+- Feedback Hub
+- File Explorer*
+- Get Started
+- Maps
+- Microsoft Edge
+- Microsoft Power BI
+- OneDrive
+- Photos
+- PowerPoint Mobile
+- Settings*
+- Skype for Business*
+- Store
+- Whiteboard*
+- Word Mobile
+
+*Apps with an asterisk (*) are unique to Surface Hub*
+
+*Organization policies that this may affect:* Use guidelines for Windows 10 Enterprise to determine the features and network requirements for default apps on the Surface Hub.
+
+### Installing apps, drivers, and services
+
+To help preserve the appliance-like nature of the device, Surface Hub only supports installing Universal Windows Platform (UWP) apps, and does not support installing classic Win32 apps, services and drivers. Furthermore, only admins have access to install UWP apps.
+
+*Organization policies that this may affect:* Employees can only use the apps that have been installed by admins, helping mitigate against unintended use. Surface Hub doesn't support installing Win32 agents required by most traditional PC management and monitoring tools.
+
+## Security and lockdown
+
+For Surface Hub to be used in communal spaces, such as meeting rooms, its custom OS implements many of the security and lockdown features available in Windows 10.
+
+Surface Hub implements these Windows 10 security features:
+- [UEFI Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview)
+- [User Mode Code Integrity (UMCI) with Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies)
+- [Application restriction policies using AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview)
+- [BitLocker Drive Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview)
+- [Trusted Platform Module (TPM)](https://technet.microsoft.com/itpro/windows/keep-secure/trusted-platform-module-overview)
+- [Windows Defender](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10)
+- [User Account Control (UAC)](https://technet.microsoft.com/itpro/windows/keep-secure/user-account-control-overview) for access to the Settings app
+
+These Surface Hub features provide additional security:
+- Custom UEFI firmware
+- Custom shell and Start menu limits device to meeting functions
+- Custom File Explorer only grants access to files and folders under My Documents
+- Custom Settings app only allows admins to modify device settings
+- Downloading advanced Plug and Play drivers is disabled
+
+*Organization policies that this may affect:* Consider these features when performing your security assessment for Surface Hub.
+
+## Management
+
+### Device settings
+
+Device settings can be configured through the Settings app. The Settings app is customized for Surface Hub, but also contains many familiar settings from Windows 10 Desktop. A User Accounts Control (UAC) prompt appears when opening up the Settings app to verify the admin's credentials, but this does not log in the admin.
+
+*Organization policies that this may affect:* Employees can use the Surface Hub for meetings, but cannot modify any device settings. In addition to lockdown features, this ensures that employees only use the device for meeting functions.
+
+### Administrative features
+
+The administrative features in Windows 10 Enterprise, such as the Microsoft Management Console, Run, Command Prompt, PowerShell, registry editor, event viewer, and task manager are not supported on Surface Hub. The Settings app contains all of the administrative features locally available on Surface Hub.
+
+*Organization policies that this may affect:* Surface Hubs are not managed like traditional PCs. Use MDM to configure settings and OMS to monitor your Surface Hub.
+
+### Remote management and monitoring
+
+Surface Hub supports remote management through mobile device management (MDM), and monitoring through Operations Management Suite (OMS).
+
+*Organization policies that this may affect:* Surface Hub doesn't support installing Win32 agents required by most traditional PC management and monitoring tools, such as System Center Operations Manager.
+
+### Group policy
+
+Surface Hub does not support group policy, including auditing. Instead, use MDM to apply policies to your Surface Hub. For more information about MDM, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md).
+
+*Organization policies that this may affect:* Use MDM to manage Surface Hub rather than group policy.
+
+### Remote assistance
+
+Surface Hub does not support remote assistance.
+
+*Organization policies that this may affect:* Policies related to remote assistance don't apply for Surface Hub.
+
+## Network
+
+### Domain join and Azure Active Directory (Azure AD) join
+
+Surface Hub uses domain join and Azure AD join primarily to provide a directory-backed admin group. Users can't log in with a domain account. For more information, see [Admin group management](admin-group-management-for-surface-hub.md).
+
+*Organization policies that this may affect:* Group policies are not applied when a Surface Hub is joined to your domain. Policies related to domain membership don't apply for Surface Hub.
+
+### Accessing domain resources
+
+Users can sign in to Microsoft Edge to access intranet sites and online resources (such as Office 365). If your Surface Hub is configured with a device account, the system uses it to access Exchange and Skype for Business. However, Surface Hub doesn't support accessing domain resources such as file shares and printers.
+
+*Organization policies that this may affect:* Policies related to accessing domain objects don't apply for Surface Hub.
+
+
+
+### Telemetry
+
+The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit telemetry data. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization).
+
+*Organization policies that this may affect:* Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise.
\ No newline at end of file
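Review bot: the front matter "keywords: change history" looks copied from the change-history topic and does not describe this page; replace it with terms that match the content (Windows 10 Team, Surface Hub, lockdown, MDM). In the body, "A User Accounts Control (UAC) prompt" under Device settings should be "User Account Control", matching the Security and lockdown list above it. The trailing asterisks on "File Explorer*", "Settings*", "Skype for Business*", "Whiteboard*" and the legend line "*Apps with an asterisk (*) are unique to Surface Hub*" will be read as emphasis markers by Markdown and render unpredictably; escape them as "\*" or use a different marker. One security point worth a sentence: the note says credentials entered in Edge and other apps are deleted when users press "I'm done", but the page does not say what happens when nobody presses it. If the end-of-session cleanup also runs on a timeout or at the next scheduled meeting, say so, because that determines whether a credential left on the device is exposed to the next user of the room.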
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index d3ac315e96..43cc104e63 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -425,7 +425,7 @@ This page will attempt to create a new admin account using the credentials that
In order to get the latest features and fixes, you should update your Surface Hub as soon as you finish all of the preceding first-run steps.
-1. Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#using-wsus).
+1. Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#use-windows-server-update-services).
2. Open Settings, click **Update & security**, then **Windows Update**, and then click **Check for updates**.
3. If updates are available, they will be downloaded. Once downloading is complete, click the **Update now** button to install the updates.
4. Follow the onscreen prompts after the updates are installed. You may need to restart the device.
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index 4fd03e659e..798952d528 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -12,7 +12,7 @@ localizationpriority: medium
---
# Hybrid deployment (Surface Hub)
-A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
+A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#exchange-on-prem), and [Exchange hosted online](#exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
## Exchange on-prem
Use this procedure if you use Exchange on-prem.
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index 8c84d59605..ddbbfb4fab 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -34,5 +34,7 @@ Documents related to the Microsoft Surface Hub.
This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.
+
[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.
+
[Change history for Surface Hub](change-history-surface-hub.md)
This topic lists new and updated topis in the Surface Hub documentation.
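Review bot: "topis" in the unchanged context line "This topic lists new and updated topis" is a typo for "topics"; since this file is already being touched, fix it in the same change.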
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 67ea8b50ad..e41075f908 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -92,9 +92,9 @@ Once you've determined deployment rings for your Surface Hubs, configure update
> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
-## Use Windows Server Update Services (WSUS)
+## Use Windows Server Update Services
-You can connect Surface Hub to your WSUS server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
+You can connect Surface Hub to your indows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
**To manually connect a Surface Hub to a WSUS server:**
1. Open **Settings** on your Surface Hub.
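Review bot: "indows Server Update Services (WSUS)" in the rewritten sentence is missing the leading "W". Spelling the acronym out in the body is the right move now that the heading no longer carries "(WSUS)", but the heading rename also changes its anchor to #use-windows-server-update-services, so every link to the old #using-wsus anchor must be updated; first-run-program-surface-hub.md is fixed in this PR, but the rest of the docset should be checked.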
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index a7304bb73f..853813a012 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -57,17 +57,17 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too.
```PowerShell
- Set-Mailbox $acctUpn -Type Regular
- Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy.Id
- Set-Mailbox $acctUpn -Type Room
- Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true
+ Set-Mailbox 'HUB01@contoso.com' -Type Regular
+ Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.Id
+ Set-Mailbox 'HUB01@contoso.com' -Type Room
+ Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) -EnableRoomMailboxAccount $true
```
4. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
```PowerShell
- Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
- Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
+ Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
+ Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. Connect to Azure AD.
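Review bot: the fourth Set-Mailbox line in this hunk is not valid PowerShell: `ConvertTo-SecureString -String -AsPlainText -Force` gives -String no value, so the cmdlet fails, and the obvious "fix" of pasting a password there puts the device account secret in plain text in the script and the shell history. The original used a credential object ($credNewAccount.Password); a replacement that keeps the literal-UPN style without embedding the secret is `-RoomMailboxPassword (Read-Host -AsSecureString 'Device account password')`, which prompts at run time. Also, while $acctUpn has been replaced with 'HUB01@contoso.com' throughout, $easPolicy.Id on the Set-CASMailbox line is still an unexplained variable; either substitute a literal policy name as well or say where $easPolicy was created.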
@@ -81,7 +81,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
6. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
```PowerShell
- Set-MsolUser -UserPrincipalName $acctUpn -PasswordNeverExpires $true
+ Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true
```
7. The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
@@ -91,9 +91,9 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*).
```PowerShell
- Set-MsolUser -UserPrincipalName $acctUpn -UsageLocation "US"
+ Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation "US"
Get-MsolAccountSku
- Set-MsolUserLicense -UserPrincipalName $acctUpn -AddLicenses $strLicense
+ Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense
```
8. Enable the device account with Skype for Business.
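Review bot: Only `$acctUpn` is replaced by the literal `'HUB01@contoso.com'` in this hunk while `$strLicense` stays a variable on the `Set-MsolUserLicense` line, and the sentence above still explains "`$strLicense` is the SKU code". Either keep variables for both values (defined once at the top of the procedure) or replace `$strLicense` with the literal example the prose already gives, `'contoso:STANDARDPACK'`, so the snippet is consistent with itself.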
@@ -118,14 +118,14 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
- To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
```PowerShell
- Enable-CsMeetingRoom -Identity $rm -RegistrarPool
+ Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool
"sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress
```
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
```PowerShell
- Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool*
+ Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool*
```
9. Assign Skype for Business license to your Surface Hub account.
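Review bot: The updated `Enable-CsMeetingRoom` command is still split across two lines with no backtick line continuation, so `-RegistrarPool` ends the first line without an argument and `"sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress` is parsed as a separate, invalid statement; put it on one line or end the first line with a backtick. On the updated `Get-CsOnlineUser` line, the curly quotes around `‘alice@contoso.com’` should be straight single quotes and a space is missing before the pipe.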
diff --git a/devices/surface-hub/surface-hub-administrators-guide.md b/devices/surface-hub/surface-hub-administrators-guide.md
index 275dd6a33b..4786082d45 100644
--- a/devices/surface-hub/surface-hub-administrators-guide.md
+++ b/devices/surface-hub/surface-hub-administrators-guide.md
@@ -16,7 +16,7 @@ localizationpriority: medium
This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.
-Before you power on Microsoft Surface Hub for the first time, make sure you've [completed the checklist](prepare-your-environment-for-surface-hub.md#prepare-checklist) at the end of the [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) section, and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
+Before you power on Microsoft Surface Hub for the first time, make sure you've [completed preparation items](prepare-your-environment-for-surface-hub.md), and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
## In this section
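Review bot: The new link drops the `#prepare-checklist` anchor and "completed preparation items" is vaguer than "completed the checklist". If the checklist section still exists in prepare-your-environment-for-surface-hub.md, keep the deep link; if it was removed, say what the reader is expected to have completed before powering on the device.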
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index c2eea7a99c..ee3fbbd2b8 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -21,6 +21,7 @@
## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
+### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md)
## [Change history for Surface documentation](change-history-for-surface.md)
diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
index 6caa1ce23a..359032994a 100644
--- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
+++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
@@ -21,7 +21,7 @@ To address more granular control over the security of Surface devices, the v3.11
## Manually install the UEFI update
-Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically by using Windows Update, see [How to configure and use Automatic Updates in Windows]( https://go.microsoft.com/fwlink/p/?LinkID=618030).
+Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically by using Windows Update, see [How to configure and use Automatic Updates in Windows](https://support.microsoft.com/en-us/kb/306525).
To update the UEFI on Surface Pro 3, you can download and install the Surface UEFI updates as part of the Surface Pro 3 Firmware and Driver Pack. These firmware and driver packs are available from the [Surface Pro 3 page](https://www.microsoft.com/download/details.aspx?id=38826) on the Microsoft Download Center. You can find out more about the firmware and driver packs at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). The firmware and driver packs are available as both self-contained Windows Installer (.msi) and archive (.zip) formats. You can find out more about these two formats and how you can use them to update your drivers at [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates).
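Review bot: The replacement URL keeps the locale segment (`support.microsoft.com/en-us/kb/306525`), while this same change removes `en-us` from other support links (KB3025419 becomes `support.microsoft.com/kb/3025419`); the KB2909710 link later in the change also keeps it. Pick one form for the whole change.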
@@ -56,7 +56,7 @@ As an IT professional with administrative privileges, you can automate the confi
- The sample scripts below leverage the previously mentioned extension and therefore assume that the tool has been installed on the device being managed.
- The scripts must be run with administrative privilege.
-- The Windows PowerShell command [**Set-ExecutionPolicy Unrestricted**](https://go.microsoft.com/fwlink/p/?LinkID=618039) must be called prior to running sample scripts if they are not digitally signed.
+- The Windows PowerShell command [**Set-ExecutionPolicy Unrestricted**](https://technet.microsoft.com/library/ee176961.aspx) must be called prior to running sample scripts if they are not digitally signed.
**Sample scripts**
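Review bot: The bullet still instructs readers to run `Set-ExecutionPolicy Unrestricted` before the sample scripts, which changes a machine-wide policy that is broader than the task needs, especially since the scripts already run with administrative privilege. Suggest recommending the least permissive setting that works, `Set-ExecutionPolicy RemoteSigned` (locally authored unsigned scripts run, downloaded ones must be signed), or limiting the change to the current session with `-Scope Process`, and noting that the policy should be restored afterwards.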
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index dd716e83f7..3297316928 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -11,6 +11,14 @@ author: jdeckerMS
This topic lists new and updated topics in the Surface documentation library.
+## November 2016
+
+|New or changed topic | Description |
+| --- | --- |
+|[Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) | New |
+
+
+
## October 2016
| New or changed topic | Description |
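Review bot: The new November 2016 block adds three trailing blank lines before `## October 2016`; one is enough. The new table header `|New or changed topic | Description |` also lacks the space after the leading pipe used by the existing October table (`| New or changed topic | Description |`); match the existing formatting.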
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index 447e377d2c..caf7719cc4 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -22,12 +22,12 @@ Although the deployment and management of Surface devices is fundamentally the s
## Updating Surface device drivers and firmware
-For devices that receive updates through Windows Update, drivers for Surface components – and even firmware updates – are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS), the option to install drivers and firmware through Windows Update is not available. For these managed devices, the recommended driver management process is the deployment of driver and firmware updates using the Windows Installer (.msi) files, which are provided through the Microsoft Download Center. You can find a list of these downloads at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
+For devices that receive updates through Windows Update, drivers for Surface components – and even firmware updates – are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS), the option to install drivers and firmware through Windows Update is not available. For these managed devices, the recommended driver management process is the deployment of driver and firmware updates using the Windows Installer (.msi) files, which are provided through the Microsoft Download Center. You can find a list of these downloads at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
-As .msi files, deployment of driver and firmware updates is performed in the same manner as deployment of an application. Instead of installing an application as would normally happen when an .msi file is run, the Surface driver and firmware .msi will apply the driver and firmware updates to the device. The single .msi file contains the driver and firmware updates required by each component of the Surface device. The updates for firmware are applied the next time the device reboots. You can read more about the .msi installation method for Surface drivers and firmware in [Manage Surface driver and firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-pro-3-firmware-updates). For more information about how to deploy applications with Configuration Manager, see [Packages and programs in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/packages-and-programs).
+As .msi files, deployment of driver and firmware updates is performed in the same manner as deployment of an application. Instead of installing an application as would normally happen when an .msi file is run, the Surface driver and firmware .msi will apply the driver and firmware updates to the device. The single .msi file contains the driver and firmware updates required by each component of the Surface device. The updates for firmware are applied the next time the device reboots. You can read more about the .msi installation method for Surface drivers and firmware in [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates). For more information about how to deploy applications with Configuration Manager, see [Packages and programs in System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs).
>[!NOTE]
->Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2 – for more information see [Can't import drivers into System Center Configuration Manager (KB3025419)](https://support.microsoft.com/en-us/kb/3025419).
+>Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2 – for more information see [Can't import drivers into System Center Configuration Manager (KB3025419)](https://support.microsoft.com/kb/3025419).
## Surface Ethernet adapters and Configuration Manager deployment
@@ -47,11 +47,11 @@ For versions of Windows prior to Windows 10, version 1511 (including Windows 10
## Deploy Surface app with Configuration Manager
-With the release of Windows Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Windows Store for Business and then deploy Surface app with PowerShell. You can find the PowerShell commands for deployment of Surface app, instructions to download Surface app, and prerequisite frameworks from Windows Store for Business in the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/en-us/itpro/surface/deploy-surface-app-with-windows-store-for-business) article in the TechNet Library.
+With the release of Windows Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Windows Store for Business and then deploy Surface app with PowerShell. You can find the PowerShell commands for deployment of Surface app, instructions to download Surface app, and prerequisite frameworks from Windows Store for Business in the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article in the TechNet Library.
## Use prestaged media with Surface clients
-If your organization uses prestaged media to pre-load deployment resources on to machines prior to deployment with Configuration Manager, the nature of Surface devices as UEFI devices may require you to take additional steps. Specifically, a native UEFI environment requires that you create multiple partitions on the boot disk of the system. If you are following along with the [documentation for prestaged media](https://technet.microsoft.com/en-us/library/79465d90-4831-4872-96c2-2062d80f5583?f=255&MSPPError=-2147217396#BKMK_CreatePrestagedMedia), the instructions provide for only single partition boot disks and therefore will fail when applied to Surface devices.
+If your organization uses prestaged media to pre-load deployment resources on to machines prior to deployment with Configuration Manager, the nature of Surface devices as UEFI devices may require you to take additional steps. Specifically, a native UEFI environment requires that you create multiple partitions on the boot disk of the system. If you are following along with the [documentation for prestaged media](https://technet.microsoft.com/library/79465d90-4831-4872-96c2-2062d80f5583?f=255&MSPPError=-2147217396#BKMK_CreatePrestagedMedia), the instructions provide for only single partition boot disks and therefore will fail when applied to Surface devices.
Instructions for applying prestaged media to UEFI devices, such as Surface devices, can be found in the [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in System Center Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/) blog post.
@@ -61,16 +61,16 @@ Surface devices come preinstalled with a licensed copy of Windows. For example,
When you reimage a device by using Windows Enterprise, this embedded license key does not cause a conflict. This is because the installation media for Windows Enterprise is configured to install only an Enterprise edition of Windows and therefore is incompatible with the license key embedded in the system firmware. If a product key is not specified (such as when you intend to activate with Key Management Services (KMS) or Active Directory Based Activation), a Generic Volume License Key (GVLK) is used until Windows is activated by one of those technologies.
-However, issues may arise when organizations intend to use versions of Windows that are compatible with the firmware embedded key. For example, an organization that wants to install Windows 10 Professional on a Surface 3 device that originally shipped with Windows 10 Home edition may encounter difficulty when Windows setup automatically reads the Home edition key during installation and installs as Home edition rather than Professional. To avoid this conflict, you can use the Ei.cfg or Pid.txt file (see [Windows Setup Edition Configuration and Product ID Files](https://technet.microsoft.com/en-us/library/hh824952.aspx)) to explicitly instruct Windows setup to prompt for a product key, or you can enter a specific product key in the deployment task sequence. If you do not have a specific key, you can use the default product keys for Windows, which you can find in [Customize and deploy a Windows 10 operating system](https://dpcenter.microsoft.com/en/Windows/Build/cp-Windows-10-build) on the Device Partner Center.
+However, issues may arise when organizations intend to use versions of Windows that are compatible with the firmware embedded key. For example, an organization that wants to install Windows 10 Professional on a Surface 3 device that originally shipped with Windows 10 Home edition may encounter difficulty when Windows setup automatically reads the Home edition key during installation and installs as Home edition rather than Professional. To avoid this conflict, you can use the Ei.cfg or Pid.txt file (see [Windows Setup Edition Configuration and Product ID Files](https://technet.microsoft.com/library/hh824952.aspx)) to explicitly instruct Windows setup to prompt for a product key, or you can enter a specific product key in the deployment task sequence. If you do not have a specific key, you can use the default product keys for Windows, which you can find in [Customize and deploy a Windows 10 operating system](https://dpcenter.microsoft.com/en/Windows/Build/cp-Windows-10-build) on the Device Partner Center.
## Apply an asset tag during deployment
Surface Book, Surface Pro 4, Surface Pro 3, and Surface 3 devices all support the application of an asset tag in UEFI. This asset tag can be used to identify the device from UEFI even if the operating system fails, and it can also be queried from within the operating system. To read more about the Surface Asset Tag function, see the [Asset Tag Tool for Surface Pro 3](https://blogs.technet.microsoft.com/askcore/2014/10/20/asset-tag-tool-for-surface-pro-3/) blog post.
-To apply an asset tag using the [Surface Asset Tag CLI Utility](https://www.microsoft.com/en-us/download/details.aspx?id=44076) during a Configuration Manager deployment task sequence, use the script and instructions found in the [Set Surface Asset Tag During a Configuration Manager Task Sequence](https://blogs.technet.microsoft.com/jchalfant/set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence/) blog post.
+To apply an asset tag using the [Surface Asset Tag CLI Utility](https://www.microsoft.com/download/details.aspx?id=44076) during a Configuration Manager deployment task sequence, use the script and instructions found in the [Set Surface Asset Tag During a Configuration Manager Task Sequence](https://blogs.technet.microsoft.com/jchalfant/set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence/) blog post.
## Configure push-button reset
When you deploy Windows to a Surface device, the push-button reset functionality of Windows is configured by default to revert the system back to a state where the environment is not yet configured. When the reset function is used, the system discards any installed applications and settings. Although in some situations it can be beneficial to restore the system to a state without applications and settings, in a professional environment this effectively renders the system unusable to the end user.
-Push-button reset can be configured, however, to restore the system configuration to a state where it is ready for use by the end user. Follow the process outlined in [Deploy push-button reset features](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/deploy-push-button-reset-features) to customize the push-button reset experience for your devices.
+Push-button reset can be configured, however, to restore the system configuration to a state where it is ready for use by the end user. Follow the process outlined in [Deploy push-button reset features](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/deploy-push-button-reset-features) to customize the push-button reset experience for your devices.
diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md
index 8532617b50..df861406ec 100644
--- a/devices/surface/customize-the-oobe-for-surface-deployments.md
+++ b/devices/surface/customize-the-oobe-for-surface-deployments.md
@@ -22,7 +22,7 @@ It is common practice in a Windows deployment to customize the user experience f
In some scenarios, you may want to provide complete automation to ensure that at the end of a deployment, computers are ready for use without any interaction from the user. In other scenarios, you may want to leave key elements of the experience for users to perform necessary actions or select between important choices. For administrators deploying to Surface devices, each of these scenarios presents a unique challenge to overcome.
-This article provides a summary of the scenarios where a deployment might require additional steps. It also provides the required information to ensure that the desired experience is achieved on any newly deployed Surface device. This article is intended for administrators who are familiar with the deployment process, as well as concepts such as answer files and [reference images](https://go.microsoft.com/fwlink/p/?LinkID=618042).
+This article provides a summary of the scenarios where a deployment might require additional steps. It also provides the required information to ensure that the desired experience is achieved on any newly deployed Surface device. This article is intended for administrators who are familiar with the deployment process, as well as concepts such as answer files and [reference images](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image).
>**Note:** Although the OOBE phase of setup is still run during a deployment with an automated deployment solution such as the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117) or System Center Configuration Manager Operating System Deployment (OSD), it is automated by the settings supplied in the Deployment Wizard and task sequence. For more information see:
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](http://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit)
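Review bot: The note line still links MDT through `https://go.microsoft.com/fwlink/p/?LinkId=618117` while this change replaces fwlink redirectors with direct URLs elsewhere in the file (the reference images link on the previous line, for example); replace this one too for consistency.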
@@ -36,7 +36,7 @@ This article provides a summary of the scenarios where a deployment might requir
When a wireless network adapter is present during OOBE, the **Join a wireless network** page is displayed, which prompts a user to connect to a wireless network. This page is not automatically hidden by deployment technologies, including MDT 2013, and therefore will be displayed even when a deployment is configured for complete automation.
-To ensure that an automated deployment is not stopped by this page, the page must be hidden by configuring an additional setting in the answer file, **HideWirelessSetupInOOBE**. You can find additional information about the **HideWirelessSetupInOOBE** setting in [Unattended Windows Setup Reference](https://go.microsoft.com/fwlink/p/?LinkID=618044).
+To ensure that an automated deployment is not stopped by this page, the page must be hidden by configuring an additional setting in the answer file, **HideWirelessSetupInOOBE**. You can find additional information about the **HideWirelessSetupInOOBE** setting in [Unattended Windows Setup Reference](https://technet.microsoft.com/library/ff716213.aspx).
## Scenario 2: Surface Pen pairing in OOBE
@@ -54,7 +54,7 @@ To provide the factory Surface Pen pairing experience in OOBE, you must copy fou
-The step-by-step process for adding these required files to an image is described in [Deploying Surface Pro 3 Pen and OneNote Tips](https://go.microsoft.com/fwlink/p/?LinkID=618045). This blog post also includes tips to ensure that the necessary updates for the Surface Pen Quick Note-Taking Experience are installed, which allows users to send notes to OneNote with a single click.
+The step-by-step process for adding these required files to an image is described in [Deploying Surface Pro 3 Pen and OneNote Tips](https://blogs.technet.microsoft.com/askcore/2014/07/15/deploying-surface-pro-3-pen-and-onenote-tips/). This blog post also includes tips to ensure that the necessary updates for the Surface Pen Quick Note-Taking Experience are installed, which allows users to send notes to OneNote with a single click.
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index 4c35222e31..6183f55206 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -27,13 +27,13 @@ If your organization is preparing images that will be deployed to your Surface d
####Surface app overview
-The Surface app is available as a free download from the [Windows Store](https://www.microsoft.com/en-us/store/apps/Surface/9WZDNCRFJB8P). Users can download and install it from the Windows Store, but if your organization uses Windows Store for Business instead, you will need to add it to your store’s inventory and possibly include the app as part of your Windows deployment process. These processes are discussed throughout this article. For more information about Windows Store for Business, see [Windows Store for Business](https://technet.microsoft.com/en-us/windows/store-for-business) in the Windows TechCenter.
+The Surface app is available as a free download from the [Windows Store](https://www.microsoft.com/store/apps/Surface/9WZDNCRFJB8P). Users can download and install it from the Windows Store, but if your organization uses Windows Store for Business instead, you will need to add it to your store’s inventory and possibly include the app as part of your Windows deployment process. These processes are discussed throughout this article. For more information about Windows Store for Business, see [Windows Store for Business](https://technet.microsoft.com/windows/store-for-business) in the Windows TechCenter.
##Add Surface app to a Windows Store for Business account
Before users can install or deploy an app from a company’s Windows Store for Business account, the desired app(s) must first be made available and licensed to the users of a business.
-1. If you have not already done so, create a [Windows Store for Business account](https://www.microsoft.com/en-us/business-store).
+1. If you have not already done so, create a [Windows Store for Business account](https://www.microsoft.com/business-store).
2. Log on to the portal.
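Review bot: The headings `####Surface app overview` and `##Add Surface app to a Windows Store for Business account` have no space after the `#` characters, so CommonMark-compliant renderers will not treat them as headings. Since the hunk already touches this region, add the space.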
@@ -91,7 +91,7 @@ To download the required frameworks for the Surface app, follow these steps:
##Install Surface app on your computer with PowerShell
The following procedure provisions the Surface app onto your computer and makes it available for any user accounts created on the computer afterwards.
-1. Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#how-to-download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file.
+1. Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file.
2. Begin an elevated PowerShell session.
>**Note:** If you don’t run PowerShell as an Administrator, the session won’t have the required permissions to install the app.
3. In the elevated PowerShell session, copy and paste the following command:
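Review bot: The anchor now points at `#download-surface-app-from-a-windows-store-for-business-account`, but the link text still reads "How to download Surface app from a Windows Store for Business account"; if the target heading was renamed to drop "How to", update the link text to match so readers can find the section. The `[earlier in this article]` link in the MDT section below has the same anchor change and should be checked against the same heading.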
@@ -119,7 +119,7 @@ Before the Surface app is functional on the computer where it has been provision
##Install Surface app with MDT
The following procedure uses MDT to automate installation of the Surface app at the time of deployment. The application is provisioned automatically by MDT during deployment and thus you can use this process with existing images. This is the recommended process to deploy the Surface app as part of a Windows deployment to Surface devices because it does not reduce the cross platform compatibility of the Windows image.
-1. Using the procedure described [earlier in this article](#how-to-download-surface-app-from-a-windows-store-for-business-account), download the Surface app AppxBundle and license file.
+1. Using the procedure described [earlier in this article](#download-surface-app-from-a-windows-store-for-business-account), download the Surface app AppxBundle and license file.
2. Using the New Application Wizard in the MDT Deployment Workbench, import the downloaded files as a new **Application with source files**.
3. On the **Command Details** page of the New Application Wizard, specify the default **Working Directory** and for the **Command** specify the file name of the AppxBundle, as follows:
@@ -144,4 +144,4 @@ After import, the Surface app will be available for selection in the **Applicati
2. Add a new **Install Application** task in the **State Restore** section of deployment.
3. Select **Install a single application** and specify the **Surface App** as the **Application to be installed**.
-For more information about including apps into your Windows deployments, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit).
+For more information about including apps into your Windows deployments, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit).
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index 2df6fdcd7f..8a5ff4b34e 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -33,14 +33,14 @@ Installation files for administrative tools, drivers for accessories, and update
Recent additions to the downloads for Surface devices provide you with options to install Windows 10 on your Surface devices and update LTE devices with the latest Windows 10 drivers and firmware.
->**Note:** A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information.
+>**Note:** A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://support.microsoft.com/en-us/kb/2909710) for more information.
## Surface Book
-Download the following updates [for Surface Book from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=691691).
+Download the following updates [for Surface Book from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49497).
- SurfaceBook\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
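Review bot: the KB link on the `+` line keeps its locale segment (`support.microsoft.com/en-us/kb/2909710`) while every other link in this change removes `en-us`; either use the locale-neutral form or say why this one is an exception. Separately, the Surface Book link replaces a `go.microsoft.com/fwlink` redirector with a fixed `details.aspx?id=49497` address. fwlink IDs are maintained redirectors, so hard-coding the Download Center ID means this page goes stale if the package is reissued under a new ID, and because this is the page administrators use to fetch firmware, a stale or mistargeted link deserves a deliberate decision rather than a blanket replacement.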
@@ -49,7 +49,7 @@ Download the following updates [for Surface Book from the Microsoft Download Cen
## Surface Pro 4
-Download the following updates for [Surface Pro 4 from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=691692).
+Download the following updates for [Surface Pro 4 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49498).
- SurfacePro4\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
@@ -58,7 +58,7 @@ Download the following updates for [Surface Pro 4 from the Microsoft Download Ce
## Surface Pro 3
-Download the following updates [for Surface Pro 3 from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690288).
+Download the following updates [for Surface Pro 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=38826).
- SurfacePro3\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
@@ -85,7 +85,7 @@ Download the following updates [for Surface Pro 3 from the Microsoft Download Ce
## Surface 3
-Download the following updates [for Surface 3 from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690289).
+Download the following updates [for Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49040).
- Surface3\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
@@ -102,7 +102,7 @@ Download the following updates [for Surface 3 from the Microsoft Download Center
## Surface 3 LTE
-Download the following updates [for AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690290).
+Download the following updates [for AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49039).
- Surface3\_US1\_Win10\_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10
@@ -118,7 +118,7 @@ Download the following updates [for AT&T 4G LTE versions of Surface 3 from the M
- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
-Download the following updates [for non-AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690291).
+Download the following updates [for non-AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49037).
- Surface3\_NAG\_Win10\_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10
@@ -134,7 +134,7 @@ Download the following updates [for non-AT&T 4G LTE versions of Surface 3 from t
- Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1
-Download the following updates [for 4G LTE Surface 3 versions for regions outside North America from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690292).
+Download the following updates [for 4G LTE Surface 3 versions for regions outside North America from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49041).
- Surface3\_ROW\_Win10\_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10
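Review bot: the three Surface 3 LTE hunks in this file now point at three distinct fixed IDs (49039 for the AT&T package, 49037 for the non-AT&T North America package, 49041 for the rest-of-world package) whose descriptions on the following lines are carrier- and region-specific; please confirm each ID resolves to the matching variant, since a transposed ID here would direct administrators to firmware for the wrong device variant and the link text gives no way to notice.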
@@ -153,7 +153,7 @@ Download the following updates [for 4G LTE Surface 3 versions for regions outsid
## Surface Pro 2
-Download the following updates [for Surface Pro 2 from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690293).
+Download the following updates [for Surface Pro 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49042).
- SurfacePro2\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
@@ -168,7 +168,7 @@ Download the following updates [for Surface Pro 2 from the Microsoft Download Ce
## Surface Pro
-Download the following updates [for Surface Pro from the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=690294).
+Download the following updates [for Surface Pro from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49038).
- SurfacePro\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10
@@ -185,7 +185,7 @@ Download the following updates [for Surface Pro from the Microsoft Download Cent
There are no downloadable firmware or driver updates available for Surface RT. Updates can only be applied using Windows Update.
-If you have additional questions on the driver pack and updates, please contact [Microsoft Surface support for business](https://go.microsoft.com/fwlink/p/?LinkId=618107).
+If you have additional questions on the driver pack and updates, please contact [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business).
diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
index a29f37c0ef..f16b7e5abd 100644
--- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
+++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
@@ -29,31 +29,31 @@ By automating each aspect of the deployment process, you not only greatly decrea
## Deployment tools
-The deployment process described in this article leverages a number of Microsoft deployment tools and technologies. Some of these tools and technologies are included in Windows client and Windows Server, such as Hyper-V and Windows Deployment Services (WDS), while others are available as free downloads from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/windows.aspx).
+The deployment process described in this article leverages a number of Microsoft deployment tools and technologies. Some of these tools and technologies are included in Windows client and Windows Server, such as Hyper-V and Windows Deployment Services (WDS), while others are available as free downloads from the [Microsoft Download Center](https://www.microsoft.com/download/windows.aspx).
#### Microsoft Deployment Toolkit
The Microsoft Deployment Toolkit (MDT) is the primary component of a Windows deployment. It serves as a unified interface for most of the Microsoft deployment tools and technologies, such as the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), User State Migration Tool (USMT), and many other tools and technologies. Each of these is discussed throughout this article. The unified interface, called the *Deployment Workbench*, facilitates automation of the deployment process through a series of stored deployment procedures, known as a *task sequence*. Along with these task sequences and the many scripts and tools that MDT provides, the resources for a Windows deployment (driver files, application installation files, and image files) are stored in a network share known as the *deployment share*.
-You can download and find out more about MDT at [Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/windows/dn475741).
+You can download and find out more about MDT at [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741).
#### Windows Assessment and Deployment Kit
Although MDT is the tool you will interact with most during the deployment process, the deployment tools found in the Windows ADK perform most of the deployment tasks during the deployment process. The resources for deployment are held within the MDT deployment share, but it is the collection of tools included in Windows ADK that access the image files, stage drivers and Windows updates, run the deployment experience, provide instructions to Windows Setup, and back up and restore user data.
-You can download and find out more about the Windows ADK at [Download the Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#windowsadk).
+You can download and find out more about the Windows ADK at [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#windowsadk).
#### Windows 10 installation media
Before you can perform a deployment with MDT, you must first supply a set of operating system installation files and an operating system image. These files and image can be found on the physical installation media (DVD) for Windows 10. You can also find these files in the disk image (ISO file) for Windows 10, which you can download from the [Volume Licensing Service Center (VLSC)](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
->**Note:** The installation media generated from the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT.
+>**Note:** The installation media generated from the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT.
#### Windows Server
Although MDT can be installed on a Windows client, to take full advantage of Windows Deployment Services’ ability to network boot, a full Windows Server environment is recommended. To provide network boot for UEFI devices like Surface with WDS, you will need Windows Server 2008 R2 or later.
->**Note:** To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter).
+>**Note:** To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter).
#### Windows Deployment Services
@@ -67,13 +67,13 @@ The process of creating a reference image should always be performed in a virtua
Because customizations are performed by MDT at the time of deployment, the goal of reference image creation is not to perform customization but to increase performance during deployment by reducing the number of actions that need to occur on each deployed device. The biggest action that can slow down an MDT deployment is the installation of Windows updates. When MDT performs this step during the deployment process, it downloads the updates on each deployed device and installs them. By installing Windows updates in your reference image, the updates are already installed when the image is deployed to the device and the MDT update process only needs to install updates that are new since the image was created or are applicable to products other than Windows (for example, Microsoft Office updates).
->**Note:** Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center.
+>**Note:** Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center.
#### Surface firmware and drivers
For your deployed Windows environment to function correctly on your Surface devices, you will need to install the drivers used by Windows to communicate with the components of your device. These drivers are available for download in the Microsoft Download Center for each Surface device. You can find the correct Microsoft Download Center page for your device at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
-When you browse to the specific Microsoft Download Center page for your device, you will notice that there are two files available for download. One file is a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. The other file is an archive (.zip) file. This file contains the individual driver files that are used during deployment, or for manual installation with Device Manager. The file that you will need to download is the .zip archive file. You can read more about the difference between the firmware and driver pack file types at [Manage Surface driver and firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-pro-3-firmware-updates).
+When you browse to the specific Microsoft Download Center page for your device, you will notice that there are two files available for download. One file is a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. The other file is an archive (.zip) file. This file contains the individual driver files that are used during deployment, or for manual installation with Device Manager. The file that you will need to download is the .zip archive file. You can read more about the difference between the firmware and driver pack file types at [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates).
In addition to the driver files that help Windows communicate with the hardware components of the Surface device, the .zip file you download will also contain firmware updates. These firmware updates will update the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. The firmware of an out-of-date Surface device is thus updated when the device reboots during and after the Windows deployment process.
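Review bot: on the `+` line the link text "Manage Surface driver and firmware updates" points at the slug `manage-surface-pro-3-firmware-updates`; the locale removal is fine, but confirm that this Surface Pro 3-specific slug is the intended target for a general statement about .msi versus .zip packages, or update the link text to match the article it actually reaches.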
@@ -88,7 +88,7 @@ In addition to the drivers that are used by Windows to communicate with the Surf
#### Microsoft Surface Deployment Accelerator
-If you want to deploy only to Surface devices or you want an accelerated method to perform deployment to Surface devices, you can use the Microsoft Surface Deployment Accelerator to generate an MDT deployment share complete with Surface device drivers, Surface apps, and pre-configured task sequences to create a reference image and perform deployment to Surface devices. Microsoft Surface Deployment Accelerator can automatically import boot images into WDS and prepare WDS for network boot (PXE). You can download the Microsoft Surface Deployment Accelerator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center.
+If you want to deploy only to Surface devices or you want an accelerated method to perform deployment to Surface devices, you can use the Microsoft Surface Deployment Accelerator to generate an MDT deployment share complete with Surface device drivers, Surface apps, and pre-configured task sequences to create a reference image and perform deployment to Surface devices. Microsoft Surface Deployment Accelerator can automatically import boot images into WDS and prepare WDS for network boot (PXE). You can download the Microsoft Surface Deployment Accelerator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
### Install the deployment tools
@@ -120,7 +120,7 @@ Using the Windows Deployment Services Configuration Wizard, configure WDS to fit
#### Install Windows Assessment and Deployment Kit
-To install Windows ADK, run the Adksetup.exe file that you downloaded from [Download the Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#adkwin10). Windows ADK must be installed before MDT. You should always download and use the most recent version of Windows ADK. A new version is usually released corresponding with each new version of Windows.
+To install Windows ADK, run the Adksetup.exe file that you downloaded from [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#adkwin10). Windows ADK must be installed before MDT. You should always download and use the most recent version of Windows ADK. A new version is usually released corresponding with each new version of Windows.
>**Note:** You can also use the Adksetup.exe file to download the Windows ADK installation files locally for use on other devices.
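Review bot: the Windows ADK link on the `+` line uses the fragment `#adkwin10`, while the earlier hunk in this file (`@@ -29,31`) links the same page with `#windowsadk`; both were carried over unchanged from the `-` lines, but since both links are being rewritten in this patch, pick the one fragment that exists on the target page and use it in both places.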
@@ -409,7 +409,7 @@ Now that your updated reference image is imported, it is time to prepare your de
Before you can deploy your updated reference image to Surface devices, or any physical environment, you need to supply MDT with the drivers that Windows will use to communicate with that physical environment. For Surface devices you can download all of the drivers required by Windows in a single archive (.zip) file in a format that is ready for deployment. In addition to the drivers that are used by Windows to communicate with the hardware and components, Surface firmware and driver packs also include updates for the firmware of those components. By installing the Surface firmware and driver pack, you will also bring your device’s firmware up to date. If you have not done so already, download the drivers for your Surface device listed at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
-Many devices require that you import drivers specifically for WinPE in order for the MDT boot media to communicate with the deployment share and to boot properly on that device. Even Surface Pro 3 required that network drivers be imported specifically for WinPE for deployment of Windows 8.1. Fortunately, for Windows 10 deployments to Surface devices, all of the required drivers for operation of WinPE are contained within the out-of-box drivers that are built into Windows 10. It is still a good idea to prepare your environment with folder structure and selection profiles that allow you to specify drivers for use in WinPE. You can read more about that folder structure in **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec05).
+Many devices require that you import drivers specifically for WinPE in order for the MDT boot media to communicate with the deployment share and to boot properly on that device. Even Surface Pro 3 required that network drivers be imported specifically for WinPE for deployment of Windows 8.1. Fortunately, for Windows 10 deployments to Surface devices, all of the required drivers for operation of WinPE are contained within the out-of-box drivers that are built into Windows 10. It is still a good idea to prepare your environment with folder structure and selection profiles that allow you to specify drivers for use in WinPE. You can read more about that folder structure in **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec05).
To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow these steps:
@@ -445,7 +445,7 @@ To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow
### Import applications
-You can import any number of applications into MDT for installation on your devices during the deployment process. You can configure your applications and task sequences to prompt you during deployment to pick and choose which applications are installed, or you can use your task sequence to explicitly define which applications are installed. For more information, see **Step 4: Add an application** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec04).
+You can import any number of applications into MDT for installation on your devices during the deployment process. You can configure your applications and task sequences to prompt you during deployment to pick and choose which applications are installed, or you can use your task sequence to explicitly define which applications are installed. For more information, see **Step 4: Add an application** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec04).
#### Import Microsoft Office 365 Installer
@@ -499,9 +499,9 @@ Now that the installation and configuration files are prepared, the application
#### Import Surface app installer
-The Surface app is a Windows Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/en-us/support/apps-and-windows-store/surface-app?os=windows-10).
+The Surface app is a Windows Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/support/apps-and-windows-store/surface-app?os=windows-10).
-To perform a deployment of the Surface app, you will need to download the app files through Windows Store for Business. You can find detailed instructions on how to download the Surface app through Windows Store for Business at [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/en-us/itpro/surface/deploy-surface-app-with-windows-store-for-business).
+To perform a deployment of the Surface app, you will need to download the app files through Windows Store for Business. You can find detailed instructions on how to download the Surface app through Windows Store for Business at [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business).
After you have downloaded the installation files for Surface app, including the AppxBundle and license files, you can import these files into the deployment share through the same process as a desktop application like Microsoft Office. Both the AppxBundle and license files must be together in the same folder for the import process to complete successfully. Use the following command on the **Command Details** page to install the Surface app:
```
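Review bot: unlike the TechNet and Download Center links elsewhere in this patch, where `en-us` was a leading path segment, the Surface support link on the first `+` line removes the locale from the middle of the path (`surface/en-us/support/...` becomes `surface/support/...`); that is a different path shape, so verify that the shortened URL resolves rather than assuming it follows the same pattern. The hunk's trailing context ends on an opening code fence, so the install command the preceding sentence refers to is outside the diff and cannot be reviewed here.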
diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
index dfda75ad0f..5013bcb538 100644
--- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
+++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
@@ -16,14 +16,14 @@ author: miladCA
Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
-If you use PEAP, EAP-FAST, or Cisco LEAP in your enterprise network, you probably already know that these three wireless authentication protocols are not supported by Surface devices out of the box. Some users may discover this when they attempt to connect to your wireless network; others may discover it when they are unable to gain access to resources inside the network, like file shares and internal sites. For more information, see [Extensible Authentication Protocol](https://go.microsoft.com/fwlink/p/?LinkId=716899).
+If you use PEAP, EAP-FAST, or Cisco LEAP in your enterprise network, you probably already know that these three wireless authentication protocols are not supported by Surface devices out of the box. Some users may discover this when they attempt to connect to your wireless network; others may discover it when they are unable to gain access to resources inside the network, like file shares and internal sites. For more information, see [Extensible Authentication Protocol](https://technet.microsoft.com/network/bb643147).
You can add support for each protocol by executing a small MSI package from a USB stick or from a file share. For organizations that want to enable EAP support on their Surface devices, the MSI package format supports deployment with many management and deployment tools, like the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager.
## Download PEAP, EAP-FAST, or Cisco LEAP installation files
-You can download the MSI installation files for PEAP, EAP-FAST, or Cisco LEAP in a single zip archive file from the Microsoft Download Center. To download this file, go to the [Surface Tools for IT](https://go.microsoft.com/fwlink/p/?LinkId=618121) page on the Microsoft Download Center, click **Download**, and then select the **Cisco EAP-Supplicant Installer.zip** file.
+You can download the MSI installation files for PEAP, EAP-FAST, or Cisco LEAP in a single zip archive file from the Microsoft Download Center. To download this file, go to the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page on the Microsoft Download Center, click **Download**, and then select the **Cisco EAP-Supplicant Installer.zip** file.
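Review bot: the `+` line now links the Surface Tools for IT page directly (`details.aspx?id=46703`, the same ID used in the Surface Deployment Accelerator and SEMM files in this patch), which is consistent. The unchanged paragraph between the two edited lines says support can be added by "executing a small MSI package from a USB stick or from a file share"; since this file is about wireless authentication supplicants, consider tightening that sentence to say the MSI packages are the ones obtained from the Download Center page linked here, so the text does not read as advice to run whatever installer is on the stick.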
## Deploy PEAP, EAP-FAST, or Cisco LEAP with MDT
@@ -79,7 +79,7 @@ To specify the protocol(s) explicitly, follow these steps:
For organizations that manage Surface devices with Configuration Manager, it is even easier to deploy PEAP, EAP-FAST, or Cisco LEAP support to Surface devices. Simply import each MSI file as an application from the Software Library and configure a deployment to your Surface device collection.
-For more information on how to deploy applications with Configuration Manager see [How to Create Applications in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=761079) and [How to Deploy Applications in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=761080).
+For more information on how to deploy applications with Configuration Manager see [How to Create Applications in Configuration Manager](https://technet.microsoft.com/library/gg682159.aspx) and [How to Deploy Applications in Configuration Manager](https://technet.microsoft.com/library/gg682082.aspx).
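Review bot: both the `-` and `+` lines are missing the comma after the introductory clause; as the line is already being rewritten, change "with Configuration Manager see" to "with Configuration Manager, see".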
diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
index 08696c682d..1140eb46c7 100644
--- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md
+++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
@@ -13,17 +13,17 @@ author: jobotto
With Microsoft Surface Enterprise Management Mode (SEMM), you can securely configure the settings of Surface UEFI on a Surface device and manage those settings on Surface devices in your organization. When a Surface device is managed by SEMM, that device is considered to be *enrolled* (sometimes referred to as activated). This article shows you how to create a Surface UEFI configuration package that will not only control the settings of Surface UEFI, but will also enroll a Surface device in SEMM.
-For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
+For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode).
#### Download and install Microsoft Surface UEFI Configurator
-The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center.
+The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
Run the Microsoft Surface UEFI Configurator Windows Installer (.msi) file to start the installation of the tool. When the installer completes, find Microsoft Surface UEFI Configurator in the All Apps section of your Start menu.
>**Note**: Microsoft Surface UEFI Configurator is supported only on Windows 10.
## Create a Surface UEFI configuration package
-The Surface UEFI configuration package performs both the role of applying a new configuration of Surface UEFI settings to a Surface device managed with SEMM and the role of enrolling Surface devices in SEMM. The creation of a configuration package requires you to have a signing certificate to be used with SEMM to secure the configuration of UEFI settings on each Surface device. For more information about the requirements for the SEMM certificate, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
+The Surface UEFI configuration package performs both the role of applying a new configuration of Surface UEFI settings to a Surface device managed with SEMM and the role of enrolling Surface devices in SEMM. The creation of a configuration package requires you to have a signing certificate to be used with SEMM to secure the configuration of UEFI settings on each Surface device. For more information about the requirements for the SEMM certificate, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode).
To create a Surface UEFI configuration package, follow these steps:
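Review bot: the `en-us` removals in this hunk are the right locale-neutral form, but the two replaced technet links (the SEMM overview and the SEMM certificate requirements) are the only pointers on this page to what the signing certificate must look like before a device is enrolled in SEMM; please confirm the locale-less `technet.microsoft.com/itpro/surface/surface-enterprise-management-mode` path actually resolves rather than falling through to a search page, since a dead link at that step sends admins to unofficial sources for guidance on the firmware trust root. The Download Center link edit (`details.aspx?id=46703`) is consistent with the other Surface pages in this PR.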
@@ -58,7 +58,7 @@ To create a Surface UEFI configuration package, follow these steps:
*Figure 4. Disable or enable individual Surface components*
11. Click **Next**.
-12. To enable or disable advanced options in Surface UEFI or the display of Surface UEFI pages, on the **Choose the advanced settings for your devices** page, click the slider beside the desired setting to configure that option to **On** or **Off** (shown in Figure 5). In the **UEFI Front Page** section, you can use the sliders for **Security**, **Devices**, and **Boot** to control what pages are available to users who boot into Surface UEFI. (For more information about Surface UEFI settings, see [Manage Surface UEFI settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings).) Click **Build** when you have finished selecting options to generate and save the package.
+12. To enable or disable advanced options in Surface UEFI or the display of Surface UEFI pages, on the **Choose the advanced settings for your devices** page, click the slider beside the desired setting to configure that option to **On** or **Off** (shown in Figure 5). In the **UEFI Front Page** section, you can use the sliders for **Security**, **Devices**, and **Boot** to control what pages are available to users who boot into Surface UEFI. (For more information about Surface UEFI settings, see [Manage Surface UEFI settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).) Click **Build** when you have finished selecting options to generate and save the package.

diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 1babe7d7c6..78b995935a 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -25,7 +25,7 @@ Before you can address the concerns of how you will boot to your deployment envi
The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using System Center Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters.
-Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://go.microsoft.com/fwlink/p/?LinkId=722364) use a chipset that is compatible with the Surface firmware.
+Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware.
The following Ethernet devices are supported for network boot with Surface devices:
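Review bot: the Surface Dock link swaps a `go.microsoft.com/fwlink` redirector for a direct retail accessory page (`www.microsoft.com/surface/accessories/surface-dock`). fwlink IDs exist precisely so that documentation survives URL reshuffles on marketing pages; of the three URL families touched in this PR (technet library, Download Center, blogs), a product-store page is the one most likely to move. If the goal is to eliminate fwlinks, prefer the Surface Dock entry on the Download Center or the dock documentation as the target.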
@@ -67,7 +67,7 @@ Another consideration for administrators performing Windows deployment over the
The simplest solution to avoid MAC address conflicts is to provide a dedicated removable Ethernet adapter for each Surface device. This can make sense in many scenarios where the Ethernet adapter or the additional functionality of the docking station will be used regularly. However, not all scenarios call for the additional connectivity of a docking station or support for wired networks.
-Another potential solution to avoid conflict when adapters are shared is to use the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117) to perform deployment to Surface devices. MDT does not use the MAC address to identify individual computers and thus is not subject to this limitation. However, MDT does use Windows Deployment Services to provide PXE boot functionality, and is subject to the limitations regarding pre-staged clients which is covered later in this section.
+Another potential solution to avoid conflict when adapters are shared is to use the [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/windows/dn475741) to perform deployment to Surface devices. MDT does not use the MAC address to identify individual computers and thus is not subject to this limitation. However, MDT does use Windows Deployment Services to provide PXE boot functionality, and is subject to the limitations regarding pre-staged clients which is covered later in this section.
When you use a shared adapter for deployment, the solution for affected deployment technologies is to use another means to identify unique systems. For Configuration Manager and WDS, both of which can be affected by this issue, the solution is to use the System Universal Unique Identifier (System UUID) that is embedded in the computer firmware by the computer manufacturer. For Surface devices, you can see this entry in the computer firmware under **Device Information**.
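Review bot: the rewritten MDT line still reads `is subject to the limitations regarding pre-staged clients which is covered later in this section`; the subject is plural, so it should be `which are covered` (or `the limitation ... which is`). Since the line is already being rewritten for the `technet.microsoft.com/windows/dn475741` URL, fix the grammar in the same hunk rather than leaving it for a follow-up.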
@@ -78,9 +78,9 @@ To access the firmware of a Surface device, follow these steps:
3. Press and release the **Power** button.
4. After the device begins to boot, release the **Volume Up** button.
-When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://go.microsoft.com/fwlink/p/?LinkId=618118). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://go.microsoft.com/fwlink/p/?LinkId=618119) in **Windows Deployment Server Properties**.
+When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://technet.microsoft.com/library/cc742034). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://technet.microsoft.com/library/cc732360) in **Windows Deployment Server Properties**.
-The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://go.microsoft.com/fwlink/p/?LinkId=618120) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog.
+The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog.
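Review bot: the rewritten WDS paragraph presents `Respond to all client computers (known and unknown)` as an equal alternative to pre-staging by System UUID, but that setting makes the PXE server hand its boot image to any device that asks on the subnet, which is a real change in exposure for a deployment network. Since the line is already being edited for the `cc742034` and `cc732360` links, add a one-sentence caveat that the open-response option belongs on an isolated deployment network or should be paired with the administrator-approval option WDS offers for unknown computers, and keep System UUID pre-staging as the recommended path. The askpfeplat blog URL for the Configuration Manager case looks correct.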
diff --git a/devices/surface/images/config-mgr-semm-fig1.png b/devices/surface/images/config-mgr-semm-fig1.png
new file mode 100644
index 0000000000..7ff888c2e2
Binary files /dev/null and b/devices/surface/images/config-mgr-semm-fig1.png differ
diff --git a/devices/surface/images/config-mgr-semm-fig2.png b/devices/surface/images/config-mgr-semm-fig2.png
new file mode 100644
index 0000000000..33836c09eb
Binary files /dev/null and b/devices/surface/images/config-mgr-semm-fig2.png differ
diff --git a/devices/surface/images/config-mgr-semm-fig3.png b/devices/surface/images/config-mgr-semm-fig3.png
new file mode 100644
index 0000000000..c844b60531
Binary files /dev/null and b/devices/surface/images/config-mgr-semm-fig3.png differ
diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md
index f2d71be1b0..1335d5a808 100644
--- a/devices/surface/manage-surface-dock-firmware-updates.md
+++ b/devices/surface/manage-surface-dock-firmware-updates.md
@@ -22,7 +22,7 @@ Like the firmware for Surface devices, firmware for Surface Dock is also contain
>**Note:** You can learn more about the firmware update process for Surface devices and how firmware is updated through driver installation at the following links:
- [How to manage and update Surface drivers and firmware](https://technet.microsoft.com/mt697551) from Microsoft Mechanics
-- [Windows Update Makes Surface Better](https://go.microsoft.com/fwlink/p/?LinkId=785354) on the Microsoft Devices Blog
+- [Windows Update Makes Surface Better](https://blogs.windows.com/devices/2014/04/15/windows-update-makes-surface-better/#0MqzmYgshCDaJpvK.97) on the Microsoft Devices Blog
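Review bot: the replacement URL carries a `#0MqzmYgshCDaJpvK.97` fragment, which is a share-widget tracking token copied from the browser address bar, not part of the post's address; strip it so the link is `https://blogs.windows.com/devices/2014/04/15/windows-update-makes-surface-better/`. Tracking fragments also make the same target look like a different URL on every copy, which defeats link-checking across the repo.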
@@ -79,7 +79,7 @@ Windows Update is the method that most users will use. The drivers for the Surfa
This method is used mostly in environments where Surface device drivers and firmware are managed separately from Windows Update. See [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) for more information about the different methods to manage Surface device driver and firmware updates. Updating the Surface Dock firmware through this method involves downloading and deploying an MSI package to the Surface device that contains the updated Surface Dock drivers and firmware. This is the same method recommended for updating all other Surface drivers and firmware. The two-phase firmware update process occurs in the background each time the Surface Dock is disconnected, just like it does with the Windows Update method.
-For more information about how to deploy MSI packages see [Create and deploy an application with System Center Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=785355).
+For more information about how to deploy MSI packages see [Create and deploy an application with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/get-started/create-and-deploy-an-application).
>**Note:** When drivers are installed through Windows Update or the MSI package, registry keys are added that indicate the version of firmware installed on the Surface Dock and contained within the Surface Dock driver. These registry keys can be found in:
**HLKM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters**
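Review bot: the trailing context line `**HLKM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters**` misspells the registry hive; it should be `HKLM` (HKEY_LOCAL_MACHINE). This hunk is already rewriting the neighbouring Configuration Manager link, so fix the hive name here too: an admin who pastes the path into `reg query` or a compliance rule gets a not-found error instead of the Surface Dock firmware version the note promises.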
@@ -103,7 +103,7 @@ Firmware status is displayed for both the main chipset (displayed as **Component
The manual method using the Microsoft Surface Dock Updater tool to update the Surface Dock is used mostly in environments where IT prepares Surface Docks prior to delivery to the end user, or for troubleshooting of a Surface Dock. Microsoft Surface Dock Updater is a tool that you can run from any Surface device that is compatible with the Surface Dock, and will walk you through the process of performing the Surface Dock firmware update in the least possible amount of time. You can also use this tool to verify the firmware status of a connected Surface Dock.
-For more information about how to use the Microsoft Surface Dock Updater tool, please see [Microsoft Surface Dock Updater](surface-dock-updater.md). You can download the Microsoft Surface Dock Updater tool from the [Surface Tools for IT page](https://go.microsoft.com/fwlink/p/?LinkId=618121) on the Microsoft Download Center.
+For more information about how to use the Microsoft Surface Dock Updater tool, please see [Microsoft Surface Dock Updater](surface-dock-updater.md). You can download the Microsoft Surface Dock Updater tool from the [Surface Tools for IT page](https://www.microsoft.com/download/details.aspx?id=46703) on the Microsoft Download Center.
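Review bot: this hunk and several others in the PR (UEFI Configurator, Data Eraser, Deployment Accelerator, Diagnostic Toolkit) now all point at the single Download Center page `details.aspx?id=46703`, which is fine if that page bundles every tool, but the link text here says `Surface Tools for IT page` while the Data Eraser and Diagnostic Toolkit pages use the tool's own name as link text for the same URL. Make the link text consistent so readers know they will land on a multi-tool download page and must pick the Dock Updater installer from the list.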
diff --git a/devices/surface/manage-surface-pro-3-firmware-updates.md b/devices/surface/manage-surface-pro-3-firmware-updates.md
index 521f6e38a2..eb0fea2fee 100644
--- a/devices/surface/manage-surface-pro-3-firmware-updates.md
+++ b/devices/surface/manage-surface-pro-3-firmware-updates.md
@@ -31,26 +31,26 @@ The simplest solution to ensure that firmware on Surface devices in your organiz
Although this solution ensures that firmware will be updated as new releases are made available to Windows Update, it does present potential drawbacks. Each Surface device that receives Windows Updates directly will separately download each update rather than accessing a central location, which increases demand on Internet connectivity and bandwidth. Updates are also provided automatically to devices, without being subjected to testing or review by administrators.
-For details about Group Policy for client configuration of WSUS or Windows Update, see [Step 5: Configure Group Policy Settings for Automatic Updates](https://go.microsoft.com/fwlink/p/?LinkId=618172).
+For details about Group Policy for client configuration of WSUS or Windows Update, see [Step 5: Configure Group Policy Settings for Automatic Updates](https://technet.microsoft.com/library/dn595129).
**Windows Installer Package**
-The firmware and driver downloads for Surface devices now include Windows Installer files for firmware and driver updates. These Windows Installer packages can be deployed with utilities that support application deployment, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. This solution allows for centralized deployment and for administrators to test and review firmware updates before they are deployed. For more information about the Windows Installer package delivery method for firmware and driver updates, including details on what drivers are updated by the package and why certain drivers and firmware are not updated by the Windows Installer package, see the [Surface Pro 3 MSI Now Available](https://go.microsoft.com/fwlink/p/?LinkId=618173) blog post.
+The firmware and driver downloads for Surface devices now include Windows Installer files for firmware and driver updates. These Windows Installer packages can be deployed with utilities that support application deployment, including the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. This solution allows for centralized deployment and for administrators to test and review firmware updates before they are deployed. For more information about the Windows Installer package delivery method for firmware and driver updates, including details on what drivers are updated by the package and why certain drivers and firmware are not updated by the Windows Installer package, see the [Surface Pro 3 MSI Now Available](https://blogs.technet.microsoft.com/surface/2015/03/04/surface-pro-3-msi-now-available/) blog post.
-For instructions on how to deploy with System Center Configuration Manager, refer to [How to Deploy Applications in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618175). For deployment of applications with MDT, see [Step 4: Add an application in the Deploy a Windows 8.1 Image Using MDT 2013](https://go.microsoft.com/fwlink/p/?LinkId=618176). Note that you can deploy applications separately from an operating system deployment through MDT by using a Post OS Installation task sequence.
+For instructions on how to deploy with System Center Configuration Manager, refer to [How to Deploy Applications in Configuration Manager](https://technet.microsoft.com/library/gg682082). For deployment of applications with MDT, see [Step 4: Add an application in the Deploy a Windows 8.1 Image Using MDT 2013](https://technet.microsoft.com/library/dn744279#sec04). Note that you can deploy applications separately from an operating system deployment through MDT by using a Post OS Installation task sequence.
**Provisioning packages**
-New in Windows 10, provisioning packages (PPKG files) provide a simple method to apply a configuration to a destination device. You can find out more about provisioning packages, including instructions for how to create your own, in [Provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=761075). For easy application of a complete set of drivers and firmware to devices running Windows 10, a provisioning package is supplied for Surface Pro 3 devices. This file contains all of the instructions and required assets to update a Surface Pro 3 device with Windows 10 to the latest drivers and firmware.
+New in Windows 10, provisioning packages (PPKG files) provide a simple method to apply a configuration to a destination device. You can find out more about provisioning packages, including instructions for how to create your own, in [Provisioning packages](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages). For easy application of a complete set of drivers and firmware to devices running Windows 10, a provisioning package is supplied for Surface Pro 3 devices. This file contains all of the instructions and required assets to update a Surface Pro 3 device with Windows 10 to the latest drivers and firmware.
**Windows PowerShell**
-Another method you can use to update the firmware when Windows Updates are managed in the organization is to install the firmware from the firmware and driver pack by using PowerShell. This method allows for a similar deployment experience to the Windows Installer package and can similarly be deployed as a package by using System Center Configuration Manager. You can find the PowerShell script and details on how to perform the firmware deployment in the [Deploying Drivers and Firmware to Surface Pro](https://go.microsoft.com/fwlink/p/?LinkId=618177) blog post.
+Another method you can use to update the firmware when Windows Updates are managed in the organization is to install the firmware from the firmware and driver pack by using PowerShell. This method allows for a similar deployment experience to the Windows Installer package and can similarly be deployed as a package by using System Center Configuration Manager. You can find the PowerShell script and details on how to perform the firmware deployment in the [Deploying Drivers and Firmware to Surface Pro](https://blogs.technet.microsoft.com/deploymentguys/2013/05/16/deploying-drivers-and-firmware-to-surface-pro/) blog post.
## Operating system deployment considerations
-The deployment of firmware updates during an operating system deployment is a straightforward process. The firmware and driver pack can be imported into either System Center Configuration Manager or MDT, and are used to deploy a fully updated environment, complete with firmware, to a target Surface device. For a complete step-by-step guide for deployment to Surface Pro 3 using either Configuration Manager or MDT, download the [Deployment and Administration Guide for Surface Pro 3](https://go.microsoft.com/fwlink/p/?LinkId=618178) from the Microsoft Download Center.
+The deployment of firmware updates during an operating system deployment is a straightforward process. The firmware and driver pack can be imported into either System Center Configuration Manager or MDT, and are used to deploy a fully updated environment, complete with firmware, to a target Surface device. For a complete step-by-step guide for deployment to Surface Pro 3 using either Configuration Manager or MDT, download the [Deployment and Administration Guide for Surface Pro 3](https://www.microsoft.com/download/details.aspx?id=45292) from the Microsoft Download Center.
The individual driver files are also made available in the Microsoft Download Center if you are using deployment tools. The driver files are available in the ZIP archive file in the list of available downloads for your device.
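Review bot: three of the rewritten links in this hunk now point at dated blog posts or fragile anchors rather than product documentation: the Windows Installer explanation (`blogs.technet.microsoft.com/surface/2015/03/04/...`), the PowerShell firmware deployment script (`blogs.technet.microsoft.com/deploymentguys/2013/05/16/...`) and the MDT step with a `#sec04` in-page fragment (`technet.microsoft.com/library/dn744279#sec04`). Replacing redirectors with hard-coded blog URLs freezes the target, so at minimum mark the 2013 PowerShell post as written for the Surface Pro generation of that date, since the surrounding text now recommends that script as the way to install firmware on devices where Windows Update is managed centrally; and note that the `#sec04` anchor will silently stop pointing at the application step if the library page is re-sectioned.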
@@ -60,7 +60,7 @@ A best practice for deployment with any solution that uses the Windows Preinstal
**Update Surface Pro 3 firmware offline through USB**
-In some early versions of Surface Pro 3 firmware, PXE boot performance can be quite slow. This has been resolved with updated firmware, but for organizations where firmware will be updated through operating system deployment, this issue is encountered before the updates can be deployed to the device. In this scenario, you can deploy updated firmware through a USB drive to ensure that when the operating system deployment is initiated, the network boot is quick, and deployment can complete in a timely fashion. To create a USB drive to update Surface Pro 3 firmware, see [How to Update the Surface Pro 3 Firmware Offline using a USB Drive](https://go.microsoft.com/fwlink/p/?LinkId=618189) on the Ask Premier Field Engineering (PFE) Platforms TechNet Blog.
+In some early versions of Surface Pro 3 firmware, PXE boot performance can be quite slow. This has been resolved with updated firmware, but for organizations where firmware will be updated through operating system deployment, this issue is encountered before the updates can be deployed to the device. In this scenario, you can deploy updated firmware through a USB drive to ensure that when the operating system deployment is initiated, the network boot is quick, and deployment can complete in a timely fashion. To create a USB drive to update Surface Pro 3 firmware, see [How to Update the Surface Pro 3 Firmware Offline using a USB Drive](https://blogs.technet.microsoft.com/askpfeplat/2014/10/19/how-to-update-the-surface-pro-3-firmware-offline-using-a-usb-drive/) on the Ask Premier Field Engineering (PFE) Platforms TechNet Blog.
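Review bot: the USB firmware update procedure is now linked as a 2014 askpfeplat blog post, while the same sentence says the slow-PXE problem `has been resolved with updated firmware`; state which firmware version resolved it (or link the firmware release notes) so readers can decide whether the offline USB path still applies to their devices instead of following the dated workaround by default.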
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index d885af5dd9..b1f6626197 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -16,7 +16,7 @@ author: miladCA
Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
-[Microsoft Surface Data Eraser](https://go.microsoft.com/fwlink/p/?LinkId=691148) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB tool is easy to create by using the provided wizard, the Microsoft Surface Data Eraser Wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](https://go.microsoft.com/fwlink/p/?LinkId=691222).
+[Microsoft Surface Data Eraser](https://www.microsoft.com/download/details.aspx?id=46703) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB tool is easy to create by using the provided wizard, the Microsoft Surface Data Eraser Wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](https://www.microsoft.com/surface/support/security-sign-in-and-accounts/data-wiping-policy).
Compatible Surface devices include:
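Review bot: the link text `Microsoft Surface Data Eraser` now resolves to the generic Surface Tools for IT download page (`details.aspx?id=46703`), the same URL this PR uses for the UEFI Configurator, Deployment Accelerator and Diagnostic Toolkit; rename the link text or add `(Surface Tools for IT)` so a reader looking for the wiping tool is not surprised by a multi-tool download list. The data-wiping-policy link swap to `www.microsoft.com/surface/support/security-sign-in-and-accounts/data-wiping-policy` reads correctly.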
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index 9c4d792a9d..4358e9b005 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -20,13 +20,13 @@ SDA includes a wizard that automates the creation and configuration of a Microso
SDA is built on the powerful suite of deployment tools available from Microsoft including the Windows Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). The resulting deployment share encompasses the recommended best practices for managing drivers during deployment and automating image creation and can serve as a starting point upon which you build your own customized deployment solution.
-You can find more information about how to deploy to Surface devices, including step-by-step walkthroughs of customized deployment solution implementation, on the Deploy page of the [Surface TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=691693).
+You can find more information about how to deploy to Surface devices, including step-by-step walkthroughs of customized deployment solution implementation, on the Deploy page of the [Surface TechCenter](https://technet.microsoft.com/windows/dn913725).
**Download Microsoft Surface Deployment Accelerator**
You can download the installation files for SDA from the Microsoft Download Center. To download the installation files:
-1. Go to the [Surface Tools for IT](https://go.microsoft.com/fwlink/p/?LinkId=618121) page on the Microsoft Download Center.
+1. Go to the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page on the Microsoft Download Center.
2. Click the **Download** button, select the **Surface\_Deployment\_Accelerator\_xxxx.msi** file, and then click **Next**.
@@ -60,7 +60,7 @@ As you progress through the SDA wizard, you will be asked some basic questions a
When the SDA completes, you can use the deployment share to deploy over the network immediately. Simply boot your Surface device from the network using a Surface Ethernet Adapter and select the Surface deployment share you created with the SDA wizard. Select the **1- Deploy Microsoft Surface** task sequence and the wizard will walk you through an automated deployment of Windows to your Surface device.
-You can modify the task sequence in the MDT Deployment Workbench to [include your own apps](https://go.microsoft.com/fwlink/p/?linkid=691700), or to [pause the automated installation routine](https://go.microsoft.com/fwlink/p/?linkid=691701). While the installation is paused, you can make changes to customize your reference image. After the image is captured, you can configure a deployment task sequence and distribute this custom configuration by using the same network boot capabilities as before.
+You can modify the task sequence in the MDT Deployment Workbench to [include your own apps](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt#sec04), or to [pause the automated installation routine](https://blogs.technet.microsoft.com/mniehaus/2009/06/26/mdt-2010-new-feature-3-suspend-and-resume-a-lite-touch-task-sequence/). While the installation is paused, you can make changes to customize your reference image. After the image is captured, you can configure a deployment task sequence and distribute this custom configuration by using the same network boot capabilities as before.
>**Note:** With SDA v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface Pro 3 is supported for Windows 8.1 deployment.
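Review bot: the two rewritten links in this hunk are inconsistent in vintage: `include your own apps` now points at the Windows 10 MDT guide (`deploy-a-windows-10-image-using-mdt#sec04`), while `pause the automated installation routine` points at a 2009 blog post about MDT 2010 (`mniehaus/2009/06/26/...`). If the suspend-and-resume step is unchanged in the MDT builds that deploy Windows 10, say so in the sentence; otherwise link the equivalent section of the Windows 10 guide, so readers of a Windows 10 deployment article are not sent to instructions for a tool version they do not have. The `#sec04` fragment here has the same breakage risk as the one in the Surface Pro 3 firmware page of this PR.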
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 2024ee1ca9..914ae3a4d1 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -21,7 +21,7 @@ This article shows you how to install Microsoft Surface Deployment Accelerator (
For information about prerequisites and instructions for how to download and install SDA, see [Microsoft Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md).
-1. Download SDA, which is included in [Surface Tools for IT](https://go.microsoft.com/fwlink/p/?LinkId=618121) on the Microsoft Download Center.
+1. Download SDA, which is included in [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) on the Microsoft Download Center.
2. Run the SDA installation file, named **Surface\_Deployment\_Accelerator\_*xxxx*.msi**, where *xxxx* is the current version number.
@@ -77,7 +77,7 @@ The following steps show you how to create a deployment share for Windows 10 th
- **Windows 10 Deployment Services**
- - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://go.microsoft.com/fwlink/p/?LinkId=761072) for more information about how to configure Windows Deployment Services for PXE boot.
+ - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot.
- **Windows 10 Source Files**
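Review bot: the WDS getting-started link keeps its `.aspx` suffix (`technet.microsoft.com/library/jj648426.aspx`) while every other technet library link rewritten in this PR drops it (`cc742034`, `cc732360`, `dn595129`, `gg682082`); pick one form. The same bullet tells readers WDS `must be installed and configured to respond to PXE boot requests` without saying to which clients; point back to the known-clients and System UUID guidance in the Ethernet adapters article so the PXE server is not left answering every device on the network.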
diff --git a/devices/surface/surface-diagnostic-toolkit.md b/devices/surface/surface-diagnostic-toolkit.md
index fcf3eb8f6b..ee50c340e7 100644
--- a/devices/surface/surface-diagnostic-toolkit.md
+++ b/devices/surface/surface-diagnostic-toolkit.md
@@ -16,7 +16,7 @@ author: miladCA
Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.
-The [Microsoft Surface Diagnostic Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=618121) is a small, portable diagnostic tool that runs through a suite of tests to diagnose the hardware of Surface devices. The Microsoft Surface Diagnostic Toolkit executable file is less than 3 MB, which allows it to be distributed through email. It does not require installation, so it can be run directly from a USB stick or over the network. The Microsoft Surface Diagnostic Toolkit walks you through several tests of individual components including the touchscreen, cameras, and sensors.
+The [Microsoft Surface Diagnostic Toolkit](https://www.microsoft.com/download/details.aspx?id=46703) is a small, portable diagnostic tool that runs through a suite of tests to diagnose the hardware of Surface devices. The Microsoft Surface Diagnostic Toolkit executable file is less than 3 MB, which allows it to be distributed through email. It does not require installation, so it can be run directly from a USB stick or over the network. The Microsoft Surface Diagnostic Toolkit walks you through several tests of individual components including the touchscreen, cameras, and sensors.
>**Note:** A Surface device must boot into Windows to run the Microsoft Surface Diagnostic Toolkit. The Microsoft Surface Diagnostic Toolkit will run only on the following Surface devices:
@@ -123,7 +123,7 @@ This test checks for any outstanding Windows updates and will prompt you to inst
#### Device information
-This test reads the Device ID and serial number in addition to basic system information such as device model, operating system version, processor, memory, and storage. The Device ID is recorded in the name of the log file and can be used to identify a log file for a specific device. Several system log files are also collected, including update and rollback logs, and output from several Windows built-in tools, such as [DirectX Diagnostics](https://go.microsoft.com/fwlink/p/?LinkId=746476) and [System Information](https://go.microsoft.com/fwlink/p/?LinkId=746477), power configuration, disk health, and event logs. See the following list for a full set of collected log files:
+This test reads the Device ID and serial number in addition to basic system information such as device model, operating system version, processor, memory, and storage. The Device ID is recorded in the name of the log file and can be used to identify a log file for a specific device. Several system log files are also collected, including update and rollback logs, and output from several Windows built-in tools, such as [DirectX Diagnostics](https://support.microsoft.com/en-us/products/windows?os=windows-10) and [System Information](https://technet.microsoft.com/library/cc731397), power configuration, disk health, and event logs. See the following list for a full set of collected log files:
- Output of **Get-WindowsUpdateLog** if the operating system is Windows 10
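Review bot: the replacement target for the DirectX Diagnostics link (`https://support.microsoft.com/en-us/products/windows?os=windows-10`) is a generic Windows support landing page, not a page that documents DirectX Diagnostics, so the reader no longer gets the tool reference the sentence promises; point it at a page that actually describes the tool. That URL also keeps the `/en-us` locale segment that the rest of this patch strips from the technet.microsoft.com and microsoft.com links, so it should drop it for consistency with the other changes in this file.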
@@ -350,11 +350,11 @@ The Windows System Assessment Tool (WinSAT) runs a series of benchmarks against
#### Performance Monitor test
-Performance and diagnostic trace logs are recorded from Performance Monitor for 30 seconds and collected in the .zip file output of the Microsoft Surface Diagnostic Toolkit by this test. You can analyze these trace logs with the [Windows Performance Analyzer](https://go.microsoft.com/fwlink/p/?LinkId=746486) to identify causes of application crashes, performance issues, or other undesirable behavior in Windows.
+Performance and diagnostic trace logs are recorded from Performance Monitor for 30 seconds and collected in the .zip file output of the Microsoft Surface Diagnostic Toolkit by this test. You can analyze these trace logs with the [Windows Performance Analyzer](https://msdn.microsoft.com/windows/hardware/commercialize/test/wpt/windows-performance-analyzer) to identify causes of application crashes, performance issues, or other undesirable behavior in Windows.
#### Crash dump collection
-If your Surface device has encountered an error that caused the device to fail or produce a blue screen error, this stage of the Microsoft Surface Diagnostic Toolkit records the information from the automatically recorded crash dump files in the diagnostic log. You can use these crash dump files to identify a faulty driver, hardware component, or application through analysis. Use the [Windows Debugging Tool](https://go.microsoft.com/fwlink/p/?LinkId=746488) to analyze these files. If you are not familiar with the analysis of crash dump files, you can describe your issue and post a link to your crash dump files (uploaded to OneDrive or another file sharing service) in the [Windows TechNet Forums](https://go.microsoft.com/fwlink/p/?LinkId=746489).
+If your Surface device has encountered an error that caused the device to fail or produce a blue screen error, this stage of the Microsoft Surface Diagnostic Toolkit records the information from the automatically recorded crash dump files in the diagnostic log. You can use these crash dump files to identify a faulty driver, hardware component, or application through analysis. Use the [Windows Debugging Tool](https://msdn.microsoft.com/library/windows/hardware/ff539316) to analyze these files. If you are not familiar with the analysis of crash dump files, you can describe your issue and post a link to your crash dump files (uploaded to OneDrive or another file sharing service) in the [Windows TechNet Forums](https://social.technet.microsoft.com/Forums/home?category=w8itpro).
#### Connected standby text
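Review bot: the new Windows TechNet Forums URL ends in `category=w8itpro`, which selects the Windows 8 IT Pro forum category, while this article covers crash dumps from Windows 10 Surface devices; confirm this is the intended category or link the Windows 10 IT Pro forums instead. Separately, the unchanged context heading `#### Connected standby text` reads like a typo for `#### Connected standby test`, matching the `#### Performance Monitor test` heading earlier in this hunk; worth correcting while this file is being touched.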
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
index 91d4411699..ff07fba283 100644
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@@ -16,7 +16,7 @@ author: jobotto
This article provides a detailed walkthrough of Microsoft Surface Dock Updater.
-The [Microsoft Surface Dock Updater](https://go.microsoft.com/fwlink/p/?LinkId=618121) tool allows you to check the firmware status of a Surface Dock and to manually update the firmware of Surface Dock devices. It is most often used to update Surface Docks prior to deployment of those Surface Docks to end users or as a troubleshooting tool. Microsoft Surface Dock Updater walks you through the process of updating the firmware on one or more Surface Docks, including the required connect and disconnect steps to perform the complete firmware installation.
+The [Microsoft Surface Dock Updater](https://www.microsoft.com/download/details.aspx?id=46703) tool allows you to check the firmware status of a Surface Dock and to manually update the firmware of Surface Dock devices. It is most often used to update Surface Docks prior to deployment of those Surface Docks to end users or as a troubleshooting tool. Microsoft Surface Dock Updater walks you through the process of updating the firmware on one or more Surface Docks, including the required connect and disconnect steps to perform the complete firmware installation.
When you run the Microsoft Surface Dock Updater installer you will be prompted to accept an End User License Agreement (EULA).
@@ -25,7 +25,7 @@ When you run the Microsoft Surface Dock Updater installer you will be prompted t
## Update a Surface Dock with Microsoft Surface Dock Updater
-After you install the [Microsoft Surface Dock Updater](https://go.microsoft.com/fwlink/p/?LinkId=618121) tool, you can find Microsoft Surface Dock Updater under **All Apps** in your Start menu. Click **Microsoft Surface Dock Updater** to start the application.
+After you install the [Microsoft Surface Dock Updater](https://www.microsoft.com/download/details.aspx?id=46703) tool, you can find Microsoft Surface Dock Updater under **All Apps** in your Start menu. Click **Microsoft Surface Dock Updater** to start the application.
To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps:
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index 3361d3002c..6632c20987 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -101,7 +101,7 @@ These characters are the last two characters of the certificate thumbprint and s
*Figure 6. Enrollment confirmation in SEMM with the SEMM certificate thumbprint*
-To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM.
+To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM.
### Reset package
diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md
index 5e31091376..0c8868a35f 100644
--- a/devices/surface/unenroll-surface-devices-from-semm.md
+++ b/devices/surface/unenroll-surface-devices-from-semm.md
@@ -15,7 +15,7 @@ When a Surface device is enrolled in Surface Enterprise Management Mode (SEMM),
>**Warning:** To unenroll a device from SEMM and restore user control of Surface UEFI settings, you must have the SEMM certificate that was used to enroll the device in SEMM. If this certificate becomes lost or corrupted, it is not possible to unenroll from SEMM. Back up and protect your SEMM certificate accordingly.
-For more information about SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
+For more information about SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode).
## Unenroll a Surface device from SEMM with a Surface UEFI reset package
diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
index d44af98e0d..77a3fe6998 100644
--- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
@@ -36,8 +36,8 @@ Introduced with Windows 10 and MDT 2013 Update 1, you can use the upgrade instal
Performing an upgrade deployment of Windows 10 requires the same tools and resources that are required for a traditional reimaging deployment. You can read about the tools required, including detailed explanations and installation instructions, in [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md). To proceed with the upgrade deployment described in this article, you will need the following tools installed and configured:
-* [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/en-us/windows/dn475741)
-* [Windows Assessment and Deployment Kit (Windows ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#windowsadk), which includes:
+* [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/windows/dn475741)
+* [Windows Assessment and Deployment Kit (Windows ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#windowsadk), which includes:
* Deployment Image Servicing and Management (DISM)
* Windows Preinstallation Environment (Windows PE)
* Windows System Image Manager (Windows SIM)
@@ -45,8 +45,8 @@ Performing an upgrade deployment of Windows 10 requires the same tools and resou
You will also need to have available the following resources:
* Windows 10 installation files, such as the installation media downloaded from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx)
- >**Note:** Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT.
-* [Surface firmware and drivers](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10
+ >**Note:** Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT.
+* [Surface firmware and drivers](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10
* Application installation files for any applications you want to install, such as the Surface app
## Prepare the upgrade deployment
@@ -60,7 +60,7 @@ Windows 10 installation files only need to be imported if you have not already d
### Import Surface drivers
In the import process example shown in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, drivers for Surface Pro 4 were imported for Windows 10. To perform an upgrade deployment of Windows 10 to Surface Pro 3, drivers for Surface Pro 3 must also be imported. To import the Surface drivers for Surface Pro 3, follow these steps:
-1. Download the Surface Pro 3 firmware and driver pack for Windows 10 archive file (.zip), SurfacePro3_Win10_xxxxxx.zip, from the [Surface Pro 3 download page](https://www.microsoft.com/en-US/download/details.aspx?id=38826) in the Microsoft Download Center.
+1. Download the Surface Pro 3 firmware and driver pack for Windows 10 archive file (.zip), SurfacePro3_Win10_xxxxxx.zip, from the [Surface Pro 3 download page](https://www.microsoft.com/download/details.aspx?id=38826) in the Microsoft Download Center.
2. Extract the contents of the Surface Pro 3 firmware and driver pack archive file to a temporary folder. Keep the driver files separate from other drivers or files.
3. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
4. If you have not already created a folder structure by operating system version, you should do so next. Under the **Windows 10 x64** folder, create a new folder for Surface Pro 3 drivers named **Surface Pro 3**. Your Out-of-Box Drivers folder should resemble the following structure:
@@ -91,7 +91,7 @@ In the import process example shown in the [Deploy Windows 10 to Surface devices
Installation of applications in an upgrade deployment is not always necessary because the applications from the previous environment will remain on the device. (For example, in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, the deployment includes Office 365 which is not required in an upgrade deployment where the user is already using Office 365 on the device.)
-There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/en-us/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence.
+There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence.
### Create the upgrade task sequence
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
new file mode 100644
index 0000000000..f44e7cf414
--- /dev/null
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -0,0 +1,415 @@
+---
+title: Use System Center Configuration Manager to manage devices with SEMM (Surface)
+description: Find out how to use Microsoft Surface UEFI Manager to perform SEMM management with System Center Configuration Manager.
+keywords: enroll, update, scripts, settings
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: KiranDavane
+---
+
+# Use System Center Configuration Manager to manage devices with SEMM
+
+The Surface Enterprise Management Mode (SEMM) feature of Surface UEFI devices allows administrators to both manage and secure the configuration of Surface UEFI settings. For most organizations, this process is accomplished by creating Windows Installer (.msi) packages with the Microsoft Surface UEFI Configurator tool. These packages are then run or deployed to the client Surface devices to enroll the devices in SEMM and to update the Surface UEFI settings configuration.
+
+For organizations with System Center Configuration Manager, there is an alternative to using the Microsoft Surface UEFI Configurator .msi process to deploy and administer SEMM. Microsoft Surface UEFI Manager is a lightweight installer that makes required assemblies for SEMM management available on a device. By installing these assemblies with Microsoft Surface UEFI Manager on a managed client, SEMM can be administered by Configuration Manager with PowerShell scripts, deployed as applications. With this process, SEMM management is performed within Configuration Manager, which eliminates the need for the external Microsoft Surface UEFI Configurator tool.
+
+>[!Note]
+>Although the process described in this article may work with earlier versions of System Center Configuration Manager or with other third-party management solutions, management of SEMM with Microsoft Surface UEFI Manager and PowerShell is supported only with the Current Branch of System Center Configuration Manager.
+
+#### Prerequisites
+
+Before you begin the process outlined in this article, it is expected that you are familiar with the following technologies and tools:
+
+* [Surface UEFI](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings)
+* [Surface Enterprise Management Mode (SEMM)](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode)
+* [PowerShell scripting](https://technet.microsoft.com/scriptcenter/dd742419)
+* [System Center Configuration Manager application deployment](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications)
+* Certificate management
+
+>[!Note]
+>You will also need access to the certificate that you intend to use to secure SEMM. For details about the requirements for this certificate, see [Surface Enterprise Management Mode certificate requirements](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode#surface-enterprise-management-mode-certificate-requirements).
+
+>It is very important that this certificate be kept in a safe location and properly backed up. If this certificate becomes lost or unusable, it is not possible to reset Surface UEFI, change managed Surface UEFI settings, or remove SEMM from an enrolled Surface device.
+
+#### Download Microsoft Surface UEFI Manager
+
+Management of SEMM with Configuration Manager requires the installation of Microsoft Surface UEFI Manager on each client Surface device. You can download Microsoft Surface UEFI Manager (SurfaceUEFIManager.msi) from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page on the Microsoft Download Center.
+
+#### Download SEMM scripts for Configuration Manager
+
+After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) from the TechNet Gallery Script Center.
+
+## Deploy Microsoft Surface UEFI Manager
+
+Deployment of Microsoft Surface UEFI Manager is a typical application deployment. The Microsoft Surface UEFI Manager installer file is a standard Windows Installer file that you can install with the [standard quiet option](https://msdn.microsoft.com/library/windows/desktop/aa367988).
+
+The command to install Microsoft Surface UEFI Manager is:
+
+`msiexec /i “SurfaceUEFIManagerSetup.msi” /q`
+
+The command to uninstall Microsoft Surface UEFI Manager is:
+
+`msiexec /x {541DA890-1AEB-446D-B3FD-D5B3BB18F9AF} /q`
+
+To create a new application and deploy it to a collection that contains your Surface devices, perform the following steps:
+
+1. Open Configuration Manager Console from the Start screen or Start menu.
+2. Click **Software Library** in the bottom left corner of the window.
+3. Expand the Application Management node of the Software Library, and then click **Applications**.
+4. Click the **Create Application** button under the **Home** tab at the top of the window. This starts the Create Application Wizard.
+5. The Create Application Wizard presents a series of steps:
+
+ * **General** – The **Automatically detect information about this application from installation files** option is selected by default. In the **Type** field, **Windows Installer (*.msi file)** is also selected by default. Click **Browse** to navigate to and select **SurfaceUEFIManagerSetup.msi**, and then click **Next**.
+
+ >[!Note]
+ >The location of SurfaceUEFIManagerSetup.msi must be on a network share and located in a folder that contains no other files. A local file location cannot be used.
+
+ * **Import Information** – The Create Application Wizard will parse the .msi file and read the **Application Name** and **Product Code**. SurfaceUEFIManagerSetup.msi should be listed as the only file under the line **Content Files**, as shown in Figure 1. Click **Next** to proceed.
+
+
+ 
+
+ *Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed*
+
+ * **General Information** – You can modify the name of the application and information about the publisher and version, or add comments on this page. The installation command for Microsoft Surface UEFI Manager is displayed in the Installation Program field. The default installation behavior of Install for system will allow Microsoft Surface UEFI Manager to install the required assemblies for SEMM even if a user is not logged on to the Surface device. Click Next to proceed.
+ * **Summary** – The information that was parsed in the **Import Information** step and your selections from the **General Information** step is displayed on this page. Click **Next** to confirm your selections and create the application.
+ * **Progress** – Displays a progress bar and status as the application is imported and added to the Software Library.
+ * **Completion** – Confirmation of the successful application creation is displayed when the application creation process is complete. Click **Close** to finish the Create Application Wizard.
+
+After the application is created in Configuration Manager, you can distribute it to your distribution points and deploy it to the collections including your Surface devices. This application will not install or enable SEMM on the Surface device – it only provides the assemblies required for SEMM to be enabled via PowerShell script.
+
+If you do not want to install the Microsoft Surface UEFI Manager assemblies on devices that will not be managed with SEMM, you can configure Microsoft Surface UEFI Manager as a dependency of the SEMM Configuration Manager scripts. This scenario is covered in the [Deploy SEMM Configuration Manager Scripts](#deploy-semm-configuration-manager-scripts) section later in this article.
+
+## Create or modify the SEMM Configuration Manager scripts
+
+After the required assemblies have been installed on the devices, the process of enrolling the devices in SEMM and configuring Surface UEFI is done with PowerShell scripts and deployed as a script application with Configuration Manager. These scripts can be modified to fit the needs of your organization and environment. For example, you can create multiple configurations for managed Surface devices in different departments or roles. You can download samples of the scripts for SEMM and Configuration Manager at the link in the [Prerequisites](#prerequisites) section at the beginning of this article.
+
+There are two primary scripts you will need to perform a SEMM deployment with Configuration Manager:
+
+* **ConfigureSEMM.ps1** – Use this script to create configuration packages for your Surface devices with your desired Surface UEFI settings, to apply the specified settings to a Surface device, to enroll the device in SEMM, and to set a registry key used to identify the enrollment of the device in SEMM.
+* **ResetSEMM.ps1** – Use this script to reset SEMM on a Surface device, which unenrolls it from SEMM and removes the control over Surface UEFI settings.
+
+The sample scripts include examples of how to set Surface UEFI settings and how to control permissions to those settings. These settings can be modified to secure Surface UEFI and set Surface UEFI settings according to the needs of your environment. The following sections of this article explain the ConfigureSEMM.ps1 script and explore the modifications you need to make to the script to fit your requirements.
+
+>[!NOTE]
+>The SEMM Configuration Manager scripts and the exported SEMM certificate file (.pfx) should be placed in the same folder with no other files before they are added to Configuration Manager.
+
+### Specify certificate and package names
+
+The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates the names for the SEMM configuration package and SEMM reset package. The certificate and package names are specified on lines 56 through 67 in the ConfigureSEMM.ps1 script:
+
+ ```
+ 56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition
+ 57 $packageRoot = "$WorkingDirPath\Config"
+ 58
+ 59 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot }
+ 60 Copy-Item "$WorkingDirPath\FabrikamOwnerSigner.pfx" $packageRoot
+ 61
+ 62 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath "FabrikamOwnerSigner.pfx"
+ 63 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamSignerProvisioningPackage.pkg"
+ 64 $resetPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamUniversalResetPackage.pkg"
+ 65
+ 66 # If your PFX file requires a password then it can be set here, otherwise use a blank string.
+ 67 $password = "1234"
+ ```
+
+Replace the **FabrikamOwnerSigner.pfx** value for the **$privateOwnerKey** variable with the name of your SEMM Certificate file on both lines 60 and 62. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory.
+
+Replace the **FabrikamSignerProvisioningPackage.pkg** and **FabrikamUniversalResetPackage.pkg** values on lines 63 and 64 to define the **$ownerPackageName** and **$resetPackageName** variables with your desired names for the SEMM configuration and reset packages. These packages will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script.
+
+On line 67, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text.
+
+>[!Note]
+>The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 144-149, to accomplish this:
+
+```
+144 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
+145 # For convenience we get the thumbprint here and present to the user.
+146 $pw = ConvertTo-SecureString $password -AsPlainText -Force
+147 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+148 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
+149 Write-Host "Thumbprint =" $certPrint.Thumbprint
+```
+
+Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process:
+
+1. Right-click the .pfx file, and then click **Open**.
+2. Expand the folder in the navigation pane.
+3. Click **Certificates**.
+4. Right-click your certificate in the main pane, and then click **Open**.
+5. Click the **Details** tab.
+6. **All** or **Properties Only** must be selected in the **Show** drop-down menu.
+7. Select the field **Thumbprint**.
+
+>[!NOTE]
+>The SEMM certificate name and password must also be entered in this section of the ResetSEMM.ps1 script to enable Configuration Manager to remove SEMM from the device with the uninstall action.
+
+### Configure permissions
+
+The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 202 in the sample script with the comment **# Configure Permissions** and continues to line 238. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras:
+
+```
+202 # Configure Permissions
+203 foreach ($uefiV2 IN $surfaceDevices.Values) {
+204 # Here we define which "identities" will be allowed to modify which settings
+205 # PermissionSignerOwner = The primary SEMM enterprise owner identity
+206 # PermissionLocal = The user when booting to the UEFI pre-boot GUI
+207 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 =
+208 # Additional user identities created so that the signer owner
+209 # can delegate permission control for some settings.
+210 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner
+211 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal)
+212
+213 # Make all permissions owner only by default
+214 foreach ($setting IN $uefiV2.Settings.Values) {
+215 $setting.ConfiguredPermissionFlags = $ownerOnly
+216 }
+217 # Allow the local user to change their own password
+218 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser
+219
+220 # Allow the local user to change the state of the TPM
+221 $uefiV2.Settings["Trusted Platform Module (TPM)"].ConfiguredPermissionFlags = $ownerAndLocalUser
+222
+223 # Allow the local user to change the state of the Front and Rear cameras
+224 $uefiV2.SettingsById[302].ConfiguredPermissionFlags = $ownerAndLocalUser
+225 $uefiV2.SettingsById[304].ConfiguredPermissionFlags = $ownerAndLocalUser
+226
+227
+228 # Create a unique package name based on family and LSV.
+229 # We will choose a name that can be parsed by later scripts.
+230 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg"
+231 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
+232
+233 # Build and sign the Permission package then save it to a file.
+234 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv)
+235 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
+236 $permissionPackageStream.CopyTo($permissionPackage)
+237 $permissionPackage.Close()
+238 }
+```
+
+Each **$uefiV2** variable identifies a Surface UEFI setting by setting name or ID, and then configures the permissions to one of the following values:
+
+* **$ownerOnly** – Permission to modify this setting is granted only to SEMM.
+* **$ownerAndLocalUser** – Permission to modify this setting is granted to a local user booting to Surface UEFI, as well as to SEMM.
+
+You can find information about the available settings names and IDs for Surface UEFI in the [Settings Names and IDs](#settings-names-and-ids) section of this article.
+
+### Configure settings
+
+The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 282 through line 312 in the sample script. The region appears as follows:
+
+```
+282 # Configure Settings
+283 foreach ($uefiV2 IN $surfaceDevices.Values) {
+284 # In this demo, we will start by setting every setting to the default factory setting.
+285 # You may want to start by doing this in your scripts
+286 # so that every setting gets set to a known state.
+287 foreach ($setting IN $uefiV2.Settings.Values) {
+288 $setting.ConfiguredValue = $setting.DefaultValue
+289 }
+290
+291 # If you want to set something to a different value from the default,
+292 # here are examples of how to accomplish this.
+293 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = "Disabled"
+294
+295 # If you want to leave the setting unmodified, set it to $null
+296 # PowerShell has issues setting things to $null so ClearConfiguredValue()
+297 # is supplied to do this explicitly.
+298 # Here is an example of leaving the UEFI administrator password as-is,
+299 # even after we initially set it to factory default above.
+300 $uefiV2.SettingsById[501].ClearConfiguredValue()
+301
+302 # Create a unique package name based on family and LSV.
+303 # We will choose a name that can be parsed by later scripts.
+304 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg"
+305 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName
+306
+307 # Build and sign the Settings package then save it to a file.
+308 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv)
+309 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
+310 $settingsPackageStream.CopyTo($settingsPackage)
+311 $settingsPackage.Close()
+312 }
+```
+
+Like the permissions set in the **Configure Permissions** section of the script, the configuration of each Surface UEFI setting is performed by defining the **$uefiV2** variable. For each line defining the **$uefiV2** variable, a Surface UEFI setting is identified by setting name or ID and the configured value is set to **Enabled** or **Disabled**.
+
+If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 300 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**.
+
+You can find information about the available settings names and IDs for Surface UEFI in the [Settings Names and IDs](#settings-names-and-ids) section later in this article.
+
+### Settings registry key
+
+To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes a registry key that can be used to identify enrolled systems as having been installed with the SEMM configuration script. This key can be found at the following location:
+
+`HKLM\SOFTWARE\Microsoft\Surface\SEMM\Enabled_Version1000`
+
+The following code fragment, found on lines 352-363, is used to write this registry key:
+
+```
+352 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM"
+353 New-RegKey $SurfaceRegKey
+354 $SurfaceRegValue = Get-ItemProperty $SurfaceRegKey Enabled_Version1000 -ErrorAction SilentlyContinue
+355
+356 If ($SurfaceRegValue -eq $null)
+357 {
+358 New-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -PropertyType String -Value 1 | Out-Null
+359 }
+360 Else
+361 {
+362 Set-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -Value 1
+363 }
+```
+
+### Settings names and IDs
+
+To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from [SEMM management scripts for Configuration Manager](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) in the TechNet Gallery Script Center.
+
+The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device.
+
+The following tables show the available settings for Surface Pro 4 and Surface Book:
+
+*Table 1. Surface UEFI settings for Surface Pro 4*
+
+| Setting ID | Setting Name | Description | Default Setting |
+| --- | --- | --- | --- |
+|501| Password | UEFI System Password | |
+|200| Secure Boot Keys | Secure Boot signing keys to enable for EFI applications | MsPlus3rdParty |
+|300| Trusted Platform Module (TPM) | TPM device enabled or disabled | Enabled |
+|301| Docking USB Port | Docking USB Port enabled or disabled | Enabled |
+|302| Front Camera | Front Camera enabled or disabled | Enabled |
+|303| Bluetooth | Bluetooth radio enabled or disabled | Enabled |
+|304| Rear Camera | Rear Camera enabled or disabled | Enabled |
+|305| IR Camera | InfraRed Camera enabled or disabled | Enabled |
+|308| Wi-Fi and Bluetooth | Wi-Fi and Bluetooth enabled or disabled | Enabled |
+|310| Type Cover | Surface Type Cover connector | Enabled |
+|320| On-board Audio | On-board audio enabled or disabled | Enabled |
+|330| Micro SD Card | Micro SD Card enabled or disabled | Enabled |
+|370| USB Port 1 | Side USB Port (1) | UsbPortEnabled |
+|400| IPv6 for PXE Boot | Enable IPv6 PXE boot before IPv4 PXE boot |Disabled |
+|401| Alternate Boot | Alternate Boot allows users to override the boot order by holding the volume down button when powering up the device | Enabled |
+|402| Boot Order Lock | Boot Order variable lock enabled or disabled | Disabled |
+|403| USB Boot | Enable booting from USB devices | Enabled |
+|500| TPM clear EFI protocol | Enable EFI protocol for invoking TPM clear | Disabled |
+|600| Security | UEFI Security Page Display enabled or disabled | Enabled |
+|601| Devices | UEFI Devices Page Display enabled or disabled | Enabled |
+|602| Boot | UEFI Boot Manager Page Display enabled or disabled | Enabled |
+
+*Table 2. Surface UEFI settings for Surface Book*
+
+| Setting ID | Setting Name | Description | Default Setting |
+| --- | --- | --- | --- |
+| 501 | Password | UEFI System Password | |
+| 200 | Secure Boot Keys | Secure Boot signing keys to enable for EFI applications | MsPlus3rdParty |
+| 300 | Trusted Platform Module (TPM) | TPM device enabled or disabled | Enabled |
+| 301 | Docking USB Port | Docking USB Port enabled or disabled | Enabled |
+| 302 | Front Camera | Front Camera enabled or disabled | Enabled |
+| 303 | Bluetooth | Bluetooth radio enabled or disabled | Enabled |
+| 304 | Rear Camera | Rear Camera enabled or disabled | Enabled |
+| 305 | IR Camera | InfraRed Camera enabled or disabled | Enabled |
+| 308 | Wi-Fi and Bluetooth | Wi-Fi and Bluetooth enabled or disabled | Enabled |
+| 320 | On-board Audio | On-board audio enabled or disabled | Enabled |
+| 400 | IPv6 for PXE Boot Enable | IPv6 PXE boot before IPv4 PXE boot | Disabled |
+| 401 | Alternate Boot | Alternate Boot allows users to override the boot order by holding the volume down button when powering up the device | Enabled |
+| 402 | Boot Order Lock | Boot Order variable lock enabled or disabled | Disabled |
+| 403 | USB Boot | Enable booting from USB devices | Enabled |
+| 500 | TPM clear EFI protocol | Enable EFI protocol for invoking TPM clear | Disabled |
+| 600 | Security | UEFI Security Page Display enabled or disabled | Enabled |
+| 601 | Devices | UEFI Devices Page Display enabled or disabled | Enabled |
+| 602 | Boot | UEFI Boot Manager Page Display enabled or disabled | Enabled |
+
+## Deploy SEMM Configuration Manager scripts
+
+After your scripts are prepared to configure and enable SEMM on the client device, the next step is to add these scripts as an application in Configuration Manager. Before you open Configuration Manager, ensure that the following files are in a shared folder that does not include other files:
+
+* ConfigureSEMM.ps1
+* ResetSEMM.ps1
+* Your SEMM certificate (for example SEMMCertificate.pfx)
+
+The SEMM Configuration Manager scripts will be added to Configuration Manager as a script application. The command to install SEMM with ConfigureSEMM.ps1 is:
+
+`Powershell.exe -file “.\ConfigureSEMM.ps1”`
+
+The command to uninstall SEMM with ResetSEMM.ps1 is:
+
+`Powershell.exe -file “.\ResetSEMM.ps1”`
+
+To add the SEMM Configuration Manager scripts to Configuration Manager as an application, use the following process:
+
+1. Start the Create Application Wizard using Step 1 through Step 5 from the [Deploy Microsoft Surface UEFI Manager](#deploy-microsoft-surface-uefi-manager) section earlier in this article.
+
+2. Proceed through The Create Application Wizard as follows:
+
+ - **General** – Select **Manually specify the application information**, and then click **Next**.
+
+ - **General Information** – Enter a name for the application (for example SEMM) and any other information you want such as publisher, version, or comments on this page. Click **Next** to proceed.
+
+ - **Application Catalog** – The fields on this page can be left with their default values. Click **Next**.
+
+ - **Deployment Types** – Click **Add** to start the Create Deployment Type Wizard.
+
+ - Proceed through the steps of the Create Deployment Type Wizard, as follows:
+
+ * **General** – Click **Script Installer** from the **Type** drop-down menu. The **Manually specify the deployment type information** option will automatically be selected. Click **Next** to proceed.
+ * **General Information** – Enter a name for the deployment type (for example SEMM Configuration Scripts), and then click **Next** to continue.
+ * **Content** – Click **Browse** next to the **Content Location** field, and then click the folder where your SEMM Configuration Manager scripts are located. In the **Installation Program** field, type the [installation command](#deploy-semm-configuration-manager-scripts) found earlier in this article. In the **Uninstall Program** field, enter the [uninstallation command](#deploy-semm-configuration-manager-scripts) found earlier in this article (shown in Figure 2). Click **Next** to move to the next page.
+
+ 
+
+ *Figure 2. Set the SEMM Configuration Manager scripts as the install and uninstall commands*
+
+ * **Detection Method** – Click **Add Clause** to add the SEMM Configuration Manager script registry key detection rule. The **Detection Rule** window is displayed, as shown in Figure 3. Use the following settings:
+
+ - Click **Registry** from the **Setting Type** drop-down menu.
+ - Click **HKEY_LOCAL_MACHINE** from the **Hive** drop-down menu.
+ - Enter **SOFTWARE\Microsoft\Surface\SEMM** in the **Key** field.
+ - Enter **Enabled_Version1000** in the **Value** field.
+ - Click **String** from the **Data Type** drop-down menu.
+ - Click the **This registry setting must satisfy the following rule to indicate the presence of this application** button.
+ - Enter **1** in the **Value** field.
+ - Click **OK** to close the **Detection Rule** window.
+
+ 
+
+ *Figure 3. Use a registry key to identify devices enrolled in SEMM*
+
+ * Click **Next** to proceed to the next page.
+
+ * **User Experience** – Click **Install for system** from the **Installation Behavior** drop-down menu. If you want your users to record and enter the certificate thumbprint themselves, leave the logon requirement set to **Only when a user is logged on**. If you want your administrators to enter the thumbprint for users and the users do not need to see the thumbprint, click **Whether or not a user is logged on** from the **Logon Requirement** drop-down menu.
+
+ * **Requirements** – The ConfigureSEMM.ps1 script automatically verifies that the device is a Surface device before attempting to enable SEMM. However, if you intend to deploy this script application to a collection with devices other than those to be managed with SEMM, you could add requirements here to ensure this application would run only on Surface devices or devices you intend to manage with SEMM. Click **Next** to continue.
+
+ * **Dependencies** – Click **Add** to open the **Add Dependency** window.
+
+ * Click **Add** to open the **Specify Required Application** window.
+
+ - Enter a name for the SEMM dependencies in the **Dependency Group Name** field (for example, *SEMM Assemblies*).
+
+ - Click **Microsoft Surface UEFI Manager** from the list of **Available Applications** and the MSI deployment type, and then click **OK** to close the **Specify Required Application** window.
+
+ * Keep the **Auto Install** check box selected if you want Microsoft Surface UEFI Manager installed automatically on devices when you attempt to enable SEMM with the Configuration Manager scripts. Click **OK** to close the **Add Dependency** window.
+
+ * Click **Next** to proceed.
+
+ * **Summary** – The information you have entered throughout the Create Deployment Type wizard is displayed on this page. Click **Next** to confirm your selections.
+
+ * **Progress** – A progress bar and status as the deployment type is added for the SEMM script application is displayed on this page.
+
+ * **Completion** – Confirmation of the deployment type creation is displayed when the process is complete. Click **Close** to finish the Create Deployment Type Wizard.
+
+ * **Summary** – The information that you entered throughout the Create Application Wizard is displayed. Click **Next** to create the application.
+
+ * **Progress** – A progress bar and status as the application is added to the Software Library is displayed on this page.
+
+ * **Completion** – Confirmation of the successful application creation is displayed when the application creation process is complete. Click **Close** to finish the Create Application Wizard.
+
+After the script application is available in the Software Library of Configuration Manager, you can distribute and deploy SEMM using the scripts you prepared to devices or collections. If you have configured the Microsoft Surface UEFI Manager assemblies as a dependency that will be automatically installed, you can deploy SEMM in a single step. If you have not configured the assemblies as a dependency, they must be installed on the devices you intend to manage before you enable SEMM.
+
+When you deploy SEMM using this script application and with a configuration that is visible to the end user, the PowerShell script will start and the thumbprint for the certificate will be displayed by the PowerShell window. You can have your users record this thumbprint and enter it when prompted by Surface UEFI after the device reboots.
+
+Alternatively, you can configure the application installation to reboot automatically and to install invisibly to the user – in this scenario, a technician will be required to enter the thumbprint on each device as it reboots. Any technician with access to the certificate file can read the thumbprint by viewing the certificate with CertMgr. Instructions for viewing the thumbprint with CertMgr are in the [Create or modify the SEMM Configuration Manager scripts](#create-or-modify-the-semm-configuration-manager-scripts) section of this article.
+
+Removal of SEMM from a device deployed with Configuration Manager using these scripts is as easy as uninstalling the application with Configuration Manager. This action starts the ResetSEMM.ps1 script and properly unenrolls the device with the same certificate file that was used during the deployment of SEMM.
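Review bot: the install and uninstall commands (`Powershell.exe -file “.\ConfigureSEMM.ps1”` and the ResetSEMM.ps1 equivalent) are written with curly quotes; they are meant to be typed into the Configuration Manager Installation Program and Uninstall Program fields, where the Windows command line does not treat U+201C/U+201D as quote characters, so they are passed to PowerShell as part of the file name and the script is not found. Use straight ASCII quotes (or none, since the paths contain no spaces). Two smaller points in the same region: the Settings registry key text says the key can be found at `HKLM\SOFTWARE\Microsoft\Surface\SEMM\Enabled_Version1000`, but the code fragment and the later Detection Rule steps treat `SOFTWARE\Microsoft\Surface\SEMM` as the key and `Enabled_Version1000` as a string value, so that sentence should name the key and the value separately to match the detection rule; and in Table 2 the row `| 400 | IPv6 for PXE Boot Enable | IPv6 PXE boot before IPv4 PXE boot | Disabled |` has "Enable" shifted from the Description into the Setting Name column, which no longer matches Table 1 or the `$uefiV2.Settings["IPv6 for PXE Boot"]` lookup in the Configure Settings fragment.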
diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md
index 043150076c..1cd440c9aa 100644
--- a/devices/surface/using-the-sda-deployment-share.md
+++ b/devices/surface/using-the-sda-deployment-share.md
@@ -11,9 +11,9 @@ author: Scottmca
# Using the Microsoft Surface Deployment Accelerator deployment share
-With Microsoft Surface Deployment Accelerator (SDA), you can quickly and easily set up a deployment solution that is ready to deploy Windows to Surface devices. The prepared environment is built on powerful deployment technologies available from Microsoft, such as the [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/en-us/windows/dn475741), and is capable of immediately performing a deployment after configuration. See [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/en-us/itpro/surface/step-by-step-surface-deployment-accelerator) for a comprehensive walkthrough of using the SDA wizard to set up a deployment share and perform a deployment.
+With Microsoft Surface Deployment Accelerator (SDA), you can quickly and easily set up a deployment solution that is ready to deploy Windows to Surface devices. The prepared environment is built on powerful deployment technologies available from Microsoft, such as the [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/windows/dn475741), and is capable of immediately performing a deployment after configuration. See [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator) for a comprehensive walkthrough of using the SDA wizard to set up a deployment share and perform a deployment.
-For more information about SDA and information on how to download SDA, see [Microsoft Surface Deployment Accelerator (SDA)](https://technet.microsoft.com/en-us/itpro/surface/microsoft-surface-deployment-accelerator).
+For more information about SDA and information on how to download SDA, see [Microsoft Surface Deployment Accelerator (SDA)](https://technet.microsoft.com/itpro/surface/microsoft-surface-deployment-accelerator).
Using SDA provides these primary benefits:
@@ -21,7 +21,7 @@ Using SDA provides these primary benefits:
* With SDA, you prepare a deployment environment built on the industry leading deployment solution of MDT. With MDT you can scale from a relatively basic deployment of a few Surface devices to a solution capable of deploying to thousands of devices including all of the different makes and models in your organization and all of the applications required by each device and user.
-This article explores four scenarios where you can use SDA to meet the needs of your organization. See [Deploy Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/index) to explore the capabilities of MDT and the Windows deployment technologies available from Microsoft in greater detail.
+This article explores four scenarios where you can use SDA to meet the needs of your organization. See [Deploy Windows 10](https://technet.microsoft.com/itpro/windows/deploy/index) to explore the capabilities of MDT and the Windows deployment technologies available from Microsoft in greater detail.
## Perform a Proof of Concept deployment
@@ -41,7 +41,7 @@ Some recommendations for a successful PoC with SDA are:
* Use offline files with SDA to further reduce installation times.
-* For help with your PoC, contact [Surface Support](https://www.microsoft.com/surface/en-us/support/contact-us-business).
+* For help with your PoC, contact [Surface Support](https://www.microsoft.com/surface/support/contact-us-business).
## Perform a pilot deployment
@@ -52,7 +52,7 @@ A pilot deployment differs from a PoC. Where a PoC is usually a closed demonstra
For example, you are tasked with deploying Surface devices to mobile workers and you want to test the organization’s MDT deployment process by providing a small number of devices to executives. You can use SDA to create an isolated Surface deployment environment and then copy the task sequence, applications, and drivers needed from the production deployment share. This not only enables you to quickly create a Surface deployment, but it also minimizes the risk to the production deployment process used for other types of devices.
-For small organizations, the pilot deployment environment of SDA may suffice as a complete deployment solution. Even if you do not have an existing deployment environment, you can import drivers and applications (covered later in this article) to provide a complete deployment solution based on MDT. Even without previous knowledge of MDT or Windows deployment, you can follow the [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/en-us/itpro/surface/step-by-step-surface-deployment-accelerator) article to get started with a deployment to Surface devices.
+For small organizations, the pilot deployment environment of SDA may suffice as a complete deployment solution. Even if you do not have an existing deployment environment, you can import drivers and applications (covered later in this article) to provide a complete deployment solution based on MDT. Even without previous knowledge of MDT or Windows deployment, you can follow the [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator) article to get started with a deployment to Surface devices.
## Import additional drivers
@@ -97,7 +97,7 @@ To import drivers for a peripheral device:
After the drivers are imported for the Surface model, the deployment task sequence will automatically select the drivers during the deployment process and include them in the Windows environment. When you connect your device, such as the barcode scanner in the example, Windows should automatically detect the device and you should be able to use it immediately.
>[!NOTE]
->You can even import drivers for other computer makes and models to support other devices. See **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt) for more information about how to import drivers for other makes and models.
+>You can even import drivers for other computer makes and models to support other devices. See **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt) for more information about how to import drivers for other makes and models.
## Import additional applications
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index 2e31b14786..8411e8ef7f 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -5,6 +5,7 @@
### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
+## [Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
## [Get Minecraft Education Edition](get-minecraft-for-education.md)
### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index f03105f10d..3ce92ed3d0 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -12,6 +12,14 @@ author: jdeckerMS
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+## November 2016
+
+| New or changed topic | Description|
+| --- | --- |
+| [Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md) | New. Learn about education scenarios for Windows Store for Business. |
+| [For teachers - get Minecraft: Education Edition](teacher-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. |
+| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. |
+
## September 2016
| New or changed topic | Description|
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index dcfe03beba..766978b300 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -728,7 +728,7 @@ To implement this method, perform the following steps:
Put the student information in the format the bulk-import feature requires.
2. Bulk-import the student information into Azure AD.
- For more information about how to perform this step, see the [Bulk-import user and group accounts in Office 365](#bulk-import-user-and-group-accounts-in-office-365) section.
+ For more information about how to perform this step, see the [Bulk-import user and group accounts into Office 365](#bulk-import-user-and-group-accounts-into-office-365) section.
#### Summary
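Review bot: the link target changes to `#bulk-import-user-and-group-accounts-into-office-365`, but this hunk does not show the heading it points at being renamed from "in Office 365" to "into Office 365"; confirm that the target heading has actually been changed in this file, otherwise the anchor no longer resolves.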
@@ -1851,4 +1851,4 @@ You have now identified the tasks you need to perform monthly, at the end of an
* [Manage Windows 10 updates and upgrades in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723347)
* [Reprovision devices at the end of the school year (video)](https://technet.microsoft.com/en-us/windows/mt723344)
* [Use MDT to deploy Windows 10 in a school (video)](https://technet.microsoft.com/en-us/windows/mt723343)
-* [Use Windows Store for Business in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723348)
\ No newline at end of file
+* [Use Windows Store for Business in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723348)
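Review bot: this hunk only adds the missing trailing newline, yet the four video links in it still carry the `en-us/` locale segment that the SDA hunks in this same patch strip from technet.microsoft.com URLs (for example `https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator`); if dropping the locale is the intended repo-wide change, apply it here too, otherwise the patch leaves the two files inconsistent.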
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
new file mode 100644
index 0000000000..8a42859576
--- /dev/null
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -0,0 +1,180 @@
+---
+title: Education scenarios Windows Store for Business
+description: Learn how IT admins and teachers can use Windows Store for Business to acquire and manage apps in schools.
+keywords: ["school"]
+ms.prod: W10
+ms.mktglfcycl: plan
+ms.sitesec: library
+author: trudyha
+---
+
+# Working with Windows Store for Business – education scenarios
+
+Learn about education scenarios for Windows Store for Business. IT admins and teachers can use Windows Store for Business to find, acquire, distribute, and manage apps.
+
+## Manage Windows Store for Business settings
+
+### Access to Windows Store for Business
+Applies to: IT admins
+
+By default, when a teacher with a work or school account acquires Minecraft: Education Edition,they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
+
+However, tenant admins can control whether or not teachers automatically sign up for Windows Store for Business, and get the **Basic Purchaser** role. You can configure this with **Allow educators in my organization to sign up for the Windows Store for Business.** You'll find this on the **Permissions** page.
+
+**To manage educator access to Windows Store for Business**
+1. In Windows Store for Business, click **Settings**, and then click **Permissions**.
+
+ 
+
+2. Select, or clear **Allow educators in my organization to sign up for the Windows Store for Business**.
+
+### Windows Store for Business permissions
+Applies to: IT admins
+
+**Minecraft: Education Edition** adds a new role for teachers: **Basic Purchaser**. As an Admin, you can assign this role to teachers in your organization. When a teacher has been granted this role, they can:
+- View the Minecraft: Education Edition product description page
+- Acquire and manage Minecraft: Education Edition, and other apps from Store for Business
+- Use info on Support page (including links to documentation and access to support through customer service)
+
+ 
+
+**To assign Basic Purchaser role**
+
+1. Sign in to Store for Business
+
+ > [!NOTE]
+ > You need to be a Global Administrator, or have the Store for Business Admin role to access the **Permissions** page.
+
+2. Click **Settings**, and then choose **Permissions**.
+
+ 
+3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**.
+
+ 
+
+ Windows Store for Business updates the list of people and permissions.
+
+ 
+
+### Private store
+
+Applies to: IT admins
+
+When you create you Windows Store for Business account, you'll have a set of apps included for free in your private store. Apps in your private store are available for all people in your organization to install and use.
+
+These apps will automatically be in your private store:
+- Word mobile
+- Excel mobile
+- PowerPoint mobile
+- OneNote
+- Sway
+- Fresh Paint
+- Minecraft: Education Edition
+
+As an admin, you can remove any of these apps from the private store if you'd prefer to control how apps are distributed.
+
+## Manage domain settings
+
+Applies to: IT admins
+
+### Self-service sign up
+Self-service sign up makes it easier for teachers and students in your organization to get started with **Minecraft: Education Edition**. If you have self-service sign up enabled in your tenant, teachers can assign **Minecraft: Education Edition** to students before they have a work or school account. Students receive an email that steps them through the process of signing up for a work or school account. For more information on self-service sign up, see [Using self-service sign up in your organization](https://support.office.com/article/Using-self-service-sign-up-in-your-organization-4f8712ff-9346-4c6c-bb63-a21ad7a62cbd?ui=en-US&rs=en-US&ad=US).
+
+### Domain verification
+For education organizations, domain verification ensures you are on the academic verification list. As an admin, you might need to verify your domain using the Office 365 portal. For more information, see [Verify your Office 365 domain to prove ownership, nonprofit or education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590?ui=en-US&rs=en-US&ad=US).
+
+## Acquire apps
+Applies to: IT admins and teachers
+
+Find apps for your school using Windows Store for Business. Admins in an education setting can use the same processes as Admins in an enterprise setting to find and acquire apps.
+
+**To acquire apps**
+- For info on how to acquire apps, see [Acquire apps in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business#acquire-apps)
+
+**To add a payment method**
+
+If you the app you purchase has a price, you’ll need to provide a payment method.
+- Click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
+
+For more information on payment options, see [payment options](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business#payment-options).
+
+For more information on tax rates, see [tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information).
+
+### Get started with Minecraft: Education Edition
+Teachers and IT administrators can now get trials or subscriptions to Minecraft: Education Edition and add it to Windows Store for Business for distribution.
+- [Get started with Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/get-minecraft-for-education)
+- [For IT admins – Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/school-get-minecraft)
+- [For teachers – Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/teacher-get-minecraft)
+
+
+## Manage WSfB inventory
+Applies to: IT admins and teachers
+
+### Manage purchases
+IT admins and teachers in educational settings can purchase apps from Windows Store for Business. Teachers need to have the Basic purchaser role, but if they've acquired Minecraft: Education Edition, they have the role by default.
+
+While both groups can purchase apps, they can't manage purchases made by the other group.
+
+Admins can:
+- Manage and distribute apps they purchased and apps that are purchased by other admins in the organization.
+- View apps purchased by teachers.
+- View and manage apps on **Inventory**, under **Admin purchases**.
+
+Teachers can:
+- Manage and distribute apps they purchased.
+- View and manage apps on **Inventory**, under **User purchases**.
+
+> [!NOTE]
+> Teachers can't manage or view apps purchased by other teachers, or purchased by admins. Teachers can only work with the apps they purchased.
+
+
+### Distribute apps
+
+Manage and distribute apps to students and others in your organization. Different options are avaialble for admins and teachers.
+
+Applies to: IT admins
+
+**To manage and distribute apps**
+- For info on how to distribute **Minecraft: Education Edition**, see [For IT admins – Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/school-get-minecraft#distribute_minecraft)
+- For info on how to manage and distribute other apps, see [App inventory management - Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-management-windows-store-for-business)
+
+Applies to: Teachers
+
+For info on how to distribute **Minecraft: Education Edition**, see [For teachers – Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/teacher-get-minecraft#distribute-minecraft).
+
+**To assign an app to a student**
+
+1. Sign in to the Store for Business.
+2. Click **Manage**, and then choose **Inventory**.
+3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
+4. Type the email address, or name for the student that you're assigning the app to, and click **Confirm**.
+
+Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
+
+### Purchase additional licenses
+Applies to: IT admins and teachers
+
+You can manage current app licenses, or purchase more licenses for apps in your inventory.
+
+**To purchase additional app licenses**
+1. From **Inventory**, click an app.
+2. On the app page, click **View app details**.
+3. From this page, click **Buy more** to purchase more licenses
+-OR-
+Click **Manage** to distribute or reclaim current licenses.
+
+You'll have a summary of current license availability.
+
+**Minecraft: Education Edition subscriptions**
+
+Similarly, you can purchase additional subscriptions of **Minecraft: Education Edition** through Windows Store for Business. Find **Minecraft: Education Edition** in your inventory and use the previous steps for purchasing additional app licenses.
+
+## Manage WSfB order history
+Applies to: IT admins and teachers
+
+You can manage your orders through Windows Store for Business. For info on order history and how to refund an order, see [Manage app orders in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/manage-orders-windows-store-for-business).
+
+It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**.
+
+> [!NOTE]
+For **Minecraft: Education Edition**, you can request a refund through Windows Store for Business for two months from the purchase date. After two months, refunds require a support call.
\ No newline at end of file
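Review bot: the last `> [!NOTE]` callout in this file (the refund note under "Manage WSfB order history") is malformed: the line after `> [!NOTE]` has no `>` prefix, so the refund text renders as an ordinary paragraph outside the callout; prefix it with `> `. Typos to fix in the same hunk: "When you create you Windows Store for Business account" (your), "If you the app you purchase has a price" (If the app), and "avaialble". In "To assign an app to a student" the closing paragraph says "Employees will receive an email", but this page is about students; say "Students". In "To purchase additional app licenses" the unindented "-OR-" line between steps splits the numbered list; indent it under step 3. One clarification is worth adding to "To manage educator access": the page says the sign-up toggle auto-grants Basic Purchaser, and the Basic Purchaser section says that role can "Acquire and manage Minecraft: Education Edition, and other apps", so the toggle is effectively the control over which teachers can acquire (including paid) apps; state that plainly so admins know what they are enabling.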
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index e0880b7a0e..200b8a1ce9 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerMS
---
-# Get Minecraft Education Edition
+# Get Minecraft: Education Edition
**Applies to:**
@@ -26,7 +26,7 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio
## Prerequisites
- **Minecraft: Education Edition** requires Windows 10.
-- Early access to **Minecraft: Education Edition** is offered to education tenants that are managed by Azure Active Directory (Azure AD).
+- Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD).
- If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
* Office 365 Education, which includes online versions of Office apps plus 1 TB online storage and [Microsoft Classroom](https://classroom.microsoft.com/), is free for teachers and students. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan)
* If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/library/windows/hardware/mt703369%28v=vs.85%29.aspx)
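Review bot: the hunk header context still reads "Teachers and IT administrators can now get early access to **Minecraft: Education Edition**", so the intro now contradicts the updated prerequisite bullet that says trials or subscriptions are offered; update that intro sentence in the same change. The prerequisites list also mixes `-` and `*` bullet markers (the last two items use `*`), which some renderers treat as two separate lists; use `-` throughout.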
diff --git a/education/windows/images/mc-dnld-others-teacher.png b/education/windows/images/mc-dnld-others-teacher.png
index 24fa7ae20d..aa5df16595 100644
Binary files a/education/windows/images/mc-dnld-others-teacher.png and b/education/windows/images/mc-dnld-others-teacher.png differ
diff --git a/education/windows/images/mc-install-for-me-teacher.png b/education/windows/images/mc-install-for-me-teacher.png
index 7bc90ad129..e303e63660 100644
Binary files a/education/windows/images/mc-install-for-me-teacher.png and b/education/windows/images/mc-install-for-me-teacher.png differ
diff --git a/education/windows/images/minecraft-assign-to-people-name.png b/education/windows/images/minecraft-assign-to-people-name.png
index e39891698b..38994cc58f 100644
Binary files a/education/windows/images/minecraft-assign-to-people-name.png and b/education/windows/images/minecraft-assign-to-people-name.png differ
diff --git a/education/windows/images/minecraft-get-the-app.png b/education/windows/images/minecraft-get-the-app.png
index f30ab8ac68..47024aab6c 100644
Binary files a/education/windows/images/minecraft-get-the-app.png and b/education/windows/images/minecraft-get-the-app.png differ
diff --git a/education/windows/images/minecraft-student-install-email.png b/education/windows/images/minecraft-student-install-email.png
index aa562a0f01..225e8d899e 100644
Binary files a/education/windows/images/minecraft-student-install-email.png and b/education/windows/images/minecraft-student-install-email.png differ
diff --git a/education/windows/images/windows-10-for-education-banner.png b/education/windows/images/windows-10-for-education-banner.png
new file mode 100644
index 0000000000..cf33adc9b6
Binary files /dev/null and b/education/windows/images/windows-10-for-education-banner.png differ
diff --git a/education/windows/index.md b/education/windows/index.md
index 98aaf94eef..d64f4ca4cc 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -9,11 +9,11 @@ ms.pagetype: edu
author: CelesteDG
---
+
+
# Windows 10 for Education
-[Windows 10 Education and Windows 10 Pro Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers, and students to do great things.
-
##  Learn
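Review bot: this hunk deletes the page's only introductory sentence (the Windows 10 Education / Windows 10 Pro Education product link) and the two added lines under the front matter carry no visible text in this diff view; if a banner image replaced the sentence, keep a one-line text introduction as well so the page does not open with a bare heading followed by "Learn". Also, `##  Learn` has a double space after the hashes.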
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index 3efe123ac0..0adea43fb7 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -8,13 +8,13 @@ ms.sitesec: library
author: jdeckerMS
---
-# For IT administrators: get Minecraft: Education Edition
+# For IT administrators - get Minecraft: Education Edition
**Applies to:**
- Windows 10
-When you sign up for early access to [Minecraft: Education Edition](http://education.minecraft.net), Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization.
+When you sign up for a [Minecraft: Education Edition](http://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](http://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization.
> **Note**: If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
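Review bot: the rewritten opening sentence is a fragment: "When you sign up for a [...] trial, or purchase a [...] subscription. Minecraft will be added to the inventory ..." needs a comma instead of the first period ("... subscription, Minecraft will be added ..."). The same sentence links education.minecraft.net twice; one link is enough.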
@@ -48,6 +48,8 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
Now that the app is in your Store for Business inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft).
+If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://technet.microsoft.com/edu/windows/education-scenarios-store-for-business#purchase-additional-licenses).
+
### Minecraft: Education Edition - volume licensing
Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
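Review bot: the new "Purchase additional licenses" link uses an absolute technet.microsoft.com URL for a page that lives in this same repository (education-scenarios-store-for-business.md, which the "Learn more" section of this very file links relatively); use `education-scenarios-store-for-business.md#purchase-additional-licenses` so the build validates the link and it survives a host or path change.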
@@ -68,7 +70,7 @@ Admins can also add Minecraft: Education Edition to the private store. This allo
Here's the page you'll see for Minecraft: Education Edition licenses purchased directly through the Windows Store for Business.
-
+
Here's the page you'll see for Minecraft: Education Edition licenses purchased through volume licensing.
@@ -78,27 +80,27 @@ Here's the page you'll see for Minecraft: Education Edition licenses purchased t
You can install the app on your PC. This gives you a chance to test the app and know how you might help others in your organization use the app.
1. Sign in to Windows Store for Business.
-2. Click **Manage**, and then click **Install for me**.
+2. Click **Manage**, and then click **Install**.
- 
+ 
3. Click **Install**.
### Assign to others
Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. You can assign the app to individuals, groups, or add it to your private store, where students and teachers in your organization can download the app.
+
**To assign to others**
1. Sign in to Windows Store for Business.
2. Click **Manage**.
- 
-3. Click **Assign to people**.
+ 
+3. Click **Invite people**.
- 
-4. Type the name, or email address of the student you want to assign the app to, and then click **Assign**.
+4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
- You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.
-
+ You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.
+

**To finish Minecraft install (for students)**
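Review bot: step 3 is renamed from **Assign to people** to **Invite people**, but step 4 still ends with "click **Assign**"; confirm the button label in the renamed dialog and update step 4 if it changed as well. Step 4 now also mentions "student or group", while the note beneath it still only says the app can be assigned to students with work or school accounts; extend the note to say what applies when a group is named, or drop "or group".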
@@ -150,7 +152,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
- 
+ 
2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
@@ -159,9 +161,9 @@ You'll download a .zip file, extract the files, and then use one of the files to
6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use.
-## Manage Minecraft: Education Edition
+
-### Access to Windows Store for Business
+
+
+
+
+
-
## Learn more
+[Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
+Learn about overall Windows Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
[Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business)
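Review bot: removing the "## Manage Minecraft: Education Edition" and "### Access to Windows Store for Business" headings drops their anchors (`#manage-minecraft-education-edition`, `#access-to-windows-store-for-business`); search the repo for inbound links to those anchors and retarget them at education-scenarios-store-for-business.md, where this content now lives. The hunk also leaves a run of empty added lines where the sections were; collapse them to a single blank line. In "Learn more", the new link line and its description are on consecutive lines, so they merge into one paragraph unless separated by a blank line or a trailing double space.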
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 7c05de544c..e4002090f5 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -25,11 +25,9 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
-> **Tip!**
+> [!TIP]
> To exit **Take a Test**, press Ctrl+Alt+Delete.
-
-
## How you use Take a Test

@@ -47,7 +45,10 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
1. Sign into the device with an administrator account.
2. Go to **Settings** > **Accounts** > **Work or school access** > **Set up an account for taking tests**.
3. Select an existing account to use as the dedicated testing account.
- >**Note**: If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**.
+
+ > [!NOTE]
+ > If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I don’t have this person’s sign-in information** > **Add a user without a Microsoft account**.
+
4. Specify an assessment URL.
5. Click **Save**.
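Review bot: the relocated `[!NOTE]` under step 3 has to be indented to the list item's content column (three spaces for `3. `) or the list is broken before step 4; the indent shown here looks like a single space, so verify it in the source file. The conversion from `> **Note**:` to the `[!NOTE]` / `[!TIP]` form is otherwise consistent with the rest of the commit.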
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index ee487613c0..362d143475 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerMS
---
-# For teachers: get Minecraft: Education Edition
+# For teachers - get Minecraft: Education Edition
**Applies to:**
@@ -38,6 +38,8 @@ Learn how teachers can get and distribute Minecraft: Education Edition.

+If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://technet.microsoft.com/edu/windows/education-scenarios-store-for-business#purchase-additional-licenses).
+
## Distribute Minecraft
After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options:
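Review bot: the new "Purchase additional licenses" link is an absolute technet URL into this repository's own education-scenarios-store-for-business.md (which the "Related topics" section of this same file links relatively); use `education-scenarios-store-for-business.md#purchase-additional-licenses` so link validation covers it.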
@@ -52,7 +54,7 @@ After Minecraft: Education Edition is added to your Windows Store for Business i
You can install the app on your PC. This gives you a chance to work with the app before using it with your students.
1. Sign in to Windows Store for Business.
-2. Click **Manage**, and then click **Install for me**.
+2. Click **Manage**, and then click **Install**.

@@ -65,17 +67,17 @@ Enter email addresses for your students, and each student will get an email with
1. Sign in to Windows Store for Business.
2. Click **Manage**.
- 
+ 
-3. Click **Assign to people**.
-
- 
+3. Click **Invite people**.
-4. Type the name, or email address of the student you want to assign the app to, and then click **Assign**.
+4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
- You can only assign the app to students with work or school accounts. If you don't find the student, contact your IT admin to add a work or school account for the student.
+ 
+
+ You can assign the app to students with work or school accounts.
+ If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Office 365 portal where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
- 
**To finish Minecraft install (for students)**
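Review bot: the new self-service sign-up paragraph tells teachers they can assign the app to a student who has no account yet, but not the constraint that applies: the address has to belong to a domain for which self-service sign up is enabled in the tenant. The IT-admin scenarios page added in this commit covers exactly that under "Manage domain settings" (self-service sign up and domain verification), so link to it instead of "Check with your admin", and say what happens to the assigned license if the student never completes sign-up (held or returned to inventory). Also, step 3 now reads **Invite people** while step 4 still says click **Assign**; confirm the button label.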
@@ -152,6 +154,9 @@ If you are still having trouble installing the app, you can get more help on our
## Related topics
+[Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
+Learn about overall Windows Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
+
[Get Minecraft: Education Edition](get-minecraft-for-education.md)
[For IT admins: get Minecraft: Education Edition](school-get-minecraft.md)
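Review bot: the related-topics entry "[For IT admins: get Minecraft: Education Edition]" no longer matches that page's title, which this same commit renames to "For IT administrators - get Minecraft: Education Edition"; update the link text so the two agree.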
diff --git a/mdop/appv-v5/TOC.md b/mdop/appv-v5/TOC.md
index 2836e9c7ab..db147e8a98 100644
--- a/mdop/appv-v5/TOC.md
+++ b/mdop/appv-v5/TOC.md
@@ -40,6 +40,7 @@
##### [About App-V 5.1 Reporting](about-app-v-51-reporting.md)
##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database 5.1](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md)
#### [App-V 5.1 Deployment Checklist](app-v-51-deployment-checklist.md)
+#### [Deploying Microsoft Office 2016 by Using App-V 5.1](deploying-microsoft-office-2016-by-using-app-v51.md)
#### [Deploying Microsoft Office 2013 by Using App-V 5.1](deploying-microsoft-office-2013-by-using-app-v51.md)
#### [Deploying Microsoft Office 2010 by Using App-V 5.1](deploying-microsoft-office-2010-by-using-app-v51.md)
### [Operations for App-V 5.1](operations-for-app-v-51.md)
@@ -155,6 +156,7 @@
##### [About App-V 5.0 Reporting](about-app-v-50-reporting.md)
##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database.md)
#### [App-V 5.0 Deployment Checklist](app-v-50-deployment-checklist.md)
+#### [Deploying Microsoft Office 2016 by Using App-V](deploying-microsoft-office-2016-by-using-app-v.md)
#### [Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md)
#### [Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md)
### [Operations for App-V 5.0](operations-for-app-v-50.md)
diff --git a/mdop/appv-v5/about-app-v-50-sp3.md b/mdop/appv-v5/about-app-v-50-sp3.md
index aeca744a26..4ea53c7fc1 100644
--- a/mdop/appv-v5/about-app-v-50-sp3.md
+++ b/mdop/appv-v5/about-app-v-50-sp3.md
@@ -109,7 +109,7 @@ Review the following information before you start the upgrade:
You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V 5.0 SP3.
[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v.md)
@@ -521,7 +521,7 @@ You can manage connection groups more easily by using optional packages and othe
Management console
-
[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md#bkmk-admin-pub-pkg-only-posh)
+
[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md)
PowerShell
diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
index a0615d5921..dfb5138d48 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
@@ -157,7 +157,6 @@ Complete the following steps to create an Office 2013 package for App-V 5.0 or l
**Important**
In App-V 5.0 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
-
### Review prerequisites for using the Office Deployment Tool
@@ -189,11 +188,9 @@ The computer on which you are installing the Office Deployment Tool must have:
-
**Note**
In this topic, the term “Office 2013 App-V package” refers to subscription licensing and volume licensing.
-
### Create Office 2013 App-V Packages Using Office Deployment Tool
@@ -242,8 +239,6 @@ The XML file that is included in the Office Deployment Tool specifies the produc
**Note**
The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file.
-
-
The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
@@ -300,8 +295,6 @@ The XML file that is included in the Office Deployment Tool specifies the produc
-
-
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2013 applications that will later be converted into an App-V package. Below is an example command with description of details:
@@ -811,7 +804,7 @@ The following table describes the requirements and options for deploying Visio 2
How do I package and publish Visio 2013 and Project 2013 with Office?
You must include Visio 2013 and Project 2013 in the same package with Office.
-
If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the [Virtualizing Microsoft Office 2013 for Application Virtualization (App-V) 5.0](../solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md#bkmk-pkg-pub-reqs).
+
If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).
How can I deploy Visio 2013 and Project 2013 to specific users?
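Review bot: the replacement answer for "How do I package and publish Visio 2013 and Project 2013 with Office?" now sends readers to the Office 2010 topic (deploying-microsoft-office-2010-by-using-app-v.md); for a Visio 2013 / Project 2013 question the target should be this topic's own "Packaging, publishing, and deployment requirements" section, which is what the removed `#bkmk-pkg-pub-reqs` link was pointing at in the solutions guide.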
diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
index cc8b0e0899..f3fcc6f7b2 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
@@ -62,7 +62,6 @@ Use the following table to get information about supported versions of Office an
-
### Packaging, publishing, and deployment requirements
Before you deploy Office by using App-V, review the following requirements.
@@ -811,7 +810,7 @@ The following table describes the requirements and options for deploying Visio 2
How do I package and publish Visio 2013 and Project 2013 with Office?
You must include Visio 2013 and Project 2013 in the same package with Office.
-
If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the [Virtualizing Microsoft Office 2013 for Application Virtualization (App-V) 5.0](../solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md#bkmk-pkg-pub-reqs).
+
If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).
How can I deploy Visio 2013 and Project 2013 to specific users?
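Review bot: as in the App-V 5.0 copy of this FAQ, the new answer links the Office 2010 topic (deploying-microsoft-office-2010-by-using-app-v.md) for a Visio 2013 / Project 2013 question; point it at this topic's own "Packaging, publishing, and deployment requirements" section instead, which is the content the removed `#bkmk-pkg-pub-reqs` link referred to.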
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
new file mode 100644
index 0000000000..326877092e
--- /dev/null
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
@@ -0,0 +1,876 @@
+---
+title: Deploying Microsoft Office 2016 by Using App-V
+description: Deploying Microsoft Office 2016 by Using App-V
+author: jamiejdt
+ms.assetid: cc675cde-cb8d-4b7c-a700-6104b78f1d89
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Deploying Microsoft Office 2016 by Using App-V
+
+
+Use the information in this article to use Microsoft Application Virtualization 5.0, or later versions, to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md).
+
+This topic contains the following sections:
+
+- [What to know before you start](#bkmk-before-you-start)
+
+- [Creating an Office 2016 package for App-V with the Office Deployment Tool](#bkmk-create-office-pkg)
+
+- [Publishing the Office package for App-V 5.0](#bkmk-pub-pkg-office)
+
+- [Customizing and managing Office App-V packages](#bkmk-custmz-manage-office-pkgs)
+
+## What to know before you start
+
+
+Before you deploy Office 2016 by using App-V, review the following planning information.
+
+### Supported Office versions and Office coexistence
+
+Use the following table to get information about supported versions of Office and about running coexisting versions of Office.
+
+
+
+
+
+
+
+
+
Information to review
+
Description
+
+
+
+
+
[Supported versions of Microsoft Office](planning-for-using-app-v-with-office.md#bkmk-office-vers-supp-appv)
+
+
Supported versions of Office
+
Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)
+
Office licensing options
+
+
+
+
[Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)
+
Considerations for installing different versions of Office on the same computer
+
+
+
+
+
+
+### Packaging, publishing, and deployment requirements
+
+Before you deploy Office by using App-V, review the following requirements.
+
+
+
+
+
+
+
+
+
Task
+
Requirement
+
+
+
+
+
Packaging
+
+
All of the Office applications that you want to deploy to users must be in a single package.
+
In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.
+
If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project).
+
+
+
+
Publishing
+
+
You can publish only one Office package to each client computer.
+
You must publish the Office package globally. You cannot publish to the user.
+
+
+
+
Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:
+
+
Office 365 ProPlus
+
Visio Pro for Office 365
+
Project Pro for Office 365
+
+
You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).
+
You don’t use shared computer activation if you’re deploying a volume licensed product, such as:
+
+
Office Professional Plus 2016
+
Visio Professional 2016
+
Project Professional 2016
+
+
+
+
+
+
+
+### Excluding Office applications from a package
+
+The following table describes the recommended methods for excluding specific Office applications from a package.
+
+
+
+
+
+
+
+
+
Task
+
Details
+
+
+
+
+
Use the ExcludeApp setting when you create the package by using the Office Deployment Tool.
+
+
Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.
+
For more information, see [ExcludeApp element](http://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).
+
+
+
+
Modify the DeploymentConfig.xml file
+
+
Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.
+
For more information, see [Disabling Office 2016 applications](#bkmk-disable-office-apps).
+
+
+
+
+
+
+
+## Creating an Office 2016 package for App-V with the Office Deployment Tool
+
+
+Complete the following steps to create an Office 2016 package for App-V 5.0 or later.
+
+**Important**
+In App-V 5.0 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
+
+
+### Review prerequisites for using the Office Deployment Tool
+
+The computer on which you are installing the Office Deployment Tool must have:
+
+
+
+
+
+
+
+
+
Prerequisite
+
Description
+
+
+
+
+
Prerequisite software
+
.Net Framework 4
+
+
+
Supported operating systems
+
+
64-bit version of Windows 10
+
64-bit version of Windows 8 or 8.1
+
64-bit version of Windows 7
+
+
+
+
+
+
+**Note**
+In this topic, the term “Office 2016 App-V package” refers to subscription licensing and volume licensing.
+
+
+### Create Office 2016 App-V Packages Using Office Deployment Tool
+
+You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Volume Licensing or Subscription Licensing.
+
+Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers.
+
+### Download the Office Deployment Tool
+
+Office 2016 App-V Packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation:
+
+1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117).
+
+2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
+
+ Example: \\\\Server\\Office2016
+
+3. Check that a setup.exe and a configuration.xml file exist and are in the location you specified.
+
+### Download Office 2016 applications
+
+After you download the Office Deployment Tool, you can use it to get the latest Office 2016 applications. After getting the Office applications, you create the Office 2016 App-V package.
+
+The XML file that is included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included.
+
+1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications:
+
+ 1. Open the sample XML file in Notepad or your favorite text editor.
+
+ 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file:
+
+ ``` syntax
+
+
+
+
+
+
+
+
+
+
+ ```
+
+ **Note**
+ The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line.
+
+ The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
+
+
+
+
+
+
+
+
+
+
Input
+
Description
+
Example
+
+
+
+
+
Add element
+
Specifies the products and languages to include in the package.
+
N/A
+
+
+
OfficeClientEdition (attribute of Add element)
+
Specifies the edition of Office 2016 product to use: 32-bit or 64-bit. The operation fails if OfficeClientEdition is not set to a valid value.
+
OfficeClientEdition="32"
+
OfficeClientEdition="64"
+
+
+
Product element
+
Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.
+
Product ID ="O365ProPlusRetail "
+
Product ID ="VisioProRetail"
+
Product ID ="ProjectProRetail"
+
Product ID ="ProPlusVolume"
+
Product ID ="VisioProVolume"
+
Product ID = "ProjectProVolume"
+
+
+
Language element
+
Specifies the language supported in the applications
+
Language ID="en-us"
+
+
+
Version (attribute of Add element)
+
Optional. Specifies a build to use for the package
+
Defaults to latest advertised build (as defined in v32.CAB at the Office source).
+
15.1.2.3
+
+
+
SourcePath (attribute of Add element)
+
Specifies the location in which the applications will be saved to.
+
Sourcepath = "\\Server\Office2016”
+
+
+
Branch (attribute of Add element)
+
Optional. Specifies the update branch for the product that you want to download or install.
For more information about update branches, see Overview of update branches for Office 365 ProPlus.
+
Branch = "Business"
+
+
+
+
+ After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
+
+2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with description of details:
+
+ ``` syntax
+ \\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml
+ ```
+
+ In the example:
+
+
+
+
+
+
+
+
+
\\server\Office2016
+
is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.
+
+
+
Setup.exe
+
is the Office Deployment Tool.
+
+
+
/download
+
downloads the Office 2016 applications that you specify in the customConfig.xml file. These bits can be later converted in an Office 2016 App-V package with Volume Licensing.
+
+
+
\\server\Office2016\Customconfig.xml
+
passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \\Server\Office2016.
+
+
+
+
+
+
+### Convert the Office applications into an App-V package
+
+After you download the Office 2016 applications through the Office Deployment Tool, use the Office Deployment Tool to convert them into an Office 2016 App-V package. Complete the steps that correspond to your licensing model.
+
+**Summary of what you’ll need to do:**
+
+- Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers.
+
+- Create an Office App-V package for either Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
+
+ The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
+
+
+
+
+
+
+
+
+
+
Product ID
+
Volume Licensing
+
Subscription Licensing
+
+
+
+
+
Office 2016
+
ProPlusVolume
+
O365ProPlusRetail
+
+
+
Office 2016 with Visio 2016
+
ProPlusVolume
+
VisioProVolume
+
O365ProPlusRetail
+
VisioProRetail
+
+
+
Office 2016 with Visio 2016 and Project 2016
+
ProPlusVolume
+
VisioProVolume
+
ProjectProVolume
+
O365ProPlusRetail
+
VisioProRetail
+
ProjectProRetail
+
+
+
+
+
+
+**How to convert the Office applications into an App-V package**
+
+1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file:
+
+
+
+
+
+
+
+
+
Parameter
+
What to change the value to
+
+
+
+
+
SourcePath
+
Point to the Office applications downloaded earlier.
+
+
+
ProductID
+
Specify the type of licensing, as shown in the following examples:
In this example, the following changes were made to create a package with Volume licensing:
+
+
+
+
+
+
+
+
SourcePath
+
is the path, which was changed to point to the Office applications that were downloaded earlier.
+
+
+
Product ID
+
for Office was changed to ProPlusVolume.
+
+
+
Product ID
+
for Visio was changed to VisioProVolume.
+
+
+
+
+
+
+
+
+
ExcludeApp (optional)
+
Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.
+
+
+
PACKAGEGUID (optional)
+
By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.
+
An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.
+
+ Note
+
Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
+
+
+
+
+
+
+
+
+
+
+2. Use the /packager command to convert the Office applications to an Office 2016 App-V package.
+
+ For example:
+
+ ``` syntax
+ \\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml \\server\share\Office2016AppV
+ ```
+
+ In the example:
+
+
+
+
+
+
+
+
+
\\server\Office2016
+
is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.
+
+
+
Setup.exe
+
is the Office Deployment Tool.
+
+
+
/packager
+
creates the Office 2016 App-V package with Volume Licensing as specified in the customConfig.xml file.
+
+
+
\\server\Office2016\Customconfig.xml
+
passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.
+
+
+
\\server\share\Office 2016AppV
+
specifies the location of the newly created Office App-V package.
+
+
+
+
+
+
+ After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved:
+
+ - **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files.
+
+ - **WorkingDir**
+
+ **Note**
+ To troubleshoot any issues, see the log files in the %temp% directory (default).
+
+
+
+3. Verify that the Office 2016 App-V package works correctly:
+
+ 1. Publish the Office 2016 App-V package, which you created globally, to a test computer, and verify that the Office 2016 shortcuts appear.
+
+ 2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected.
+
+## Publishing the Office package for App-V 5.0
+
+
+Use the following information to publish an Office package.
+
+### Methods for publishing Office App-V packages
+
+Deploy the App-V package for Office 2016 by using the same methods you use for any other package:
+
+- System Center Configuration Manager
+
+- App-V Server
+
+- Stand-alone through PowerShell commands
+
+### Publishing prerequisites and requirements
+
+
+
+
+
+
+
+
+
Prerequisite or requirement
+
Details
+
+
+
+
+
Enable PowerShell scripting on the App-V clients
+
To publish Office 2016 packages, you must run a script.
+
Package scripts are disabled by default on App-V clients. To enable scripting, run the following PowerShell command:
Extension points in the Office App-V package require installation at the computer level.
+
When you publish at the computer level, no prerequisite actions or redistributables are needed, and the Office 2016 package globally enables its applications to work like natively installed Office, eliminating the need for administrators to customize packages.
+
+
+
+
+
+
+### How to publish an Office package
+
+Run the following command to publish an Office package globally:
+
+- `Add-AppvClientPackage | Publish-AppvClientPackage –global`
+
+- From the Web Management Console on the App-V Server, you can add permissions to a group of computers instead of to a user group to enable packages to be published globally to the computers in the corresponding group.
+
+## Customizing and managing Office App-V packages
+
+
+To manage your Office App-V packages, use the same operations as you would for any other package, but there are a few exceptions, as outlined in the following sections.
+
+- [Enabling Office plug-ins by using connection groups](#bkmk-enable-office-plugins)
+
+- [Disabling Office 2016 applications](#bkmk-disable-office-apps)
+
+- [Disabling Office 2016 shortcuts](#bkmk-disable-shortcuts)
+
+- [Managing Office 2016 package upgrades](#bkmk-manage-office-pkg-upgrd)
+
+- [Managing Office 2016 licensing upgrades](#bkmk-manage-office-lic-upgrd)
+
+- [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project)
+
+### Enabling Office plug-ins by using connection groups
+
+Use the steps in this section to enable Office plug-ins with your Office package. To use Office plug-ins, you must use the App-V Sequencer to create a separate package that contains just the plug-ins. You cannot use the Office Deployment Tool to create the plug-ins package. You then create a connection group that contains the Office package and the plug-ins package, as described in the following steps.
+
+**To enable plug-ins for Office App-V packages**
+
+1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
+
+2. Sequence your plug-ins using the App-V 5.0 Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
+
+3. Create an App-V 5.0 package that includes the desired plug-ins.
+
+4. Add a Connection Group through App-V server, System Center Configuration Manager, or a PowerShell cmdlet.
+
+5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
+
+ **Important**
+ The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.
+
+
+
+6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2016 App-V package.
+
+7. Verify that the Deployment Configuration File of the plug-in package has the same settings that the Office 2016 App-V package has.
+
+ Since the Office 2016 App-V package is integrated with the operating system, the plug-in package settings should match. You can search the Deployment Configuration File for “COM Mode” and ensure that your plug-ins package has that value set as “Integrated” and that both "InProcessEnabled" and "OutOfProcessEnabled" match the settings of the Office 2016 App-V package you published.
+
+8. Open the Deployment Configuration File and set the value for **Objects Enabled** to **false**.
+
+9. If you made any changes to the Deployment Configuration file after sequencing, ensure that the plug-in package is published with the file.
+
+10. Ensure that the Connection Group you created is enabled onto your desired computer. The Connection Group created will likely “pend” if the Office 2016 App-V package is in use when the Connection Group is enabled. If that happens, you have to reboot to successfully enable the Connection Group.
+
+11. After you successfully publish both packages and enable the Connection Group, start the target Office 2016 application and verify that the plug-in you published and added to the connection group works as expected.
+
+### Disabling Office 2016 applications
+
+You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
+
+**Note**
+To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.
+
+
+**To disable an Office 2016 application**
+
+1. Open a Deployment Configuration File with a text editor such as **Notepad** and search for “Applications."
+
+2. Search for the Office application you want to disable, for example, Access 2016.
+
+3. Change the value of "Enabled" from "true" to "false."
+
+4. Save the Deployment Configuration File.
+
+5. Add the Office 2016 App-V Package with the new Deployment Configuration File.
+
+ ``` syntax
+
+
+ Lync 2016
+
+
+
+
+
+
+ Access 2016
+
+
+
+
+ ```
+
+6. Re-add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
+
+### Disabling Office 2016 shortcuts
+
+You may want to disable shortcuts for certain Office applications instead of unpublishing or removing the package. The following example shows how to disable shortcuts for Microsoft Access.
+
+**To disable shortcuts for Office 2016 applications**
+
+1. Open a Deployment Configuration File in Notepad and search for “Shortcuts”.
+
+2. To disable certain shortcuts, delete or comment out the specific shortcuts you don’t want. You must keep the subsystem present and enabled. For example, in the example below, delete the Microsoft Access shortcuts, while keeping the subsystems <shortcut> </shortcut> intact to disable the Microsoft Access shortcut.
+
+ ``` syntax
+ Shortcuts
+
+ -->
+
+
+
+
+ [{Common Programs}]\Microsoft Office 2016\Access 2016.lnk
+ [{AppvPackageRoot}])office16\MSACCESS.EXE
+ [{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico
+
+
+ Microsoft.Office.MSACCESS.EXE.15
+ true
+ Build a professional app quickly to manage data.
+ l
+ [{AppVPackageRoot}]\officel6\MSACCESS.EXE
+
+ ```
+
+3. Save the Deployment Configuration File.
+
+4. Republish Office 2016 App-V Package with new Deployment Configuration File.
+
+Many additional settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document.
+
+### Managing Office 2016 package upgrades
+
+To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a previously deployed Office 2016 package, perform the following steps.
+
+**How to upgrade a previously deployed Office 2016 package**
+
+1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
+
+ **Note**
+ Office App-V packages have two Version IDs:
+
+ - An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
+
+ - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
+
+
+
+2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
+
+3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
+
+### Managing Office 2016 licensing upgrades
+
+If a new Office 2016 App-V Package has a different license than the Office 2016 App-V Package currently deployed. For instance, the Office 2016 package deployed is a subscription based Office 2016 and the new Office 2016 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade:
+
+**How to upgrade an Office 2016 License**
+
+1. Unpublish the already deployed Office 2016 Subscription Licensing App-V package.
+
+2. Remove the unpublished Office 2016 Subscription Licensing App-V package.
+
+3. Restart the computer.
+
+4. Add the new Office 2016 App-V Package Volume Licensing.
+
+5. Publish the added Office 2016 App-V Package with Volume Licensing.
+
+An Office 2016 App-V Package with your chosen licensing will be successfully deployed.
+
+### Deploying Visio 2016 and Project 2016 with Office
+
+The following table describes the requirements and options for deploying Visio 2016 and Project 2016 with Office.
+
+
+
+
+
+
+
+
+
Task
+
Details
+
+
+
+
+
How do I package and publish Visio 2016 and Project 2016 with Office?
+
You must include Visio 2016 and Project 2016 in the same package with Office.
+
If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).
+
+
+
How can I deploy Visio 2016 and Project 2016 to specific users?
+
Use one of the following methods:
+
+
+
+
+
+
+
+
If you want to...
+
...then use this method
+
+
+
+
+
Create two different packages and deploy each one to a different group of users
+
Create and deploy the following packages:
+
+
A package that contains only Office - deploy to computers whose users need only Office.
+
A package that contains Office, Visio, and Project - deploy to computers whose users need all three applications.
+
+
+
+
If you want only one package for the whole organization, or if you have users who share computers:
+
Follows these steps:
+
+
Create a package that contains Office, Visio, and Project.
+
Deploy the package to all users.
+
Use [Microsoft AppLocker](http://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.
+
+
+
+
+
+
+
+
+
+
+
+## Additional resources
+
+
+**Office 2016 App-V 5.0 Packages 5.0 Additional Resources**
+
+[Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
+
+[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://go.microsoft.com/fwlink/p/?LinkId=330680)
+
+**Office 2013 and Office 2010 App-V Packages**
+
+[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md)
+
+[Deploying Microsoft Office 2011 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md)
+
+**Connection Groups**
+
+[Deploying Connection Groups in Microsoft App-V v5](https://go.microsoft.com/fwlink/p/?LinkId=330683)
+
+[Managing Connection Groups](managing-connection-groups.md)
+
+**Dynamic Configuration**
+
+[About App-V 5.0 Dynamic Configuration](about-app-v-50-dynamic-configuration.md)
+
+## Got a suggestion for App-V?
+
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
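Review bot: the publish command `Add-AppvClientPackage | Publish-AppvClientPackage –global` under "How to publish an Office package" will not run as written: Add-AppvClientPackage needs the package path as its argument, and `–global` is an en dash rather than the hyphen PowerShell requires for a parameter, so it should read along the lines of `Add-AppvClientPackage <path to the .appv file> | Publish-AppvClientPackage -Global`. In the same table, the "Enable PowerShell scripting on the App-V clients" row says "To enable scripting, run the following PowerShell command:" and then jumps straight to "Extension points in the Office App-V package require installation at the computer level." with no command in between; the cmdlet this page means is presumably `Set-AppvClientConfiguration -EnablePackageScripts 1` and should be restored. The three ``` syntax blocks (the sample configuration.xml, the DeploymentConfig.xml Applications snippet that now shows only "Lync 2016" / "Access 2016", and the Shortcuts snippet) have lost their XML markup, and the Shortcuts snippet is also mis-transcribed: "[{AppvPackageRoot}])office16\MSACCESS.EXE" should be "[{AppVPackageRoot}]\office16\MSACCESS.EXE" to match the later line, "officel6" (lowercase L) should be "office16", "accicons.exe.Ø.ico" should end in "0.ico", and "{90150000-000F-0000-0000-000000FF1CE)" closes a brace with a parenthesis. The note "remove the "" from the end of the line" has lost the comment marker it refers to. Wording: "you must the Office Deployment Tool to create a package" is missing "use"; "Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet" appears as both step 1 and step 4 of the plug-ins procedure; "leave all other Office application main available" and "the following folders appear up in the directory" are garbled; "If a new Office 2016 App-V Package has a different license than the Office 2016 App-V Package currently deployed." is a sentence fragment. The supported-OS statements disagree: "will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10" versus "Windows 7, Windows 8 or 8.1, and Windows 10" a few paragraphs later; the download location is "\\\\server\\Office 2016" in one place and "\\\\Server\\Office2016" / "\\server\Office2016" everywhere else. In Additional resources, "Office 2016 App-V 5.0 Packages 5.0 Additional Resources" repeats "5.0", and the link text "Deploying Microsoft Office 2011 by Using App-V" points at deploying-microsoft-office-2010-by-using-app-v.md, so the text should say 2010.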
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
new file mode 100644
index 0000000000..efb700aace
--- /dev/null
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
@@ -0,0 +1,884 @@
+---
+title: Deploying Microsoft Office 2016 by Using App-V
+description: Deploying Microsoft Office 2016 by Using App-V
+author: jamiejdt
+ms.assetid: e0f4876-da99-4b89-977e-2fb6e89ea3d3
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Deploying Microsoft Office 2016 by Using App-V
+
+
+Use the information in this article to use Microsoft Application Virtualization (App-V) 5.1, or later versions, to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2013, see [Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v51.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v51.md).
+
+This topic contains the following sections:
+
+- [What to know before you start](#bkmk-before-you-start)
+
+- [Creating an Office 2016 package for App-V with the Office Deployment Tool](#bkmk-create-office-pkg)
+
+- [Publishing the Office package for App-V 5.1](#bkmk-pub-pkg-office)
+
+- [Customizing and managing Office App-V packages](#bkmk-custmz-manage-office-pkgs)
+
+## What to know before you start
+
+
+Before you deploy Office 2016 by using App-V, review the following planning information.
+
+### Supported Office versions and Office coexistence
+
+Use the following table to get information about supported versions of Office and about running coexisting versions of Office.
+
+
+
+
+
+
+
+
+
Information to review
+
Description
+
+
+
+
+
[Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-office-vers-supp-appv)
+
+
Supported versions of Office
+
Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)
+
Office licensing options
+
+
+
+
[Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-plan-coexisting)
+
Considerations for installing different versions of Office on the same computer
+
+
+
+
+
+### Packaging, publishing, and deployment requirements
+
+Before you deploy Office by using App-V, review the following requirements.
+
+
+
+
+
+
+
+
+
Task
+
Requirement
+
+
+
+
+
Packaging
+
+
All of the Office applications that you want to deploy to users must be in a single package.
+
In App-V 5.1 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.
+
If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project).
+
+
+
+
Publishing
+
+
You can publish only one Office package to each client computer.
+
You must publish the Office package globally. You cannot publish to the user.
+
+
+
+
Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:
+
+
Office 365 ProPlus
+
Visio Pro for Office 365
+
Project Pro for Office 365
+
+
You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).
+
You don’t use shared computer activation if you’re deploying a volume licensed product, such as:
+
+
Office Professional Plus 2016
+
Visio Professional 2016
+
Project Professional 2016
+
+
+
+
+
+
+
+### Excluding Office applications from a package
+
+The following table describes the recommended methods for excluding specific Office applications from a package.
+
+
+
+
+
+
+
+
+
Task
+
Details
+
+
+
+
+
Use the ExcludeApp setting when you create the package by using the Office Deployment Tool.
+
+
Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.
+
For more information, see [ExcludeApp element](http://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).
+
+
+
+
Modify the DeploymentConfig.xml file
+
+
Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.
+
For more information, see [Disabling Office 2016 applications](#bkmk-disable-office-apps).
+
+
+
+
+
+
+
+## Creating an Office 2016 package for App-V with the Office Deployment Tool
+
+
+Complete the following steps to create an Office 2016 package for App-V 5.1 or later.
+
+**Important**
+In App-V 5.1 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
+
+
+
+### Review prerequisites for using the Office Deployment Tool
+
+The computer on which you are installing the Office Deployment Tool must have:
+
+
+
+
+
+
+
+
+
Prerequisite
+
Description
+
+
+
+
+
Prerequisite software
+
.Net Framework 4
+
+
+
Supported operating systems
+
+
64-bit version of Windows 10
+
64-bit version of Windows 8 or later
+
64-bit version of Windows 7
+
+
+
+
+
+
+
+**Note**
+In this topic, the term “Office 2016 App-V package” refers to subscription licensing and volume licensing.
+
+
+
+### Create Office 2013 App-V Packages Using Office Deployment Tool
+
+You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Volume Licensing or Subscription Licensing.
+
+Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers.
+
+### Download the Office Deployment Tool
+
+Office 2016 App-V Packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation:
+
+1. Download the [Office 2-16 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117).
+
+ > [!NOTE]
+ > You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages.
+
+2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
+
+ Example: \\\\Server\\Office2016
+
+3. Check that a setup.exe and a configuration.xml file exist and are in the location you specified.
+
+### Download Office 2016 applications
+
+After you download the Office Deployment Tool, you can use it to get the latest Office 2016 applications. After getting the Office applications, you create the Office 2016 App-V package.
+
+The XML file that is included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included.
+
+1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications:
+
+ 1. Open the sample XML file in Notepad or your favorite text editor.
+
+ 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file:
+
+ ``` syntax
+
+
+
+
+
+
+
+
+
+
+ ```
+
+ **Note**
+ The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line.
+
+
+
+ The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
+
+
+
+
+
+
+
+
+
+
Input
+
Description
+
Example
+
+
+
+
+
Add element
+
Specifies the products and languages to include in the package.
+
N/A
+
+
+
OfficeClientEdition (attribute of Add element)
+
Specifies the edition of Office 2016 product to use: 32-bit or 64-bit. The operation fails if OfficeClientEdition is not set to a valid value.
+
OfficeClientEdition="32"
+
OfficeClientEdition="64"
+
+
+
Product element
+
Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.
+
Product ID ="O365ProPlusRetail"
+
Product ID ="VisioProRetail"
+
Product ID ="ProjectProRetail"
+
Product ID ="ProPlusVolume"
+
Product ID ="VisioProVolume"
+
Product ID = "ProjectProVolume"
+
+
+
Language element
+
Specifies the language supported in the applications
+
Language ID="en-us"
+
+
+
Version (attribute of Add element)
+
Optional. Specifies a build to use for the package
+
Defaults to latest advertised build (as defined in v32.CAB at the Office source).
+
16.1.2.3
+
+
+
SourcePath (attribute of Add element)
+
Specifies the location in which the applications will be saved to.
+
Sourcepath = "\\Server\Office2016"
+
+
+
Branch (attribute of Add element)
+
Optional. Specifies the update branch for the product that you want to download or install.
For more information about update branches, see Overview of update branches for Office 365 ProPlus.
+
Branch = "Business"
+
+
+
+
+
+
+ After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
+
+2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with description of details:
+
+ ``` syntax
+ \\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml
+ ```
+
+ In the example:
+
+
+
+
+
+
+
+
+
\\server\Office2016
+
is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.
+
+
+
Setup.exe
+
is the Office Deployment Tool.
+
+
+
/download
+
downloads the Office 2016 applications that you specify in the customConfig.xml file. These bits can be later converted in an Office 2016 App-V package with Volume Licensing.
+
+
+
\\server\Office2016\Customconfig.xml
+
passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \\Server\Office2016.
+
+
+
+
+
+
+### Convert the Office applications into an App-V package
+
+After you download the Office 2016 applications through the Office Deployment Tool, use the Office Deployment Tool to convert them into an Office 2016 App-V package. Complete the steps that correspond to your licensing model.
+
+**Summary of what you’ll need to do:**
+
+- Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers.
+
+- Create an Office App-V package for either Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
+
+ The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make.
+
+
+
+
+
+
+
+
+
+
Product ID
+
Volume Licensing
+
Subscription Licensing
+
+
+
+
+
Office 2016
+
ProPlusVolume
+
O365ProPlusRetail
+
+
+
Office 2016 with Visio 2016
+
ProPlusVolume
+
VisioProVolume
+
O365ProPlusRetail
+
VisioProRetail
+
+
+
Office 2016 with Visio 2016 and Project 2016
+
ProPlusVolume
+
VisioProVolume
+
ProjectProVolume
+
O365ProPlusRetail
+
VisioProRetail
+
ProjectProRetail
+
+
+
+
+
+
+**How to convert the Office applications into an App-V package**
+
+1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file:
+
+
+
+
+
+
+
+
+
Parameter
+
What to change the value to
+
+
+
+
+
SourcePath
+
Point to the Office applications downloaded earlier.
+
+
+
ProductID
+
Specify the type of licensing, as shown in the following examples:
In this example, the following changes were made to create a package with Volume licensing:
+
+
+
+
+
+
+
+
SourcePath
+
is the path, which was changed to point to the Office applications that were downloaded earlier.
+
+
+
Product ID
+
for Office was changed to ProPlusVolume.
+
+
+
Product ID
+
for Visio was changed to VisioProVolume.
+
+
+
+
+
+
+
+
+
ExcludeApp (optional)
+
Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access.
+
+
+
PACKAGEGUID (optional)
+
By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.
+
An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.
+
+ Note
+
Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
+
+
+
+
+
+
+
+
+
+
+2. Use the /packager command to convert the Office applications to an Office 2016 App-V package.
+
+ For example:
+
+ ``` syntax
+ \\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml \\server\share\Office2016AppV
+ ```
+
+ In the example:
+
+
+
+
+
+
+
+
+
\\server\Office2016
+
is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.
+
+
+
Setup.exe
+
is the Office Deployment Tool.
+
+
+
/packager
+
creates the Office 2016 App-V package with Volume Licensing as specified in the customConfig.xml file.
+
+
+
\\server\Office2016\Customconfig.xml
+
passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.
+
+
+
\\server\share\Office 2016AppV
+
specifies the location of the newly created Office App-V package.
+
+
+
+
+ After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved:
+
+ - **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files.
+
+ - **WorkingDir**
+
+ **Note**
+ To troubleshoot any issues, see the log files in the %temp% directory (default).
+
+
+
+3. Verify that the Office 2016 App-V package works correctly:
+
+ 1. Publish the Office 2016 App-V package, which you created globally, to a test computer, and verify that the Office 2016 shortcuts appear.
+
+ 2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected.
+
+## Publishing the Office package for App-V 5.1
+
+
+Use the following information to publish an Office package.
+
+### Methods for publishing Office App-V packages
+
+Deploy the App-V package for Office 2016 by using the same methods you use for any other package:
+
+- System Center Configuration Manager
+
+- App-V Server
+
+- Stand-alone through PowerShell commands
+
+### Publishing prerequisites and requirements
+
+
+
+
+
+
+
+
+
Prerequisite or requirement
+
Details
+
+
+
+
+
Enable PowerShell scripting on the App-V clients
+
To publish Office 2016 packages, you must run a script.
+
Package scripts are disabled by default on App-V clients. To enable scripting, run the following PowerShell command:
Extension points in the Office App-V package require installation at the computer level.
+
When you publish at the computer level, no prerequisite actions or redistributables are needed, and the Office 2016 package globally enables its applications to work like natively installed Office, eliminating the need for administrators to customize packages.
+
+
+
+
+
+
+### How to publish an Office package
+
+Run the following command to publish an Office package globally:
+
+- `Add-AppvClientPackage | Publish-AppvClientPackage –global`
+
+- From the Web Management Console on the App-V Server, you can add permissions to a group of computers instead of to a user group to enable packages to be published globally to the computers in the corresponding group.
+
+## Customizing and managing Office App-V packages
+
+
+To manage your Office App-V packages, use the same operations as you would for any other package, but there are a few exceptions, as outlined in the following sections.
+
+- [Enabling Office plug-ins by using connection groups](#bkmk-enable-office-plugins)
+
+- [Disabling Office 2016 applications](#bkmk-disable-office-apps)
+
+- [Disabling Office 2016 shortcuts](#bkmk-disable-shortcuts)
+
+- [Managing Office 2016 package upgrades](#bkmk-manage-office-pkg-upgrd)
+
+- [Managing Office 2016 licensing upgrades](#bkmk-manage-office-lic-upgrd)
+
+- [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project)
+
+### Enabling Office plug-ins by using connection groups
+
+Use the steps in this section to enable Office plug-ins with your Office package. To use Office plug-ins, you must use the App-V Sequencer to create a separate package that contains just the plug-ins. You cannot use the Office Deployment Tool to create the plug-ins package. You then create a connection group that contains the Office package and the plug-ins package, as described in the following steps.
+
+**To enable plug-ins for Office App-V packages**
+
+1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
+
+2. Sequence your plug-ins using the App-V 5.1 Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
+
+3. Create an App-V 5.1 package that includes the desired plug-ins.
+
+4. Add a Connection Group through App-V server, System Center Configuration Manager, or a PowerShell cmdlet.
+
+5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
+
+ **Important**
+ The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.
+
+
+
+6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2016 App-V package.
+
+7. Verify that the Deployment Configuration File of the plug-in package has the same settings that the Office 2016 App-V package has.
+
+ Since the Office 2016 App-V package is integrated with the operating system, the plug-in package settings should match. You can search the Deployment Configuration File for “COM Mode” and ensure that your plug-ins package has that value set as “Integrated” and that both "InProcessEnabled" and "OutOfProcessEnabled" match the settings of the Office 2016 App-V package you published.
+
+8. Open the Deployment Configuration File and set the value for **Objects Enabled** to **false**.
+
+9. If you made any changes to the Deployment Configuration file after sequencing, ensure that the plug-in package is published with the file.
+
+10. Ensure that the Connection Group you created is enabled onto your desired computer. The Connection Group created will likely “pend” if the Office 2016 App-V package is in use when the Connection Group is enabled. If that happens, you have to reboot to successfully enable the Connection Group.
+
+11. After you successfully publish both packages and enable the Connection Group, start the target Office 2016 application and verify that the plug-in you published and added to the connection group works as expected.
+
+### Disabling Office 2016 applications
+
+You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
+
+**Note**
+To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.
+
+
+
+**To disable an Office 2016 application**
+
+1. Open a Deployment Configuration File with a text editor such as **Notepad** and search for “Applications."
+
+2. Search for the Office application you want to disable, for example, Access 2016.
+
+3. Change the value of "Enabled" from "true" to "false."
+
+4. Save the Deployment Configuration File.
+
+5. Add the Office 2016 App-V Package with the new Deployment Configuration File.
+
+ ``` syntax
+
+
+ Lync 2016
+
+
+
+
+
+
+ Access 2016
+
+
+
+
+ ```
+
+6. Re-add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
+
+### Disabling Office 2016 shortcuts
+
+You may want to disable shortcuts for certain Office applications instead of unpublishing or removing the package. The following example shows how to disable shortcuts for Microsoft Access.
+
+**To disable shortcuts for Office 2016 applications**
+
+1. Open a Deployment Configuration File in Notepad and search for “Shortcuts”.
+
+2. To disable certain shortcuts, delete or comment out the specific shortcuts you don’t want. You must keep the subsystem present and enabled. For example, in the example below, delete the Microsoft Access shortcuts, while keeping the subsystems <shortcut> </shortcut> intact to disable the Microsoft Access shortcut.
+
+ ``` syntax
+ Shortcuts
+
+ -->
+
+
+
+
+ [{Common Programs}]\Microsoft Office 2016\Access 2016.lnk
+ [{AppvPackageRoot}])office15\MSACCESS.EXE
+ [{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico
+
+
+ Microsoft.Office.MSACCESS.EXE.16
+ true
+ Build a professional app quickly to manage data.
+ l
+ [{AppVPackageRoot}]\officel6\MSACCESS.EXE
+
+ ```
+
+3. Save the Deployment Configuration File.
+
+4. Republish Office 2016 App-V Package with new Deployment Configuration File.
+
+Many additional settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document.
+
+### Managing Office 2016 package upgrades
+
+To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a previously deployed Office 2016 package, perform the following steps.
+
+**How to upgrade a previously deployed Office 2016 package**
+
+1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
+
+ **Note**
+ Office App-V packages have two Version IDs:
+
+ - An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
+
+ - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
+
+
+
+2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
+
+3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
+
+### Managing Office 2016 licensing upgrades
+
+If a new Office 2016 App-V Package has a different license than the Office 2016 App-V Package currently deployed. For instance, the Office 2013 package deployed is a subscription based Office 2016 and the new Office 2016 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade:
+
+**How to upgrade an Office 2016 License**
+
+1. Unpublish the already deployed Office 2016 Subscription Licensing App-V package.
+
+2. Remove the unpublished Office 2016 Subscription Licensing App-V package.
+
+3. Restart the computer.
+
+4. Add the new Office 2016 App-V Package Volume Licensing.
+
+5. Publish the added Office 2016 App-V Package with Volume Licensing.
+
+An Office 2016 App-V Package with your chosen licensing will be successfully deployed.
+
+### Deploying Visio 2016 and Project 2016 with Office
+
+The following table describes the requirements and options for deploying Visio 2016 and Project 2016 with Office.
+
+
+
+
+
+
+
+
+
Task
+
Details
+
+
+
+
+
How do I package and publish Visio 2016 and Project 2016 with Office?
+
You must include Visio 2016 and Project 2016 in the same package with Office.
+
If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic.
+
+
+
How can I deploy Visio 2016 and Project 2016 to specific users?
+
Use one of the following methods:
+
+
+
+
+
+
+
+
If you want to...
+
...then use this method
+
+
+
+
+
Create two different packages and deploy each one to a different group of users
+
Create and deploy the following packages:
+
+
A package that contains only Office - deploy to computers whose users need only Office.
+
A package that contains Office, Visio, and Project - deploy to computers whose users need all three applications.
+
+
+
+
If you want only one package for the whole organization, or if you have users who share computers:
+
Follows these steps:
+
+
Create a package that contains Office, Visio, and Project.
+
Deploy the package to all users.
+
Use [Microsoft AppLocker](http://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.
+
+
+
+
+
+
+
+
+
+
+
+## Additional resources
+
+
+**Office 2016 App-V Packages Additional Resources**
+
+[Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
+
+[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://go.microsoft.com/fwlink/p/?LinkId=330680)
+
+**Office 2013 and Office 2010 App-V Packages**
+
+[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v51.md)
+
+[Deploying Microsoft Office 2011 by Using App-V](deploying-microsoft-office-2010-by-using-app-v51.md)
+
+**Connection Groups**
+
+[Deploying Connection Groups in Microsoft App-V v5](https://go.microsoft.com/fwlink/p/?LinkId=330683)
+
+[Managing Connection Groups](managing-connection-groups51.md)
+
+**Dynamic Configuration**
+
+[About App-V 5.1 Dynamic Configuration](about-app-v-51-dynamic-configuration.md)
+
+## Got a suggestion for App-V?
+
+
+Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
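Review bot: the "Enable PowerShell scripting on the App-V clients" row of the publishing prerequisites table ends with "To enable scripting, run the following PowerShell command:" and then no command, so the topic tells admins that scripting must be on but never says how to turn it on; the row below it has also lost its left-hand cell, since "Extension points in the Office App-V package require installation at the computer level." follows that sentence directly. Add the missing cmdlet invocation (the client-side switch is Set-AppvClientConfiguration with -EnablePackageScripts) and, because that setting lets scripts from any package run on the client, say so next to it so the change is scoped to the clients that publish Office. Other gaps in the same added file: both `syntax` blocks (the sample configuration.xml after "basic example of the configuration.xml file", and the Applications listing with "Lync 2016" and "Access 2016" under "Disabling Office 2016 applications") are empty apart from stray text, so the XML they are meant to show is missing, and the note "remove the "" from the end of the line" has lost the comment delimiter it refers to; the shortcuts listing carries OCR-style defects ("office15" and "officel6" for the same path, "AppvPackageRoot}])", "accicons.exe.Ø.ico"); the publish command `Add-AppvClientPackage | Publish-AppvClientPackage –global` has no package path argument and uses an en-dash rather than "-" before global; the /packager example writes to `\\server\share\Office2016AppV` while its description says `\\server\share\Office 2016AppV`; "you must the Office Deployment Tool" is missing its verb; and several Office 2013 leftovers remain ("Create Office 2013 App-V Packages Using Office Deployment Tool" heading, "add the Office 2013 App-V package" under Disabling, "the Office 2013 package deployed is a subscription based Office 2016", "Office 2-16 Deployment Tool", and the "Deploying Microsoft Office 2011 by Using App-V" link that points at the 2010 topic).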
diff --git a/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages.md b/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages.md
index 446346aa98..5794aa6c8a 100644
--- a/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -11,8 +11,6 @@ ms.prod: w10
# How to Create a Connection Group with User-Published and Globally Published Packages
-
-
You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods:
- [How to use PowerShell cmdlets to create the user-entitled connection groups](#bkmk-posh-userentitled-cg)
@@ -46,8 +44,7 @@ You can create user-entitled connection groups that contain both user-published
-
-**How to use PowerShell cmdlets to create user-entitled connection groups**
+**How to use PowerShell cmdlets to create user-entitled connection groups**
1. Add and publish packages by using the following commands:
@@ -67,7 +64,7 @@ You can create user-entitled connection groups that contain both user-published
**Enable-AppvClientConnectionGroup -GroupId CG\_Group\_ID -VersionId CG\_Version\_ID**
-**How to use the App-V Server to create user-entitled connection groups**
+**How to use the App-V Server to create user-entitled connection groups**
1. Open the App-V 5.0 Management Console.
diff --git a/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages51.md b/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages51.md
index e69999a07a..8f5736d581 100644
--- a/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages51.md
+++ b/mdop/appv-v5/how-to-create-a-connection-group-with-user-published-and-globally-published-packages51.md
@@ -45,9 +45,7 @@ You can create user-entitled connection groups that contain both user-published
-
-
-**How to use PowerShell cmdlets to create user-entitled connection groups**
+**How to use PowerShell cmdlets to create user-entitled connection groups**
1. Add and publish packages by using the following commands:
@@ -67,7 +65,7 @@ You can create user-entitled connection groups that contain both user-published
**Enable-AppvClientConnectionGroup -GroupId CG\_Group\_ID -VersionId CG\_Version\_ID**
-**How to use the App-V Server to create user-entitled connection groups**
+**How to use the App-V Server to create user-entitled connection groups**
1. Open the App-V 5.1 Management Console.
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md b/mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md
index 37f02d475b..e80df8bb75 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md
@@ -15,7 +15,7 @@ ms.prod: w10
Use the following procedure to install the Microsoft Application Virtualization (App-V) 5.1 client and Remote Desktop Services client. You must install the version of the client that matches the operating system of the target computer.
-**What to do before you start**
+**What to do before you start**
1. Review and install the software prerequisites:
@@ -143,8 +143,6 @@ Use the following procedure to install the Microsoft Application Virtualization
**Note**
The client Windows Installer (.msi) supports the same set of switches, except for the **/LOG** parameter.
-
-
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md b/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md
index 5210d0f706..a3e6644896 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md
@@ -15,7 +15,7 @@ ms.prod: w10
Use the following procedure to install the Microsoft Application Virtualization (App-V) 5.0 client and Remote Desktop Services client. You must install the version of the client that matches the operating system of the target computer.
-**What to do before you start**
+**What to do before you start**
1. Review and install the software prerequisites:
diff --git a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md
index 766726e8e7..93a93b1da0 100644
--- a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md
+++ b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md
@@ -88,12 +88,12 @@ Review the following requirements for using the App-V PowerShell cmdlets:
Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.
[How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md#bkmk-admin-only-posh-topic-cg)
-
[How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md#bkmk-admins-pub-pkgs)
+
[How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md)
Enable the “Require publish as administrator” Group Policy setting for App-V Clients.
-
[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md#bkmk-admin-pub-pkg-only-posh)
+
[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md)
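Review bot: moving the blank lines in this hunk still leaves "How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell" listed twice (once with the #bkmk-admins-pub-pkgs anchor, once without) and likewise "How to Publish a Package by Using the Management Console" with and without #bkmk-admin-pub-pkg-only-posh; if the two entries are meant to be distinct, label the anchored one as the specific section (for example "(publish as administrator section)"), otherwise drop the anchorless duplicate.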
@@ -105,8 +105,6 @@ Review the following requirements for using the App-V PowerShell cmdlets:
## Loading the PowerShell cmdlets
-
-
To load the PowerShell cmdlet modules:
1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
@@ -143,8 +141,6 @@ To load the PowerShell cmdlet modules:
## Getting help for the PowerShell cmdlets
-
-
Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
@@ -204,15 +200,13 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
## Displaying the help for a PowerShell cmdlet
-
-
To display help for a specific PowerShell cmdlet:
1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
2. Type **Get-Help** <*cmdlet*>, for example, **Get-Help Publish-AppvClientPackage**.
-**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue**? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
diff --git a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md
index f3bec5b881..239b07e16e 100644
--- a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md
+++ b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md
@@ -88,12 +88,12 @@ Review the following requirements for using the App-V PowerShell cmdlets:
Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.
[How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md#bkmk-admin-only-posh-topic-cg)
-
[How to Manage App-V 5.1 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md#bkmk-admins-pub-pkgs)
+
[How to Manage App-V 5.1 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md)
Enable the “Require publish as administrator” Group Policy setting for App-V Clients.
-
[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-51.md#bkmk-admin-pub-pkg-only-posh)
+
[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-51.md)
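Review bot: same issue as in the 5.0 SP3 topic: after the blank-line change, "How to Manage App-V 5.1 Packages Running on a Stand-Alone Computer by Using PowerShell" and "How to Publish a Package by Using the Management Console" each appear twice, once with a section anchor and once without, with nothing telling the reader which to follow; either label the anchored entry as the specific section or remove the duplicate.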
@@ -106,7 +106,6 @@ Review the following requirements for using the App-V PowerShell cmdlets:
## Loading the PowerShell cmdlets
-
To load the PowerShell cmdlet modules:
1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
@@ -140,11 +139,7 @@ To load the PowerShell cmdlet modules:
-
-
## Getting help for the PowerShell cmdlets
-
-
Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
@@ -201,11 +196,7 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
-
-
## Displaying the help for a PowerShell cmdlet
-
-
To display help for a specific PowerShell cmdlet:
1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
diff --git a/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md b/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md
index cc477758ac..780141e3d7 100644
--- a/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md
+++ b/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md
@@ -27,7 +27,7 @@ This topic explains the following procedures:
- [To allow only administrators to enable connection groups](#bkmk-admin-only-posh-topic-cg)
-**To add and publish the App-V packages in the connection group**
+**To add and publish the App-V packages in the connection group**
1. To add and publish the App-V 5.0 packages to the computer running the App-V client, type the following command:
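Review bot: the removed and added lines `**To add and publish the App-V packages in the connection group**` are identical as displayed, so the change is invisible (most likely trailing whitespace or a non-breaking space), and the same pattern repeats in the other hunks of this file. A one-line commit message noting that these are whitespace-only normalizations would save reviewers from hunting for a content change.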
@@ -35,7 +35,7 @@ This topic explains the following procedures:
2. Repeat **step 1** of this procedure for each package in the connection group.
-**To add and enable the connection group on the App-V client**
+**To add and enable the connection group on the App-V client**
1. Add the connection group by typing the following command:
@@ -47,7 +47,7 @@ This topic explains the following procedures:
When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group.
-**To enable or disable a connection group for a specific user**
+**To enable or disable a connection group for a specific user**
1. Review the parameter description and requirements:
@@ -88,9 +88,7 @@ This topic explains the following procedures:
-
-
-**To allow only administrators to enable connection groups**
+**To allow only administrators to enable connection groups**
1. Review the description and requirement for using this cmdlet:
@@ -126,8 +124,6 @@ This topic explains the following procedures:
-
-
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
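Review bot: the unchanged context line `**Got an App-V issu**e?` closes the bold one character early, so it renders as "Got an App-V issu" in bold followed by a plain "e?". Since this hunk already touches the lines around it, moving the closing `**` past the word (`**Got an App-V issue?**`) is a cheap fix to fold in.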
diff --git a/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md b/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md
index 695e3e6d58..8c0e37ebc8 100644
--- a/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md
+++ b/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md
@@ -27,7 +27,7 @@ This topic explains the following procedures:
- [To allow only administrators to enable connection groups](#bkmk-admin-only-posh-topic-cg)
-**To add and publish the App-V packages in the connection group**
+*To add and publish the App-V packages in the connection group**
1. To add and publish the App-V 5.1 packages to the computer running the App-V client, type the following command:
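Review bot: the added line `*To add and publish the App-V packages in the connection group**` has lost one of its leading asterisks, so the opening `*` no longer pairs with the closing `**`; Markdown will render this as italics with a stray asterisk (or as literal asterisks) instead of the bold procedure heading used everywhere else in the topic. Restore `**To add and publish the App-V packages in the connection group**`, matching the corresponding hunk in the non-5.1 connection-groups topic earlier in this patch.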
@@ -35,7 +35,7 @@ This topic explains the following procedures:
2. Repeat **step 1** of this procedure for each package in the connection group.
-**To add and enable the connection group on the App-V client**
+**To add and enable the connection group on the App-V client**
1. Add the connection group by typing the following command:
@@ -47,7 +47,7 @@ This topic explains the following procedures:
When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group.
-**To enable or disable a connection group for a specific user**
+**To enable or disable a connection group for a specific user**
1. Review the parameter description and requirements:
@@ -88,9 +88,7 @@ This topic explains the following procedures:
-
-
-**To allow only administrators to enable connection groups**
+**To allow only administrators to enable connection groups**
1. Review the description and requirement for using this cmdlet:
diff --git a/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-51.md b/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-51.md
index deb1811f39..0d98c22478 100644
--- a/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-51.md
+++ b/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-51.md
@@ -31,7 +31,7 @@ This topic explains how to:
- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured.
-**Update an application in an existing virtual application package**
+**Update an application in an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -46,8 +46,6 @@ This topic explains how to:
**Important**
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package.
-
-
6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**.
@@ -55,16 +53,12 @@ This topic explains how to:
**Note**
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**.
9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**.
**Note**
- You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
-
-
+ You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**.
@@ -72,7 +66,7 @@ This topic explains how to:
11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer.
-**Modify the properties associated with an existing virtual application package**
+**Modify the properties associated with an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -111,11 +105,9 @@ This topic explains how to:
**Note**
To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
-
-
6. When you finish changing the package properties, click **File** > **Save** to save the package.
-**Add a new application to an existing virtual application package**
+**Add a new application to an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -130,8 +122,6 @@ This topic explains how to:
**Important**
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
-
-
6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you don’t overwrite the existing version of the virtual application package.
@@ -139,8 +129,6 @@ This topic explains how to:
**Note**
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
8. On the **Configure Software** page, optionally run the programs contained in the package. This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**.
9. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information, and then click **Next** to open the **Customize** page.
@@ -154,8 +142,6 @@ This topic explains how to:
**Note**
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
-
-
12. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**.
To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful for providing application versions and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. The uncompressed package size is displayed. Click **Create**.
@@ -166,7 +152,6 @@ This topic explains how to:
## Related topics
-
[Operations for App-V 5.1](operations-for-app-v-51.md)
diff --git a/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-beta.md b/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-beta.md
index bb5bf4b894..a1e697e16a 100644
--- a/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-beta.md
+++ b/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-beta.md
@@ -31,7 +31,7 @@ This topic explains how to:
- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured.
-**Update an application in an existing virtual application package**
+**Update an application in an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -46,8 +46,6 @@ This topic explains how to:
**Important**
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package.
-
-
6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**.
@@ -55,8 +53,6 @@ This topic explains how to:
**Note**
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**.
9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**.
@@ -64,15 +60,13 @@ This topic explains how to:
**Note**
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
-
-
10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**.
To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful to identify the application version and provide other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. Click **Create**.
11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer.
-**Modify the properties associated with an existing virtual application package**
+**Modify the properties associated with an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -101,11 +95,9 @@ This topic explains how to:
**Note**
To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
-
-
6. When you finish changing the package properties, click **File** > **Save** to save the package.
-**Add a new application to an existing virtual application package**
+**Add a new application to an existing virtual application package**
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -120,8 +112,6 @@ This topic explains how to:
**Important**
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
-
-
6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you don’t overwrite the existing version of the virtual application package.
@@ -129,8 +119,6 @@ This topic explains how to:
**Note**
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
8. On the **Configure Software** page, optionally run the programs contained in the package. This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**.
9. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information, and then click **Next** to open the **Customize** page.
@@ -144,8 +132,6 @@ This topic explains how to:
**Note**
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
-
-
12. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**.
To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful for providing application versions and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. The uncompressed package size is displayed. Click **Create**.
@@ -156,7 +142,6 @@ This topic explains how to:
## Related topics
-
[Operations for App-V 5.0](operations-for-app-v-50.md)
diff --git a/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md b/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md
index 7d9df908fd..13ae4fd9fb 100644
--- a/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md
+++ b/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md
@@ -30,7 +30,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
-**To open the Administration and Monitoring Website**
+**To open the Administration and Monitoring Website**
1. Open a web browser and navigate to the Administration and Monitoring Website. The default URL for the Administration and Monitoring Website is:
@@ -47,7 +47,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
-**To generate an Enterprise Compliance Report**
+**To generate an Enterprise Compliance Report**
1. From the Administration and Monitoring Website, select the **Reports** node from the left navigation pane, select **Enterprise Compliance Report**, and select the filters that you want to use. The available filters for the Enterprise Compliance Report are:
@@ -61,7 +61,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
4. Select the plus sign (+) next to the computer name to view information about the volumes on the computer.
-**To generate a Computer Compliance Report**
+**To generate a Computer Compliance Report**
1. From the Administration and Monitoring Website, select the **Report** node from the left navigation pane, and then select **Computer Compliance Report**. Use the Computer Compliance Report to search for **User name** or **Computer name**.
@@ -74,9 +74,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
**Note**
An MBAM client computer is considered compliant if the computer matches or exceeds the requirements of the MBAM Group Policy settings.
-
-
-**To generate a Recovery Key Audit Report**
+**To generate a Recovery Key Audit Report**
1. From the Administration and Monitoring Website, select the **Report** node in the left navigation pane, and then select **Recovery Audit Report**. Select the filters for your Recovery Key Audit Report. The available filters for recovery key audits are as follows:
diff --git a/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md b/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md
index 609ec18b52..e1b330088f 100644
--- a/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md
+++ b/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md
@@ -11,19 +11,11 @@ ms.prod: w10
# How to Recover a Moved Drive
-
-
This topic explains how to use the Administration and Monitoring Website (also referred to as the Help Desk) to recover an operating system drive that was moved after being encrypted by Microsoft BitLocker Administration and Monitoring (MBAM). When a drive is moved, it no longer accepts the PIN that was used in the previous computer because the Trusted Platform Module (TPM) chip has changed. To recover the moved drive, you must obtain the recovery key ID to retrieve the recovery password.
To recover a moved drive, you must use the **Drive Recovery** area of the Administration and Monitoring Website. To access the **Drive Recovery** area, you must be assigned the MBAM Helpdesk Users role or the MBAM Advanced Helpdesk Users role. For more information about these roles, see [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md#bkmk-helpdesk-roles).
-**Note**
-You may have given these roles different names when you created them. For more information, see [Access accounts for the Administration and Monitoring Website (Help Desk)](#bkmk-helpdesk-roles).
-
-
-
**To recover a moved drive**
-
1. On the computer that contains the moved drive, start the computer in Windows Recovery Environment (WinRE) mode, or start the computer by using the Microsoft Diagnostic and Recovery Toolset (DaRT).
2. After the computer has been started with WinRE or DaRT, MBAM will treat the moved operating system drive as a fixed data drive. MBAM will then display the drive’s recovery password ID and ask for the recovery password.
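Review bot: this hunk deletes the note "You may have given these roles different names when you created them" instead of fixing its link, whose target `#bkmk-helpdesk-roles` is a bookmark on another page rather than on this one. The warning itself is useful to a help-desk operator who cannot find "MBAM Helpdesk Users" or "MBAM Advanced Helpdesk Users" in the directory; consider keeping the sentence and pointing the link at `planning-for-mbam-25-groups-and-accounts.md#bkmk-helpdesk-roles`, which the paragraph above already cites.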
diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md
index bae880c439..38cf7a85aa 100644
--- a/mdop/mbam-v25/mbam-25-supported-configurations.md
+++ b/mdop/mbam-v25/mbam-25-supported-configurations.md
@@ -283,16 +283,21 @@ MBAM supports the following versions of Configuration Manager.
-
Microsoft System Center 2012 R2 Configuration Manager
+
Microsoft System Center Configuration Manager (Current Branch), version 1606
64-bit
+
Microsoft System Center 2012 R2 Configuration Manager
+
+
64-bit
+
+
Microsoft System Center 2012 Configuration Manager
SP1
64-bit
-
+
Microsoft System Center Configuration Manager 2007 R2 or later
SP1 or later
64-bit
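Review bot: the new row "Microsoft System Center Configuration Manager (Current Branch), version 1606" is followed only by an architecture cell (`64-bit`), whereas the 2012 and 2007 R2 rows carry a service-pack cell (`SP1`, `SP1 or later`) between the product and architecture lines. Check that the added row has the same number of cells as the others (an empty or "N/A" service-pack cell if none applies), and confirm that the two unchanged "Microsoft System Center 2012 R2 Configuration Manager" lines in this hunk are a heading plus a row and not a duplicated row left behind by the insertion.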
diff --git a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
index 3fcb31c12e..7779461ff4 100644
--- a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
+++ b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
@@ -72,8 +72,7 @@ Before you install the MBAM Client software on end users' computers, ensure that
**Important**
-If BitLocker was used without MBAM, you must decrypt the drive and then clear TPM using tpm.msc. MBAM cannot take ownership of TPM if the client PC is already encrypted and the TPM owner password created.
-
+If BitLocker was used without MBAM, MBAM can be installed and utilize the existing TPM information.
## Got a suggestion for MBAM?
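Review bot: the replacement sentence inverts the previous guidance (decrypt the drive, then clear the TPM with tpm.msc, because MBAM cannot take ownership of an already-owned TPM) into "MBAM can be installed and utilize the existing TPM information" without saying which MBAM release or client configuration made this true, and the hunk cites no source. Because this decides whether an administrator must decrypt drives that are already BitLocker-protected, ask for the reference (release notes or a KB article) and state the condition in the text; also spell out what "existing TPM information" covers, in particular whether MBAM escrows the pre-existing TPM owner password and the recovery keys of volumes encrypted before the client was installed, since if it does not, those secrets never reach the MBAM database and the help desk cannot recover such machines. As written, the sentence asks the reader to do nothing, so it no longer warrants an "Important" callout.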
diff --git a/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md b/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md
index 41833fc753..a10a065f72 100644
--- a/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md
+++ b/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md
@@ -66,7 +66,7 @@ Windows PowerShell Help for MBAM cmdlets is available in the following formats:
At a Windows PowerShell command prompt, type Get-Help <cmdlet>
-
To upload the latest Windows PowerShell cmdlets, follow the instructions in [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md#bkmk-loadposhhelp)
+
To upload the latest Windows PowerShell cmdlets, follow the instructions in [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)
On TechNet as webpages
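Review bot: the rewritten line keeps the wording "To upload the latest Windows PowerShell cmdlets", which should read "To load" (or "To download"): nothing is uploaded here, and the anchor being dropped, `#bkmk-loadposhhelp`, itself names a section about loading help. While this line is being edited, fix the verb, and record in the commit message why the anchor was removed, since the same anchor-stripping appears in the App-V cmdlet-help topic earlier in this patch.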
diff --git a/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md b/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md
index c4a9a942e4..548d28f073 100644
--- a/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md
+++ b/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md
@@ -51,7 +51,7 @@ Follow these steps to configure your MED-V image for running first time setup:
After you have completed customization of your MED-V image, you are ready to seal the image by using Sysprep.
-**Sealing the MED-V Image by Using Sysprep**
+**Sealing the MED-V Image by Using Sysprep**
1. The System Preparation tool (Sysprep) is a technology that you can use to perform image-based installations throughout the network with minimal intervention by an administrator or IT-Professional.
diff --git a/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md b/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md
index 544141d6d3..51bf199255 100644
--- a/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md
+++ b/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md
@@ -29,7 +29,7 @@ You can add and remove URL redirection information by performing one of the foll
- [Edit the URL Redirection Text File and Rebuild the MED-V Workspace](#bkmk-edittext)
-**To update URL Redirection information by using Group Policy**
+**To update URL Redirection information by using Group Policy**
1. Edit the registry key multi-string value that is named `RedirectUrls`. This value is typically located at:
@@ -44,7 +44,7 @@ This method of editing URL redirection information is a MED-V best practice.
-**To rebuild the MED-V workspace by using an updated URL text file**
+**To rebuild the MED-V workspace by using an updated URL text file**
- Another method of adding and removing URLs from the redirection list is to update the URL redirection text file and then use it to build a new MED-V workspace. You can then redeploy the MED-V workspace as before, by using your standard process of deployment, such as an ESD system.
diff --git a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
index 171a89953e..202fcf0954 100644
--- a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
+++ b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md
@@ -47,21 +47,15 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
3. **MED-V Host Agent Installation File** – installs the Host Agent (MED-V\_HostAgent\_Setup installation file). For more information, see [How to Manually Install the MED-V Host Agent](how-to-manually-install-the-med-v-host-agent.md).
**Warning**
- Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution.
-
-
+ Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution.
4. **MED-V Workspace Installer, VHD, and Setup Executable** – created in the **MED-V Workspace Packager**. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md).
**Important**
The compressed virtual hard disk file (.medv) and the Setup executable program (setup.exe) must be in the same folder as the MED-V workspace installer. Then, install the MED-V workspace installer by running setup.exe.
-
-
**Tip**
- Because problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe.
-
-
+ Because problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe.
3. Configure the packages to run in silent mode (no user interaction is required).
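Review bot: the Tip sentence this hunk re-indents but leaves otherwise unchanged is ungrammatical ("Because problems that can occur when you install MED-V from a network location, we recommend..."). Since the line is already being touched, fix the wording at the same time: "Because problems can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe."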
@@ -70,15 +64,11 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
**Note**
Installation of Windows Virtual PC requires you to restart the computer. You can create a single installation process and install all the components at the same time if you suppress the restart and ignore the prerequisites necessary for MED-V to install. You can also do this by using command-line arguments. For an example of these arguments, see [To install the MED-V components by using a batch file](#bkmk-batch). MED-V automatically starts when the computer is restarted.
-
-
4. Install MED-V and its components before installing Windows Virtual PC. See the example batch file later in this topic.
**Important**
Select the **IGNORE\_PREREQUISITES** option as shown in the example batch file so that the MED-V components can be installed prior to the required VPC components. Install the MED-V components in this order to allow for the single restart.
-
-
5. Identify any other requirements necessary for the installation and for your software distribution system, such as target platforms and the free disk space.
6. Assign the packages to the target set of computers/users.
@@ -91,7 +81,7 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
First time setup starts and might take several minutes to finish, depending on the size of the virtual hard disk that you specified and the number of policies applied to the MED-V workspace on startup. The end user can track the progress by watching the MED-V icon in the notification area. For more information about first time setup, see [MED-V 2.0 Deployment Overview](med-v-20-deployment-overview.md).
-**To install the MED-V components by using a batch file**
+**To install the MED-V components by using a batch file**
1. Run the installation at a command prompt with administrative credentials.
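Review bot: the removed and added lines in this hunk render identically (**To install the MED-V components by using a batch file**), so the change must be trailing whitespace or a non-printing character. State that in the commit message; a reviewer otherwise cannot distinguish an intended fix from an editor re-save. The same invisible-change pattern recurs in several later hunks of this patch (the heading lines in how-to-test-application-publishing.md, how-to-test-url-redirection.md, the UE-V ConfigMgr topic and introduction-vamt.md).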
diff --git a/mdop/medv-v2/how-to-test-application-publishing.md b/mdop/medv-v2/how-to-test-application-publishing.md
index ad7c458632..7791f99e06 100644
--- a/mdop/medv-v2/how-to-test-application-publishing.md
+++ b/mdop/medv-v2/how-to-test-application-publishing.md
@@ -15,7 +15,7 @@ ms.prod: w7
After your test of first time setup finishes, you can verify that the application publishing functionality is working as expected by performing the following tasks.
-**To test application publishing**
+**To test application publishing**
1. Verify that the applications that you specified for publishing are visible.
@@ -34,8 +34,6 @@ After your test of first time setup finishes, you can verify that the applicatio
**Important**
Because Windows Virtual PC does not support creating a share from a folder that is already shared, redirection does not occur for any documents that open from a shared folder, such as a My Documents folder that is located on the network. For more information, see [Operations Troubleshooting](operations-troubleshooting-medv2.md).
-
-
After you have verified that published applications are installed and functioning correctly, you can test whether applications can be added or removed from the MED-V workspace.
**To test that an application can be added or removed**
@@ -51,15 +49,12 @@ After you have verified that published applications are installed and functionin
**Note**
If you encounter any problems when verifying your application publication settings, see [Operations Troubleshooting](operations-troubleshooting-medv2.md).
-
-
After you have completed testing application publishing, you can test other MED-V workspace configurations to verify that they function as intended.
After you have completed testing your MED-V workspace package and have verified that it is functioning as intended, you can deploy the MED-V workspace to your enterprise.
## Related topics
-
[How to Test URL Redirection](how-to-test-url-redirection.md)
[How to Verify First Time Setup Settings](how-to-verify-first-time-setup-settings.md)
diff --git a/mdop/medv-v2/how-to-test-url-redirection.md b/mdop/medv-v2/how-to-test-url-redirection.md
index 292c86b05c..21781c9cab 100644
--- a/mdop/medv-v2/how-to-test-url-redirection.md
+++ b/mdop/medv-v2/how-to-test-url-redirection.md
@@ -18,9 +18,7 @@ After your test of first time setup finishes, you can verify that the URL redire
**Important**
The MED-V Host Agent must be running for URL redirection to function correctly.
-
-
-**To test URL Redirection**
+**To test URL Redirection**
1. Open an Internet Explorer browser in the host computer and enter a URL that you specified for redirection.
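Review bot: the Important callout kept as context here says only that the MED-V Host Agent must be running for URL redirection to function; it does not say what a tester sees when the agent is not running, which is exactly the failure step 1 would surface. Add one sentence stating the observable symptom (the URL opens in the host's Internet Explorer rather than in the MED-V workspace) so a tester can tell a stopped agent from a misconfigured redirection list before consulting Operations Troubleshooting.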
@@ -45,20 +43,15 @@ The MED-V Host Agent must be running for URL redirection to function correctly.
**Note**
It can take several seconds for the URL redirection changes to take place.
-
-
**Note**
If you encounter any problems when verifying your URL redirection settings, see [Operations Troubleshooting](operations-troubleshooting-medv2.md).
-
-
After you have completed testing URL redirection in your MED-V workspace, you can test other configurations to verify that they function as intended.
After you have completed testing your MED-V workspace package and have verified that it is functioning as intended, you can deploy the MED-V workspace to your enterprise.
## Related topics
-
[How to Test Application Publishing](how-to-test-application-publishing.md)
[How to Verify First Time Setup Settings](how-to-verify-first-time-setup-settings.md)
diff --git a/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md b/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md
index 036cada1cc..cecf6f4ceb 100644
--- a/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md
+++ b/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md
@@ -103,9 +103,7 @@ It might be necessary to change the PowerShell execution policy to allow these s
2. In the **User Agent** tab, set the **PowerShell Execution Policy** to **Bypass**
-
-
-**Create the First UE-V Policy Configuration Item**
+**Create the First UE-V Policy Configuration Item**
1. Copy the default settings configuration file from the UE-V Config Pack installation directory to a location visible to your ConfigMgr Admin Console:
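Review bot: the context line "In the User Agent tab, set the PowerShell Execution Policy to Bypass" is carried over with no caveat. Execution policy is not a security boundary, but Bypass disables script blocking and warnings entirely, and it applies to every script the client runs unattended, not just the UE-V discovery and remediation scripts this topic distributes. The surrounding text already frames the change as conditional ("It might be necessary to change the PowerShell execution policy..."), so the doc should say which clients the setting affects and name the narrower option of signing the UE-V scripts and using AllSigned, or scoping the Bypass setting to the collection that receives the UE-V baseline.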
@@ -173,8 +171,6 @@ It might be necessary to change the PowerShell execution policy to allow these s
3. Reimport the CAB file. The version in ConfigMgr will be updated.
## Generate a UE-V Template Baseline
-
-
UE-V templates are distributed using a baseline containing multiple configuration items. Each configuration item contains the discovery and remediation scripts needed to install one UE-V template. The actual UE-V template is embedded within the remediation script for distribution using standard Configuration Item functionality.
The UE-V template baseline is created using the UevTemplateBaselineGenerator.exe command line tool, which has these parameters:
diff --git a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
index a97b55540e..886b343e52 100644
--- a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
+++ b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
@@ -45,7 +45,7 @@ This workflow diagram provides a high-level understanding of a UE-V deployment a

-**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components you’ll be deploying. Planning a UE-V deployment involves these things:
+**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components you’ll be deploying. Planning a UE-V deployment involves these things:
- [Decide whether to synchronize settings for custom applications](#deciding)
diff --git a/smb/TOC.md b/smb/TOC.md
new file mode 100644
index 0000000000..4c2433fafc
--- /dev/null
+++ b/smb/TOC.md
@@ -0,0 +1 @@
+# [SMB](index.md)
diff --git a/smb/docfx.json b/smb/docfx.json
new file mode 100644
index 0000000000..033a3552a9
--- /dev/null
+++ b/smb/docfx.json
@@ -0,0 +1,35 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "smb/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "smb/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {},
+ "fileMetadata": {},
+ "template": [],
+ "dest": "smb"
+ }
+}
\ No newline at end of file
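Review bot: both the content and resource exclude lists contain "smb/**". This docfx.json lives in the smb folder and its globs ("**/*.md", "**/*.png") are relative to that folder, so "smb/**" either matches nothing (dead configuration copied from another docset) or, if the globs were ever evaluated from the repository root, would exclude the entire docset. Drop the entry and keep only "**/obj/**" and "**/includes/**". Also add the missing newline at end of file flagged by "\ No newline at end of file".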
diff --git a/smb/index.md b/smb/index.md
new file mode 100644
index 0000000000..eaeb8132cd
--- /dev/null
+++ b/smb/index.md
@@ -0,0 +1,4 @@
+---
+title: SMB placeholder
+description: SMB placeholder
+---
diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md
index 82c95ff35b..f96e6edda3 100644
--- a/windows/deploy/activate-using-active-directory-based-activation-client.md
+++ b/windows/deploy/activate-using-active-directory-based-activation-client.md
@@ -68,13 +68,13 @@ You must be a member of the local Administrators group on all computers mentione
6. Enter your KMS host key and (optionally) a display name (Figure 14).
- 
+ 
**Figure 14**. Entering your KMS host key
7. Activate your KMS host key by phone or online (Figure 15).
- 
+ 
**Figure 15**. Choosing how to activate your product
diff --git a/windows/deploy/introduction-vamt.md b/windows/deploy/introduction-vamt.md
index 3d51c0dd02..133b8e6966 100644
--- a/windows/deploy/introduction-vamt.md
+++ b/windows/deploy/introduction-vamt.md
@@ -22,18 +22,18 @@ VAMT can be installed on, and can manage, physical or virtual instances. VAMT ca
- [Enterprise Environment](#bkmk-enterpriseenvironment)
- [VAMT User Interface](#bkmk-userinterface)
-## Managing Multiple Activation Key (MAK) and Retail Activation
+## Managing Multiple Activation Key (MAK) and Retail Activation
You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
-## Managing Key Management Service (KMS) Activation
+## Managing Key Management Service (KMS) Activation
In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
-## Enterprise Environment
+## Enterprise Environment
VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
@@ -42,7 +42,7 @@ VAMT is commonly implemented in enterprise environments. The following illustrat
In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
-## VAMT User Interface
+## VAMT User Interface
The following screenshot shows the VAMT graphical user interface.
diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md
index 825197e1b6..b49144c4ca 100644
--- a/windows/deploy/resolve-windows-10-upgrade-errors.md
+++ b/windows/deploy/resolve-windows-10-upgrade-errors.md
@@ -16,13 +16,11 @@ localizationpriority: high
**Applies to**
- Windows 10
-This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
-
-If you are not an IT administrator, you can try the [quick fixes](#quick-fixes) listed in this topic. If the quick fixes do not resolve your issue, see [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors) for more information.
+>**Important**: This topic contains technical instructions for IT administrators. If you are not an IT administrator, see [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors) for more information.
## In this topic
-The following sections and procedures are provided in this guide:
+This topic contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. The following sections and procedures are provided in this guide:
- [The Windows 10 upgrade process](#the-windows-10-upgrade-process): An explanation of phases used during the upgrade process.
- [Quick fixes](#quick-fixes): Steps you can take to eliminate many Windows upgrade errors.
@@ -33,7 +31,7 @@ The following sections and procedures are provided in this guide:
- [Log entry structure](#log-entry-structure): The format of a log entry is described.
- [Analyze log files](#analyze-log-files): General procedures for log file analysis, and an example.
- [Resolution procedures](#resolution-procedures): Causes and mitigation procedures associated with specific error codes.
- - [0xC1900101](#0xC1900101): Information about the 0xC1900101 result code.
+ - [0xC1900101](#0xc1900101): Information about the 0xC1900101 result code.
- [0x800xxxxx](#0x800xxxxx): Information about result codes that start with 0x800.
- [Other result codes](#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
- [Other error codes](#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
@@ -866,7 +864,7 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
[Analyze log files](#analyze-log-files) to determine the issue.
0xC1900101 - 0x4001E
Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation.
-
This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xC1900101) section of this guide and review general troubleshooting procedures described in that section.
+
This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xc1900101) section of this guide and review general troubleshooting procedures described in that section.
0x80070005 - 0x4000D
The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data.
[Analyze log files](#analyze-log-files) to determine the data point that is reporting access denied.
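Review bot: the anchor fix (#0xC1900101 to #0xc1900101) is correct because generated heading ids are lowercased, and it matches the same correction in the "In this topic" list above. The unchanged context line for 0x80070005 - 0x4000D still reads "with an error in during MIGRATE_DATA operation"; drop the stray "in" while this region is being edited.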
diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md
index 1d08d1f5cb..8aaa283d61 100644
--- a/windows/deploy/upgrade-analytics-get-started.md
+++ b/windows/deploy/upgrade-analytics-get-started.md
@@ -97,9 +97,12 @@ The compatibility update KB scans your computers and enables application usage t
IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
+If you are planning to enable IE Site Discovery, you will need to install a few additional KBs.
+
| **Site discovery** | **KB** |
|----------------------|-----------------------------------------------------------------------------|
-| [Review site discovery](upgrade-analytics-review-site-discovery.md) | Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
+| [Review site discovery](upgrade-analytics-review-site-discovery.md) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149) Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices. For more information about this KB, see
Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
+
### Automate data collection
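Review bot: the new table row for site discovery is broken in two ways. The cell text ends mid-sentence ("For more information about this KB, see") with no link or title following, and the cell then continues on a second line ("Install the latest Windows Monthly Rollup..."), but a Markdown table row must be a single line, so everything after the line break renders outside the table. Either complete the sentence with the intended reference and join the two parts with a <br> inside the cell, or move KB3080149 into its own row so each KB has one line.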
diff --git a/windows/deploy/upgrade-analytics-resolve-issues.md b/windows/deploy/upgrade-analytics-resolve-issues.md
index 078290d9b3..6a61a18a33 100644
--- a/windows/deploy/upgrade-analytics-resolve-issues.md
+++ b/windows/deploy/upgrade-analytics-resolve-issues.md
@@ -18,7 +18,7 @@ Upgrade decisions include:
| Not reviewed | When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress.**
| Some applications are automatically assigned upgrade decisions based on information known to Microsoft.
All drivers are marked not reviewed by default.
|
| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.
Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.
| Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**. |
| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues or with low installation rates are marked **Ready to upgrade** by default.
Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
All drivers are marked **Not reviewed** by default. |
-| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.
Use **Won’t upgrade** for computers you don’t want to upgrade. | If, during your investigation into an application or driver, you determine that they should not be upgraded, mark them **Won’t upgrade**.
|
+| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.
Use **Won’t upgrade** for applications and drivers you don’t want to upgrade. | If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.
|
The blades in the **Resolve issues** section are:
diff --git a/windows/deploy/usmt-exclude-files-and-settings.md b/windows/deploy/usmt-exclude-files-and-settings.md
index e856679334..975f11e54a 100644
--- a/windows/deploy/usmt-exclude-files-and-settings.md
+++ b/windows/deploy/usmt-exclude-files-and-settings.md
@@ -32,7 +32,7 @@ If you specify an <exclude> rule, always specify a corresponding <inclu
- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
-- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-c-data-except-files-in-c-data-tmp)
+- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp)
- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders)
@@ -246,7 +246,7 @@ The following .xml file unconditionally excludes the system folders of `C:\Windo
```
-## Create a Config.xml File
+## Create a Config XML File
You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows.
- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the <Applications> section of the Config.xml file.
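Review bot: renaming the heading from "Create a Config.xml File" to "Create a Config XML File" changes the generated anchor (the id derived from the new text differs from the one derived from "Config.xml"), which is presumably the motivation. No link to either anchor is updated in this patch, so confirm every in-page and cross-page reference to the old id is fixed. The paragraph directly below still calls the file Config.xml; if the goal is only a stable anchor, keeping the accurate heading and pointing links at the id the build actually generates is the less confusing fix.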
diff --git a/windows/deploy/windows-10-upgrade-paths.md b/windows/deploy/windows-10-upgrade-paths.md
index 9356e2c31c..0c5b8ff890 100644
--- a/windows/deploy/windows-10-upgrade-paths.md
+++ b/windows/deploy/windows-10-upgrade-paths.md
@@ -19,11 +19,11 @@ author: greg-lindsay
This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
->**Windows 10 LTSB**: The upgrade paths displayed below do not apply to Windows 10 LTSB. In-place upgrade from Windows 7 or Windows 8.1 to Windows 10 LTSB is not supported.
+>**Windows 10 LTSB**: The upgrade paths displayed below do not apply to Windows 10 LTSB. In-place upgrade from Windows 7 or Windows 8.1 to Windows 10 LTSB is not supported. (Note that Windows 10 LTSB 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSB 2016 release, which will now only allow data-only and clean install options.)
>**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
->**Free upgrade**: The Windows 10 free upgrade offer expired on July 29, 2016. For more information, see [Free upgrade paths](#Free-upgrade-paths).
+>**Free upgrade**: The Windows 10 free upgrade offer expired on July 29, 2016. For more information, see [Free upgrade paths](#free-upgrade-paths).
✔ = Full upgrade is supported including personal data, settings, and applications.
D = Edition downgrade; personal data is maintained, applications and settings are removed.
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 0143dc9421..eaedfbf278 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -682,6 +682,18 @@
###### [Shut down the system](shut-down-the-system.md)
###### [Synchronize directory service data](synchronize-directory-service-data.md)
###### [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md)
+### [Smart Cards](smart-card-windows-smart-card-technical-reference.md)
+#### [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
+##### [Smart Card Architecture](smart-card-architecture.md)
+##### [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md)
+##### [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md)
+##### [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md)
+##### [Certificate Propagation Service](smart-card-certificate-propagation-service.md)
+##### [Smart Card Removal Policy Service](smart-card-removal-policy-service.md)
+#### [Smart Card Tools and Settings](smart-card-tools-and-settings.md)
+##### [Smart Cards Debugging Information](smart-card-debugging-information.md)
+##### [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
+##### [Smart Card Events](smart-card-events.md)
### [Trusted Platform Module](trusted-platform-module-overview.md)
#### [TPM fundamentals](tpm-fundamentals.md)
#### [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
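Review bot: the twelve new Smart Cards TOC entries link to topics (smart-card-windows-smart-card-technical-reference.md through smart-card-events.md) that this patch does not add. If those files land in a separate commit that is fine, but as submitted every entry is a broken link in the published TOC. Also "Smart Cards Debugging Information" uses the plural where its siblings use the singular ("Smart Card Events", "Smart Card Group Policy and Registry Settings"); make the labels consistent.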
@@ -697,6 +709,13 @@
#### [How User Account Control works](how-user-account-control-works.md)
#### [User Account Control security policy settings](user-account-control-security-policy-settings.md)
#### [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md)
+### [Virtual Smart Cards](virtual-smart-card-overview.md)
+#### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
+##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
+##### [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
+##### [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
+##### [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
+#### [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
#### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
#### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
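Review bot: the same missing-target check applies to the Virtual Smart Cards block: none of the seven virtual-smart-card-*.md topics is part of this patch. Separately, "Tpmvscmgr" as a TOC label is just the executable's name while its siblings carry descriptive titles; "Tpmvscmgr command-line tool" or similar would match the style of the surrounding entries.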
diff --git a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
index 69108c1fcc..d03cb6cbe3 100644
--- a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
@@ -37,7 +37,7 @@ In this topic:
- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
-- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
+- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add domain devices to the GPO membership group
diff --git a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
index 11b782d3f8..84cdd96dc6 100644
--- a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
@@ -25,11 +25,11 @@ To complete these procedures, you must be a member of the Domain Administrators
In this topic:
-- [Add the test devices to the GPO membership groups](#to-add-domain-devices-to-the-gpo-membership-group)
+- [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-groups)
- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
-- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
+- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add test devices to the GPO membership groups
diff --git a/windows/keep-secure/advanced-security-audit-policy-settings.md b/windows/keep-secure/advanced-security-audit-policy-settings.md
index 14ecaca52f..dd4bf9d8d5 100644
--- a/windows/keep-secure/advanced-security-audit-policy-settings.md
+++ b/windows/keep-secure/advanced-security-audit-policy-settings.md
@@ -27,7 +27,7 @@ You can access these audit policy settings through the Local Security Policy sna
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
-**Account Logon**
+## Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories:
@@ -36,7 +36,7 @@ Configuring policy settings in this category can help you document attempts to a
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-**Account Management**
+## Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
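Review bot: the Account Logon subcategory list reproduced as context in this hunk ends with "Audit Other Logon/Logoff Events", which is a Logon/Logoff subcategory (it is listed again under Logon/Logoff further down in this file). The fourth Account Logon subcategory is Audit Other Account Logon Events; fix the link text and target (following the file naming pattern used here, audit-other-account-logon-events.md) while these category labels are being reworked, since a reader configuring Account Logon auditing from this list would otherwise enable the wrong subcategory.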
@@ -47,7 +47,7 @@ The security audit policy settings in this category can be used to monitor chang
- [Audit Security Group Management](audit-security-group-management.md)
- [Audit User Account Management](audit-user-account-management.md)
-**Detailed Tracking**
+## Detailed Tracking
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories:
@@ -57,7 +57,7 @@ Detailed Tracking security policy settings and audit events can be used to monit
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
-**DS Access**
+## DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
@@ -66,7 +66,7 @@ DS Access security audit policy settings provide a detailed audit trail of attem
- [Audit Directory Service Changes](audit-directory-service-changes.md)
- [Audit Directory Service Replication](audit-directory-service-replication.md)
-**Logon/Logoff**
+## Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
@@ -82,11 +82,11 @@ Logon/Logoff security policy settings and audit events allow you to track attemp
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Special Logon](audit-special-logon.md)
-**Object Access**
+## Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
-Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess).
+Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
This category includes the following subcategories:
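Review bot: the context line two above the changed sentence reads "the appropriate object Aaccess auditing subcategory"; "Aaccess" is a typo for "access" and, since this hunk already edits the same paragraph, it is worth fixing here rather than in a follow-up.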
@@ -105,7 +105,7 @@ This category includes the following subcategories:
- [Audit SAM](audit-sam.md)
- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
-**Policy Change**
+## Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:
@@ -116,7 +116,7 @@ Policy Change audit events allow you to track changes to important security poli
- [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
-**Privilege Use**
+## Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
@@ -124,7 +124,7 @@ Permissions on a network are granted for users or computers to complete defined
- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
-**System**
+## System
System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:
@@ -134,7 +134,7 @@ System security policy settings and audit events allow you to track system-level
- [Audit Security System Extension](audit-security-system-extension.md)
- [Audit System Integrity](audit-system-integrity.md)
-**Global Object Access**
+## Global Object Access Auditing
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
index 09000d467d..3a4746998e 100644
--- a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -36,7 +36,7 @@ Highlighted area|Area name|Description
:---|:---|:---
(1)|**Alerts queue**| Select to show **New**, **In Progress**, or **Resolved alerts**
(2)|Alerts|Each alert shows:
The severity of an alert as a colored bar
A short description of the alert, including the name of the threat actor (in cases where the attribution is possible)
The last occurrence of the alert on any machine
The number of days the alert has been in the queue
The severity of the alert
The general category or type of alert, or the alert's kill-chain stage
The affected machine (if there are multiple machines, the number of affected machines will be shown)
A **Manage Alert** menu icon  that allows you to update the alert's status and add comments
Clicking an alert expands to display more information about the threat and brings you to the date in the timeline when the alert was detected.
-(3)|Alerts sorting and filters | You can sort alerts by:
**Newest** (when the threat was last seen on your network)
**Time in queue** (how long the threat has been in your queue)
**Severity**
You can also filter the displayed alerts by:
Severity
Time period
See [Windows Defender ATP alerts](use-windows-defender-advanced-threat-protection.md#windows-defender-atp-alerts) for more details.
+(3)|Alerts sorting and filters | You can sort alerts by:
**Newest** (when the threat was last seen on your network)
**Time in queue** (how long the threat has been in your queue)
**Severity**
You can also filter the displayed alerts by:
Severity
Time period
See [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) for more details.
##Sort and filter the Alerts queue
You can filter and sort (or "pivot") the Alerts queue to identify specific alerts based on certain criteria.
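Review bot: the heading `##Sort and filter the Alerts queue` at the end of this hunk has no space after the hashes, so CommonMark-style renderers will show it as literal text instead of a heading; change it to `## Sort and filter the Alerts queue` while this file is being touched.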
diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
index 0beb5a8932..3f72f93ba5 100644
--- a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
@@ -117,7 +117,7 @@ When you need to recover the TPM owner information from AD DS and use it to man
**To obtain TPM owner backup information from AD DS and create a password file**
1. Sign in to a domain controller by using domain administrator credentials.
-2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer.
+2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#bkmk-get-tpmownerinfo), to a location on your computer.
3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step.
4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**.
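Review bot: the new target `#bkmk-get-tpmownerinfo` is an explicit bookmark id rather than a heading-derived slug, while the other anchor fixes in this change (for example the BitLocker FAQ hunk) move to heading slugs; confirm the target page actually defines that id, otherwise the link is still broken after this edit.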
diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md
index c329ed5d14..6e3ae93c32 100644
--- a/windows/keep-secure/bitlocker-frequently-asked-questions.md
+++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md
@@ -319,7 +319,7 @@ When an administrator selects the **Require BitLocker backup to AD DS** check b
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#bkmk-adretro) to capture the information after connectivity is restored.
+When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
## Security
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index ec6211f5b0..759d44b4af 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -12,16 +12,23 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## November 2016
+| New or changed topic | Description |
+| --- | --- |
+|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md), [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md), and [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Added additional details about what happens when you turn off WIP. |
+|[Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) |Changed WIPModeID to EDPModeID, to match the CSP. |
+
+
## October 2016
| New or changed topic | Description |
| --- | --- |
|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Added Microsoft Remote Desktop information. |
-|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about the icon overlay option. This icon now only appears on corporate files in the Save As and File Explore views |
+|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about where the optioanl icon overlay appears.|
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added content about using ActiveX controls.|
|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |New |
|[VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
-| [Windows security baselines](windows-security-baselines.md) | Added Windows 10, version 1607 and Windows Server 2016 baseline |
+|[Windows security baselines](windows-security-baselines.md) | Added Windows 10, version 1607 and Windows Server 2016 baseline |
## September 2016
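Review bot: the changed October 2016 row contains "optioanl", a typo for "optional"; fix it in the same change. The two trailing `+` blank lines after the November 2016 table are also more than the rest of the file uses between sections.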
diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 731d00b2c5..59f309b4ab 100644
--- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -67,7 +67,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
4. Click **Policies**, then **Administrative templates**.
-5. Click **Windows components** and then **Windows Advanced Threat Protection**.
+5. Click **Windows components** and then **Windows Defender ATP**.
6. Choose to enable or disable sample sharing from your endpoints.
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 5aaa60e929..c24886d168 100644
--- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -28,14 +28,17 @@ The embedded Windows Defender ATP sensor runs in system context using the LocalS
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
-- Configure the proxy server manually using a static proxy
+ - Auto-discovery methods:
+ - Transparent proxy
+ - Web Proxy Auto-discovery Protocol (WPAD)
- - Auto-discovery methods:
- - Transparent proxy
+> [!NOTE]
+> If you're using Transparent proxy or WPAD in your network topology, you don't need special endpoint configuration settings. For more information on Windows Defender ATP URL exclusions in the proxy, see [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
- - Manual static proxy configuration
- - WinHTTP configured using netsh command
- - Registry based configuration
+
+ - Manual static proxy configuration:
+ - WinHTTP configured using netsh command
+ - Registry based configuration
## Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
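Review bot: the `> [!NOTE]` block is inserted between the "Auto-discovery methods" item and the "Manual static proxy configuration" item, which splits the bullet list in two; move the note after the whole list (or keep it indented under the auto-discovery item) so "Manual static proxy configuration" stays part of the same list. The unchanged sentence just below, "if a computer is not be permitted to connect", also needs "is not permitted".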
@@ -77,12 +80,9 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec
Primary Domain Controller | .Microsoft.com DNS record
:---|:---
- Central US | winatp-gw-cus.microsoft.com us.vortex-win.data.microsoft.com crl.microsoft.com *.blob.core.windows.net
- East US (2)| winatp-gw-eus.microsoft.com us.vortex-win.data.microsoft.com crl.microsoft.com *.blob.core.windows.net
- West Europe | winatp-gw-weu.microsoft.com eu.vortex-win.data.microsoft.com crl.microsoft.com *.blob.core.windows.net
- North Europe | winatp-gw-neu.microsoft.com eu.vortex-win.data.microsoft.com crl.microsoft.com *.blob.core.windows.net
+ US |```*.blob.core.windows.net``` ```crl.microsoft.com``` ```us.vortex-win.data.microsoft.com``` ```winatp-gw-cus.microsoft.com``` ```winatp-gw-eus.microsoft.com```
+Europe |```*.blob.core.windows.net``` ```crl.microsoft.com``` ```eu.vortex-win.data.microsoft.com``` ```winatp-gw-neu.microsoft.com``` ```winatp-gw-weu.microsoft.com```
-
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
If you selected US as your region, you should permit anonymous traffic for URLs listed in both Central US and East US (2).
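Review bot: the last context line, "you should permit anonymous traffic for URLs listed in both Central US and East US (2)", is now stale because this hunk collapses the Central US and East US (2) rows into a single US row; update or drop that sentence. The table header "Primary Domain Controller" also does not describe what the first column now holds (a region).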
diff --git a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md
index 339d6b3da3..45ed365fe2 100644
--- a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md
@@ -30,7 +30,7 @@ Follow these steps to create the VPN policy you want to use with WIP.

-3. Type *WIPModeID* into the **Name** box, along with an optional description for your policy into the **Description** box.
+3. Type *Contoso_VPN_Win10* into the **Name** box, along with an optional description for your policy into the **Description** box.

@@ -69,7 +69,7 @@ The added people move to the **Selected Groups** list on the right-hand pane.
The policy is deployed to the selected users' devices.
## Link your WIP and VPN policies and deploy the custom configuration policy
-The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **WIPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies
+The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EDPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies
**To link your VPN policy**
@@ -83,19 +83,19 @@ The final step to making your VPN configuration work with WIP, is to link your t

-4. In the **OMA-URI Settings** area, click **Add** to add your **WIPModeID** info.
+4. In the **OMA-URI Settings** area, click **Add** to add your **EDPModeID** info.
5. In the **OMA-URI Settings** area, type the following info:
- - **Setting name.** Type **WIPModeID** as the name.
+ - **Setting name.** Type **EDPModeID** as the name.
- **Data type.** Pick the **String** data type.
- - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//WIPModeId`, replacing *<your\_wip\_policy\_name>* with the name you gave to your WIP policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/WIPModeId`.
+ - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//EDPModeId`, replacing <*VPNProfileName*> with the name you gave to your VPN policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EDPModeId`.
- **Value.** Your fully-qualified domain that should be used by the OMA-URI setting.
- 
+ 
6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.**
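Review bot: the changed OMA-URI reads `./Vendor/MSFT/VPNv2//EDPModeId` with an empty path segment, which suggests the `<VPNProfileName>` placeholder between the slashes was swallowed as an HTML tag during rendering; escape it (for example `&lt;VPNProfileName&gt;`) so the reader sees where the profile name goes. Also note the setting name is given as **EDPModeID** but the URI node as `EDPModeId`; confirm the exact casing against the VPNv2 CSP, since the change-history entry says the rename was made to match it.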
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md
index e3e8483484..44bf2930a2 100644
--- a/windows/keep-secure/create-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-wip-policy-using-intune.md
@@ -160,7 +160,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
All fields left as “*”
-
All files signed by any publisher. (Not recommended.)
+
All files signed by any publisher. (Not recommended)
Publisher selected
@@ -329,7 +329,7 @@ We recommend that you start with **Silent** or **Override** while verifying with
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
-|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.|
+|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|

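Review bot: the description cell of the changed "Off (not recommended)" row continues onto a second source line, which a markdown pipe table does not support; the second line will render outside the table. Join it onto one line or use `<br>` inside the cell. The same two-line row is changed identically in create-wip-policy-using-sccm.md in this patch.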
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md
index 031da1a038..468b8308d4 100644
--- a/windows/keep-secure/create-wip-policy-using-sccm.md
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@@ -80,7 +80,7 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the **
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Store App** from the **Rule template** drop-down list.
@@ -164,7 +164,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Desktop App** from the **Rule template** drop-down list.
@@ -304,7 +304,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
- Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.
@@ -349,7 +349,7 @@ We recommend that you start with **Silent** or **Override** while verifying with
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
-|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.|
+|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|

diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index 5e20aa7fff..ce40f1c03f 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -48,7 +48,8 @@ The following tables provide more information about the hardware, firmware, and
> [!NOTE]
> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
-> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
+> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
+> Starting in Widows 10, 1607, TPM 2.0 is required.
## Credential Guard requirements for baseline protections
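Review bot: the added line "Starting in Widows 10, 1607, TPM 2.0 is required." has a typo ("Widows") and should use the version wording adopted later in this patch, "Windows 10, version 1607".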
@@ -57,11 +58,9 @@ The following tables provide more information about the hardware, firmware, and
|---------------------------------------------|----------------------------------------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
| Hardware: **CPU virtualization extensions**, plus **extended page tables** | **Requirements**: These hardware features are required for VBS: One of the following virtualization extensions: - VT-x (Intel) or - AMD-V And: - Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
-| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
> [!IMPORTANT]
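Review bot: the unchanged TPM row in this table still states "TPM 1.2 or TPM 2.0, either discrete or firmware", which now contradicts the note added in the previous hunk that TPM 2.0 is required starting with version 1607; either qualify the row by version or align it with the note. Each requirement row here also spans two source lines (Requirement / Security benefits), which will not render as one cell in a pipe table without `<br>`.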
@@ -75,7 +74,9 @@ The following tables describes additional hardware and firmware requirements, an
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
+| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
| Firmware: **Securing Boot Configuration and Management** | **Requirements**: - BIOS password or stronger authentication must be supported. - In the BIOS configuration, BIOS authentication must be set. - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system. - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**: - BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access. - Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
@@ -92,7 +93,7 @@ The following tables describes additional hardware and firmware requirements, an
-### 2017 Additional Qualification Requirements for Credential Guard (announced as options for future Windows operating systems for 2017)
+### 2017 Additional Qualification Requirements for Credential Guard (starting with the next major release of Windows 10)
| Protection for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
@@ -101,7 +102,7 @@ The following tables describes additional hardware and firmware requirements, an
## Manage Credential Guard
### Enable Credential Guard
-Credential Guard can be enabled by using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool.
+Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
#### Turn on Credential Guard by using Group Policy
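Review bot: The third link's anchor `#hardware-readiness-tool` will not resolve: the heading it targets, visible later in this file's diff, is "Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool", whose generated slug is `#turn-on-credential-guard-by-using-the-device-guard-and-credential-guard-hardware-readiness-tool`. Use that full slug (the first two links in the same sentence already use the full heading slugs).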
@@ -124,9 +125,9 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi
##### Add the virtualization-based security features
-Starting with Windows 10 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
+Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
-If you are using Windows 10 1507 (RTM) or Windows 10 1511, Windows features have to be enabled to use virtualization-based security.
+If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
> [!NOTE]
> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
@@ -171,6 +172,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic
> [!NOTE]
> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
+
#### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
index 8192f42f7f..112382f305 100644
--- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
@@ -51,7 +51,7 @@ This tile shows you a list of machines with the highest number of active alerts.

-Click the name of the machine to see details about that machine. For more information see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine).
+Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
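Review bot: After this change the two consecutive sentences link to the same topic with the same link text, which reads as a duplicate. If the machine-details anchor on the investigate-alerts page was wrong, point the first link at the machine-details section of investigate-machines-windows-defender-advanced-threat-protection.md instead, or drop the first "For more information" sentence and let the second carry the reference.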
diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
index e3df30dc93..91bec22e77 100644
--- a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -30,4 +30,4 @@ Windows Defender will continue to receive updates, and the *mspeng.exe* process
The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
-For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
+For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md).
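Review bot: The removed link's only defect was the stray space in `.md# compatibility-...`; dropping the anchor entirely leaves the sentence telling the reader to "see the **Compatibility** section" while the link now lands at the top of the topic. Keep the section anchor with the space removed, `windows-defender-in-windows-10.md#compatibility-with-windows-defender-advanced-threat-protection`, provided that heading still exists in the target topic.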
diff --git a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
index 2a41a2d649..ba8e5d4999 100644
--- a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
+++ b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
@@ -74,9 +74,9 @@ When finished, the files will be saved to your desktop. You can double-click the
To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be added to the code integrity policy, and the catalog file can be distributed to the individual client computers.
-For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtool.exe).
+For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtoolexe).
-For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](deploy-code-integrity-policies-steps.md#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
+For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
## Catalog signing with SignTool.exe
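Review bot: The second change retargets the link from deploy-code-integrity-policies-steps.md to a same-page anchor `#add-a-catalog-signing-certificate-to-a-code-integrity-policy`; this hunk shows no such heading being added to this file, so confirm the section actually lives in deploy-catalog-files-to-support-code-integrity-policies.md, otherwise the link silently breaks. The first change (`#catalog-signing-with-signtoolexe`) is the correct slug, since the period in "SignTool.exe" is dropped from generated anchors.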
diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
index fe1db32b1d..9f7be87cbb 100644
--- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
@@ -20,7 +20,7 @@ Hardware-based security features, also called virtualization-based security or V
2. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).
-3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
+3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic.
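Review bot: While touching step 3, make the readiness-tool URL locale-neutral: `https://www.microsoft.com/en-us/download/details.aspx?id=53337` hardcodes `en-us`, whereas the same tool is linked elsewhere in this patch as `https://www.microsoft.com/download/details.aspx?id=53337`, which lets the download site pick the reader's locale. Step 4 has the same hardcoded locale.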
@@ -46,7 +46,7 @@ After you enable the feature or features, you can enable VBS for Device Guard, a
## Enable Virtualization Based Security (VBS) and Device Guard
-Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
+Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
There are multiple ways to configure VBS features for Device Guard:
diff --git a/windows/keep-secure/event-4713.md b/windows/keep-secure/event-4713.md
index 482ad0768e..c35ede099f 100644
--- a/windows/keep-secure/event-4713.md
+++ b/windows/keep-secure/event-4713.md
@@ -21,7 +21,7 @@ author: Mir0sh
***Event Description:***
-This event generates when [Kerberos policy](https://technet.microsoft.com/en-us/library/cc782061(v=ws.10).aspx) was changed.
+This event generates when [Kerberos](https://msdn.microsoft.com/library/windows/desktop/aa378747.aspx) policy was changed.
This event is generated only on domain controllers.
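Review bot: The replacement link narrows the linked text to "Kerberos" and points at the MSDN Kerberos overview, but event 4713 is specifically about changes to Kerberos *policy* (the domain's ticket-lifetime and clock-skew settings), which is what the removed TechNet link documented. If the TechNet page is gone, link the whole phrase "Kerberos policy" to a topic that describes the policy settings rather than the protocol; otherwise an investigator reading this event will not find what the changed values mean. The context line "This event generates when" also wants "is generated when".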
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
index cdde9f9522..2c68fb6704 100644
--- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -82,7 +82,7 @@ This URL will match that seen in the Firewall or network activity.
Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```.
Variable = URL of the Windows Defender ATP processing servers.
The service could not contact the external processing servers at that URL.
-
Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity).
+
Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).
6
@@ -145,13 +145,13 @@ It may take several hours for the endpoint to appear in the portal.
Windows Defender Advanced Threat Protection cannot start command channel with URL: ```variable```.
Variable = URL of the Windows Defender ATP processing servers.
The service could not contact the external processing servers at that URL.
-
Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).
+
Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).
17
Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```.
An error occurred with the Windows telemetry service.
-
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
+
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```.
An error occurred with the Windows telemetry service.
-
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
+
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```.
An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.
-
[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
+
[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
32
@@ -237,7 +237,7 @@ If the identifier does not persist, the same machine might appear twice in the p
34
Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```.
An error occurred with the Windows telemetry service.
-
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
+
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
diff --git a/windows/keep-secure/images/intune-vpn-omaurisettings.png b/windows/keep-secure/images/intune-vpn-omaurisettings.png
index c7016e13c4..66415d57fd 100644
Binary files a/windows/keep-secure/images/intune-vpn-omaurisettings.png and b/windows/keep-secure/images/intune-vpn-omaurisettings.png differ
diff --git a/windows/keep-secure/images/intune-vpn-wipmodeid.png b/windows/keep-secure/images/intune-vpn-wipmodeid.png
index 6c45fd0a25..19892b3a7c 100644
Binary files a/windows/keep-secure/images/intune-vpn-wipmodeid.png and b/windows/keep-secure/images/intune-vpn-wipmodeid.png differ
diff --git a/windows/keep-secure/images/remote-credential-guard-gp.png b/windows/keep-secure/images/remote-credential-guard-gp.png
index 98c97825fa..a65253b04e 100644
Binary files a/windows/keep-secure/images/remote-credential-guard-gp.png and b/windows/keep-secure/images/remote-credential-guard-gp.png differ
diff --git a/windows/keep-secure/images/sc-image101.png b/windows/keep-secure/images/sc-image101.png
new file mode 100644
index 0000000000..d0c7a632b5
Binary files /dev/null and b/windows/keep-secure/images/sc-image101.png differ
diff --git a/windows/keep-secure/images/sc-image201.gif b/windows/keep-secure/images/sc-image201.gif
new file mode 100644
index 0000000000..226a747881
Binary files /dev/null and b/windows/keep-secure/images/sc-image201.gif differ
diff --git a/windows/keep-secure/images/sc-image203.gif b/windows/keep-secure/images/sc-image203.gif
new file mode 100644
index 0000000000..de2a310572
Binary files /dev/null and b/windows/keep-secure/images/sc-image203.gif differ
diff --git a/windows/keep-secure/images/sc-image205.png b/windows/keep-secure/images/sc-image205.png
new file mode 100644
index 0000000000..69b536054c
Binary files /dev/null and b/windows/keep-secure/images/sc-image205.png differ
diff --git a/windows/keep-secure/images/sc-image206.gif b/windows/keep-secure/images/sc-image206.gif
new file mode 100644
index 0000000000..07e187cfaa
Binary files /dev/null and b/windows/keep-secure/images/sc-image206.gif differ
diff --git a/windows/keep-secure/images/sc-image302.gif b/windows/keep-secure/images/sc-image302.gif
new file mode 100644
index 0000000000..346db734db
Binary files /dev/null and b/windows/keep-secure/images/sc-image302.gif differ
diff --git a/windows/keep-secure/images/sc-image402.png b/windows/keep-secure/images/sc-image402.png
new file mode 100644
index 0000000000..ec97224017
Binary files /dev/null and b/windows/keep-secure/images/sc-image402.png differ
diff --git a/windows/keep-secure/images/sc-image403.png b/windows/keep-secure/images/sc-image403.png
new file mode 100644
index 0000000000..22965326bc
Binary files /dev/null and b/windows/keep-secure/images/sc-image403.png differ
diff --git a/windows/keep-secure/images/sc-image404.png b/windows/keep-secure/images/sc-image404.png
new file mode 100644
index 0000000000..2bb988a668
Binary files /dev/null and b/windows/keep-secure/images/sc-image404.png differ
diff --git a/windows/keep-secure/images/sc-image405.png b/windows/keep-secure/images/sc-image405.png
new file mode 100644
index 0000000000..99e7a7b21a
Binary files /dev/null and b/windows/keep-secure/images/sc-image405.png differ
diff --git a/windows/keep-secure/images/sc-image406.png b/windows/keep-secure/images/sc-image406.png
new file mode 100644
index 0000000000..8eb3c3c630
Binary files /dev/null and b/windows/keep-secure/images/sc-image406.png differ
diff --git a/windows/keep-secure/images/sc-image407.png b/windows/keep-secure/images/sc-image407.png
new file mode 100644
index 0000000000..47ceb8f10a
Binary files /dev/null and b/windows/keep-secure/images/sc-image407.png differ
diff --git a/windows/keep-secure/images/sc-image501.gif b/windows/keep-secure/images/sc-image501.gif
new file mode 100644
index 0000000000..b1463b5d14
Binary files /dev/null and b/windows/keep-secure/images/sc-image501.gif differ
diff --git a/windows/keep-secure/images/vsc-02-mmc-add-snap-in.png b/windows/keep-secure/images/vsc-02-mmc-add-snap-in.png
new file mode 100644
index 0000000000..2d626ecf94
Binary files /dev/null and b/windows/keep-secure/images/vsc-02-mmc-add-snap-in.png differ
diff --git a/windows/keep-secure/images/vsc-03-add-certificate-templates-snap-in.png b/windows/keep-secure/images/vsc-03-add-certificate-templates-snap-in.png
new file mode 100644
index 0000000000..e5c40ce136
Binary files /dev/null and b/windows/keep-secure/images/vsc-03-add-certificate-templates-snap-in.png differ
diff --git a/windows/keep-secure/images/vsc-04-right-click-smartcard-logon-template.png b/windows/keep-secure/images/vsc-04-right-click-smartcard-logon-template.png
new file mode 100644
index 0000000000..b6fa6b75ba
Binary files /dev/null and b/windows/keep-secure/images/vsc-04-right-click-smartcard-logon-template.png differ
diff --git a/windows/keep-secure/images/vsc-05-certificate-template-compatibility.png b/windows/keep-secure/images/vsc-05-certificate-template-compatibility.png
new file mode 100644
index 0000000000..110fb05099
Binary files /dev/null and b/windows/keep-secure/images/vsc-05-certificate-template-compatibility.png differ
diff --git a/windows/keep-secure/images/vsc-06-add-certification-authority-snap-in.png b/windows/keep-secure/images/vsc-06-add-certification-authority-snap-in.png
new file mode 100644
index 0000000000..f770d2f259
Binary files /dev/null and b/windows/keep-secure/images/vsc-06-add-certification-authority-snap-in.png differ
diff --git a/windows/keep-secure/images/vsc-07-right-click-certificate-templates.png b/windows/keep-secure/images/vsc-07-right-click-certificate-templates.png
new file mode 100644
index 0000000000..893abc8f34
Binary files /dev/null and b/windows/keep-secure/images/vsc-07-right-click-certificate-templates.png differ
diff --git a/windows/keep-secure/images/vsc-08-enable-certificate-template.png b/windows/keep-secure/images/vsc-08-enable-certificate-template.png
new file mode 100644
index 0000000000..f060ca7e3e
Binary files /dev/null and b/windows/keep-secure/images/vsc-08-enable-certificate-template.png differ
diff --git a/windows/keep-secure/images/vsc-09-stop-service-start-service.png b/windows/keep-secure/images/vsc-09-stop-service-start-service.png
new file mode 100644
index 0000000000..4f3a65766f
Binary files /dev/null and b/windows/keep-secure/images/vsc-09-stop-service-start-service.png differ
diff --git a/windows/keep-secure/images/vsc-10-cmd-run-as-administrator.png b/windows/keep-secure/images/vsc-10-cmd-run-as-administrator.png
new file mode 100644
index 0000000000..b9a6538540
Binary files /dev/null and b/windows/keep-secure/images/vsc-10-cmd-run-as-administrator.png differ
diff --git a/windows/keep-secure/images/vsc-11-certificates-request-new-certificate.png b/windows/keep-secure/images/vsc-11-certificates-request-new-certificate.png
new file mode 100644
index 0000000000..4eeba26de7
Binary files /dev/null and b/windows/keep-secure/images/vsc-11-certificates-request-new-certificate.png differ
diff --git a/windows/keep-secure/images/vsc-12-certificate-enrollment-select-certificate.png b/windows/keep-secure/images/vsc-12-certificate-enrollment-select-certificate.png
new file mode 100644
index 0000000000..b8fb5e9635
Binary files /dev/null and b/windows/keep-secure/images/vsc-12-certificate-enrollment-select-certificate.png differ
diff --git a/windows/keep-secure/images/vsc-physical-smart-card-lifecycle.png b/windows/keep-secure/images/vsc-physical-smart-card-lifecycle.png
new file mode 100644
index 0000000000..17357828f0
Binary files /dev/null and b/windows/keep-secure/images/vsc-physical-smart-card-lifecycle.png differ
diff --git a/windows/keep-secure/images/vsc-process-of-accessing-user-key.png b/windows/keep-secure/images/vsc-process-of-accessing-user-key.png
new file mode 100644
index 0000000000..29682f1cd0
Binary files /dev/null and b/windows/keep-secure/images/vsc-process-of-accessing-user-key.png differ
diff --git a/windows/keep-secure/images/vsc-virtual-smart-card-icon.png b/windows/keep-secure/images/vsc-virtual-smart-card-icon.png
new file mode 100644
index 0000000000..4614d7684b
Binary files /dev/null and b/windows/keep-secure/images/vsc-virtual-smart-card-icon.png differ
diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
index d56e60b02a..ee6e108018 100644
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
@@ -131,7 +131,7 @@ The following table lists the Group Policy settings that you can configure for H
diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
index 8670def085..cc8625adb9 100644
--- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
@@ -40,7 +40,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
2. On the **Action** menu, click **Initialize TPM** to start the TPM Initialization Wizard.
3. If the TPM has never been initialized or is turned off, the TPM Initialization Wizard displays the **Turn on the TPM security hardware** dialog box. This dialog box provides guidance for initializing or turning on the TPM. Follow the instructions in the wizard.
- >**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#bkmk-setownership) procedure.
+ >**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the **To set ownership of the TPM** procedure.
>**Note:** If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM.
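Review bot: Replacing the cross-reference with plain bold text loses navigation between the two procedures. If the `#bkmk-setownership` bookmark broke because the bold procedure titles carry no explicit id, link to the title's generated slug instead, e.g. `[To set ownership of the TPM](#to-set-ownership-of-the-tpm)`, or turn the procedure titles into headings so they get anchors.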
@@ -57,7 +57,7 @@ To finish initializing the TPM for use, you must set an owner for the TPM. The p
**To set ownership of the TPM**
-1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure [To start the TPM Initialization Wizard](#bkmk-starttpminitwizard).
+1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure **To start the TPM Initialization Wizard**.
2. In the **Create the TPM owner password** dialog box, click **Automatically create the password (recommended)**.
3. In the **Save your TPM owner password** dialog box, click **Save the password**.
4. In the **Save As** dialog box, select a location to save the password, and then click **Save**. The password file is saved as *computer\_name.tpm*.
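Review bot: Same point as the previous hunk: rather than de-linking "To start the TPM Initialization Wizard", repoint it at the slug of the procedure title, `[To start the TPM Initialization Wizard](#to-start-the-tpm-initialization-wizard)`, so the reader can jump back to the steps being referenced.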
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
index 51e68f1fee..5d547bd269 100644
--- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
@@ -122,7 +122,7 @@ If you encounter a problem when trying to submit a file, try each of the followi
a. Change the following registry entry and values to change the policy on specific endpoints:
```
-HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
+HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Value = 0 - block sample collection
Value = 1 - allow sample collection
```
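Review bot: The replacement line drops the value name: the removed line ended in `AllowSampleCollection`, and the two `Value = 0/1` lines that follow now describe a value under the key `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` without saying which value to create. Keep the new key path and state the value name and type separately, for example `Key: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` followed by `Value name: AllowSampleCollection (DWORD)`, so an admin can actually set it. Since this setting gates whether endpoints upload files to the cloud, spelling it out precisely also matters for auditing who turned collection off.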
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
index fb34c03d1f..eec0ada5a4 100644
--- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -69,7 +69,7 @@ The threat category filter lets you filter the view by the following categories:
- Threat
- Low severity
-For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections).
+For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#machines-with-active-malware-detections).
You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon  to download the entire list as a CSV file.
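Review bot: The anchor is changed to `#machines-with-active-malware-detections` but the link text still reads "Investigate machines with active alerts", which no longer matches the target heading's wording and mixes "alerts" with "malware detections"; update the link text to the heading's actual title so readers can recognise the section they land on.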
@@ -81,7 +81,7 @@ Investigate the details of an alert raised on a specific machine to identify oth
You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
-- The [Machines view](#Investigate-machines-in-the-Windows-Defender-ATP-Machines-view)
+- The [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
- The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- Any individual alert
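Review bot: The first bullet now links to investigate-machines-windows-defender-advanced-threat-protection.md, which is the very file being edited, so the "Machines view" entry links the page to itself. Since the removed same-page anchor failed only because of its capital letters, a lowercase same-page anchor to the Machines view heading would keep the navigation meaningful; otherwise drop the link from that bullet.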
@@ -104,7 +104,7 @@ You'll see an aggregated view of alerts, a short description of the alert, detai
This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
-You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alerts-spotlight) feature to see the correlation between alerts and events on a specific machine.
+You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-spotlight) feature to see the correlation between alerts and events on a specific machine.

diff --git a/windows/keep-secure/isolating-apps-on-your-network.md b/windows/keep-secure/isolating-apps-on-your-network.md
index c8adf77620..9743da28c0 100644
--- a/windows/keep-secure/isolating-apps-on-your-network.md
+++ b/windows/keep-secure/isolating-apps-on-your-network.md
@@ -44,7 +44,7 @@ To isolate Windows Store apps on your network, you need to use Group Policy to d
- [Prerequisites](#prerequisites)
-- [Step 1: Define your network](#step-1-Define-your-network)
+- [Step 1: Define your network](#step-1-define-your-network)
- [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules)
diff --git a/windows/keep-secure/local-accounts.md b/windows/keep-secure/local-accounts.md
index 3e94ade971..3e50de5cc8 100644
--- a/windows/keep-secure/local-accounts.md
+++ b/windows/keep-secure/local-accounts.md
@@ -81,7 +81,7 @@ The default Administrator account is initially installed differently for Windows
In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required.
-In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. For more information, see [Security considerations](#sec-administrator-security).
+In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**.
**Account group membership**
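Review bot: the `+` line drops the `[Security considerations](#sec-administrator-security)` cross-reference, which is the only pointer from this paragraph to the guidance that explains why not to sign in as Administrator; if the target section still exists under a different heading, repoint the anchor instead of deleting the link, and if it was removed, say where the guidance now lives. Since the line is being edited anyway, "is initially disabled by default" says the same thing twice; "is disabled by default" is enough.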
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index 8fa747d356..0fd2edc0d3 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -108,7 +108,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
## Windows Defender signature updates are configured
The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md).
-When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
+When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md).
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
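Review bot: the `-` line's deep link was broken only by the stray space after `#` in `windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection`; the `+` line removes the fragment entirely while the sentence still says "see the **Compatibility** section", so the reader lands on the top of the page instead of that section. Restoring the fragment without the space keeps the deep link. Also "goes on passive mode" should read "goes into passive mode".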
diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md
index 44ee846cb2..dc661d0dbd 100644
--- a/windows/keep-secure/protect-enterprise-data-using-wip.md
+++ b/windows/keep-secure/protect-enterprise-data-using-wip.md
@@ -128,10 +128,10 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
-|Off |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.
**Note** For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
+|Off |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.
**Note** For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
## Turn off WIP
-You can turn off all Windows Information Protection and restrictions, reverting to where you were pre-WIP, with no data loss. However, turning off WIP isn't recommended. If you choose to turn it off, you can always turn it back on, but WIP won't retain your decryption and policies info.
+You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.
## Next steps
After deciding to use WIP in your enterprise, you need to:
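Review bot: the `+` line for the Off row drops "closed" from "any closed WIP-tagged files", which widens the statement to files that are currently open; unless decryption on disable is known to handle open files, keep the qualifier. The **Note** that follows inside the same cell, separated by hard line breaks, will not render inside a Markdown table row; move it below the table or join the cell with `<br>`. In the "Turn off WIP" hunk, "decrypting all devices managed by WIP" is imprecise, since it is the WIP-tagged files on those devices that are decrypted, as the table row above says; align the two sentences.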
diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 0ebb719b2e..a432c98385 100644
--- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -123,7 +123,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware li
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
- Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Microsoft Passport, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
+ Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 is required for device health attestation.
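Review bot: the `+` line renames Microsoft Passport to "Windows Hello", while the later hunk in this same file renames it to "Windows Hello for Business"; both replace the same product name in the same topic, so use one term in both places (the TPM-backed key scenario described here is the one the second hunk calls Windows Hello for Business).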
@@ -499,7 +499,7 @@ The AIK is an asymmetric (public/private) key pair that is used as a substitute
Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft
Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device.
-Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Microsoft Passport without TPM.
+Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate.
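Review bot: the `+` line keeps the unchanged sentence "Such AIK certificates are not issued by Microsoft Cloud CA" next to the bold claim that AIK certificates can be issued without an endorsement certificate, but never says who does issue them; a relying party deciding whether to trust such a certificate needs to know what it chains to. Add a clause naming the issuer for the no-endorsement-certificate case. The term change to "Windows Hello for Business" itself is fine.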
diff --git a/windows/keep-secure/remote-credential-guard.md b/windows/keep-secure/remote-credential-guard.md
index 2a813caee1..a8f2f46557 100644
--- a/windows/keep-secure/remote-credential-guard.md
+++ b/windows/keep-secure/remote-credential-guard.md
@@ -21,10 +21,30 @@ You can use Remote Credential Guard in the following ways:
- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware.
-Use the following diagrams to help understand how Remote Credential Guard works and what it helps protect against.
+## Comparing Remote Credential Guard with a server protected with Credential Guard
+
+Use the following diagrams to help understand how Remote Credential Guard works, what it helps protect against, and how it compares with using a server protected with Credential Guard. As the diagram shows, Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass the Hash, and prevents usage of a credential after disconnection.

+## Comparing Remote Credential Guard with other options for Remote Desktop connections
+
+Use the following table to compare different security options for Remote Desktop connections.
+
+> [!NOTE]
+> This table compares different options than are shown in the previous diagram.
+
+| Remote Desktop with Credential Delegation | Remote Credential Guard | Restricted Admin mode |
+|---|---|---|
+| Protection: Provides **less protection** than other modes in this table. | Protection: Provides **moderate protection**, compared to other modes in this table. | Protection: Provides **the most protection** of the modes in this table. However, it also requires you to be in the local “Administrators” group on the remote computer. |
+| Version support: The remote computer can be running **any operating system that supports credential delegation**, which was introduced in Windows Vista. | Version support: The remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | Version support: The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.
For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
+| NA | Helps prevent:
- **Pass the Hash** - Usage of a **credential after disconnection** | Prevents:
- **Pass the Hash** - Usage of **domain identity during connection** |
+| Credentials supported from the remote desktop client device:
- **Signed on** credentials - **Supplied** credentials - **Saved** credentials | Credentials supported from the remote desktop client device:
- **Signed on** credentials only | Credentials supported from the remote desktop client device:
- **Signed on** credentials - **Supplied** credentials - **Saved** credentials |
+| Access: **Users allowed**, that is, members of remote desktop users group of remote host. | Access: **Users allowed**, that is, members of remote desktop users group of remote host. | Access: **Administrators only**, that is, only members in administrators group of remote host. |
+| Network identity: Remote desktop session **connects to other resources as signed on user**. | Network identity: Remote desktop session **connects to other resources as signed on user**. | Network identity: Remote desktop session **connects to other resources as remote host’s identity**. |
+| Multi-hop: From the remote desktop, you **can connect through Remote Desktop to another computer**. | Multi-hop: From the remote desktop, you **can connect through Remote Desktop to another computer**. | No multi-hop: From the remote desktop, you **cannot connect through Remote Desktop to another computer**. |
+| Supported authentication protocol: **Any negotiable protocol**. | Supported authentication protocol: **Kerberos only**. | Supported authentication protocol: **Any negotiable protocol**. |
+
## Hardware and software requirements
The Remote Desktop client and server must meet the following requirements in order to use Remote Credential Guard:
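Review bot: several cells of the new comparison table contain hard line breaks (the "Version support" cell that continues with "For more information about patches...", the "Helps prevent:" / "Prevents:" cells, and the "Credentials supported..." cells), which breaks the Markdown table at those rows; use `<br>` inside the cells or move the advisory sentence below the table. Two smaller points in the same hunk: the "NA" cell in the credential delegation column should say "None" or "Does not prevent Pass the Hash", since "NA" reads as "not assessed"; and "Use the following diagrams ... As the diagram shows" mixes plural and singular, and the note "compares different options than are shown" should read "different options from those shown".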
@@ -58,7 +78,11 @@ You can use Remote Credential Guard on the client device by setting a Group Poli
### Turn on Remote Credential Guard by using Group Policy
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
+
2. Double-click **Restrict delegation of credentials to remote servers**.
+
+ 
+
3. Under **Use the following restricted mode**:
- If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Prefer Remote Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
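Review bot: the unchanged bullet in this hunk links "Restricted Admin mode" to a community wiki page on social.technet, while the later hunk in the same file links the same term to the comparison table added in this topic; point this bullet at the in-topic table as well so the two references agree and the page does not depend on a third-party wiki.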
@@ -66,10 +90,10 @@ You can use Remote Credential Guard on the client device by setting a Group Poli
- If you want to require Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic.
+ - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Remote Credential Guard with other options for Remote Desktop connections](#comparing-remote-credential-guard-with-other-options-for-remote-desktop-connections), earlier in this topic.
+
4. Click **OK**.
- 
-
5. Close the Group Policy Management Console.
6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied.
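Review bot: the new "Require Restricted Admin" bullet should state the consequence that the comparison table gives for that mode: the connection succeeds only if the user is a member of the local Administrators group on the remote host, and the session then reaches other resources as the host's identity rather than the user's. Without that, a helpdesk reader choosing this option for standard users will see failed connections with no hint why. Step 6's `gpupdate.exe /force` is fine as written.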
@@ -96,7 +120,7 @@ mstsc.exe /remoteGuard
- Remote Desktop Gateway is not compatible with Remote Credential Guard.
-- You cannot used saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device.
+- You cannot use saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device.
- Both the client and the server must be joined to the same domain or the domains must have a trust relationship.
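Review bot: "credentials that are different than yours" should read "different from yours", and the bullet would help more if it said why the restriction exists: the comparison table added earlier lists Remote Credential Guard as supporting "Signed on credentials only" with Kerberos as the only protocol, so saved or supplied credentials have nothing to authenticate with. A short cross-reference to that row ties the limitation to the explanation.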
diff --git a/windows/keep-secure/smart-card-and-remote-desktop-services.md b/windows/keep-secure/smart-card-and-remote-desktop-services.md
new file mode 100644
index 0000000000..5a2d8f9ed9
--- /dev/null
+++ b/windows/keep-secure/smart-card-and-remote-desktop-services.md
@@ -0,0 +1,99 @@
+---
+title: Smart Card and Remote Desktop Services (Windows 10)
+description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card and Remote Desktop Services
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
+
+The content in this topic applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic. In these versions, smart card redirection logic and **WinSCard** API are combined to support multiple redirected sessions into a single process.
+
+Smart card support is required to enable many Remote Desktop Services scenarios. These include:
+
+- Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session.
+
+- Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files.
+
+## Remote Desktop Services redirection
+
+In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in.
+
+
+
+**Remote Desktop redirection**
+
+Notes about the redirection model:
+
+1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs **net use /smartcard**.
+
+2. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer.
+
+3. The authentication is performed by the LSA in session 0.
+
+4. The CryptoAPI processing is performed in the LSA (Lsass.exe). This is possible because RDP redirector (rdpdr.sys) allows per-session, rather than per-process, context.
+
+5. The WinScard and SCRedir components, which were separate modules in operating systems earlier than Windows Vista, are now included in one module. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol.
+
+6. The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the SCardEstablishContext call.
+
+7. Changes to WinSCard.dll implementation were made in Windows Vista to improve smart card redirection.
+
+## RD Session Host server single sign-in experience
+
+As a part of the Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires that applications not have direct access to the user's password or PIN.
+
+Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it cannot be unencrypted during transit.
+
+When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user is not prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user does not receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.
+
+### Remote Desktop Services and smart card sign-in
+
+Remote Desktop Services enable users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.
+
+In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
+
+To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate:
+
+**certutil -dspublish NTAuthCA** "*DSCDPContainer*"
+
+The *DSCDPContainer* Common Name (CN) is usually the name of the certification authority.
+
+Example:
+
+**certutil -dspublish NTAuthCA** <*CertFile*> **"CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com"**
+
+For information about this option for the command-line tool, see [-dsPublish](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_dsPublish).
+
+### Remote Desktop Services and smart card sign-in across domains
+
+To enable remote access to resources in an enterprise, the root certificate for the domain must be provisioned on the smart card. From a computer that is joined to a domain, run the following command at the command line:
+
+**certutil -scroots update**
+
+For information about this option for the command-line tool, see [-SCRoots](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_SCRoots).
+
+For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the client computer's NTAUTH store. To add the store, run the following command at the command line:
+
+**certutil -addstore -enterprise NTAUTH** <*CertFile*>
+
+Where <*CertFile*> is the root certificate of the KDC certificate issuer.
+
+For information about this option for the command-line tool, see [-addstore](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_addstore).
+
+> **Note** If you use the credential SSP on computers running the supported versions of the operating system that are designated in the **Applies To** list at the beginning of this topic: To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller.
+
+Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: <*ClientName*>@<*DomainDNSName*>
+
+The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol cannot determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+
+## See also
+
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
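Review bot: the "Remote Desktop Services and smart card sign-in" section says that when the RDC client "is not in the same domain or workgroup" you use `certutil -dspublish NTAuthCA` to deploy the certificate to the client, but `-dspublish` publishes to Active Directory Domain Services (the container in the example is `CN=NTAuthCertificates,CN=Public Key Services,...`); it does not place anything on a non-domain client. The command that puts the issuer certificate into a client's NTAuth store is the `certutil -addstore -enterprise NTAUTH <CertFile>` shown in the cross-domain section below it, so the two sections should be reconciled. Related fixes in the same file: the synopsis line `**certutil -dspublish NTAuthCA** "*DSCDPContainer*"` omits the `<CertFile>` argument that the example uses; the "These include:" list opens with "Using Fast User Switching or Remote Desktop Services. A user is not able to establish..." which reads as a limitation rather than a supported scenario; and "root certification of the domain controller" should be "root certificate".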
diff --git a/windows/keep-secure/smart-card-architecture.md b/windows/keep-secure/smart-card-architecture.md
new file mode 100644
index 0000000000..84d38741cf
--- /dev/null
+++ b/windows/keep-secure/smart-card-architecture.md
@@ -0,0 +1,337 @@
+---
+title: Smart Card Architecture (Windows 10)
+description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card Architecture
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture.
+
+Authentication is a process for verifying the identity of an object or person. When you authenticate an object, such as a smart card, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that you are not dealing with an imposter.
+
+In a networking context, authentication is the act of proving identity to a network application or resource. Typically, identity is proven by a cryptographic operation that uses a key only the user knows (such as with public key cryptography), or a shared key. The server side of the authentication exchange compares the signed data with a known cryptographic key to validate the authentication attempt. Storing the cryptographic keys in a secure central location makes the authentication process scalable and maintainable.
+
+For smart cards, Windows supports a provider architecture that meets the secure authentication requirements and is extensible so that you can include custom credential providers. This topic includes information about:
+
+- [Credential provider architecture](#credential-provider-architecture)
+
+- [Smart card subsystem architecture](#smart-card-subsystem-architecture)
+
+
+
+## Credential provider architecture
+
+The following table lists the components that are included in the interactive sign-in architecture of the Windows Server and Windows operating systems.
+
+| **Component** | **Description** |
+|------------------------------------------------|-----|
+| Winlogon | Provides an interactive sign-in infrastructure. |
+| Logon UI | Provides interactive UI rendering. |
+| Credential providers (password and smart card) | Describes credential information and serializing credentials. |
+| Local Security Authority (LSA) | Processes sign-in credentials. |
+| Authentication packages | Includes NTLM and the Kerberos protocol. Communicates with server authentication packages to authenticate users. |
+
+Interactive sign-in in Windows begins when the user presses CTRL+ALT+DEL. The CTRL+ALT+DEL key combination is called a secure attention sequence (SAS). To keep other programs and processes from using it, Winlogon registers this sequence during the boot process.
+
+After receiving the SAS, the UI then generates the sign-in tile from the information received from the registered credential providers. The following graphic shows the architecture for credential providers in the Windows operating system.
+
+
+
+**Figure 1** **Credential provider architecture**
+
+Typically, a user who signs in to a computer by using a local account or a domain account must enter a user name and password. These credentials are used to verify the user's identity. For smart card sign-in, a user's credentials are contained on the smart card's security chip. A smart card reader lets the computer interact with the security chip on the smart card. When users sign in with a smart card, they enter a personal identification number (PIN) instead of a user name and password.
+
+Credential providers are in-process COM objects that run on the local system and are used to collect credentials. The Logon UI provides interactive UI rendering, Winlogon provides interactive sign-in infrastructure, and credential providers work with both of these components to help gather and process credentials.
+
+Winlogon instructs the Logon UI to display credential provider tiles after it receives an SAS event. The Logon UI queries each credential provider for the number of credentials it wants to enumerate. Credential providers have the option of specifying one of these tiles as the default. After all providers have enumerated their tiles, the Logon UI displays them to the user. The user interacts with a tile to supply the proper credentials. The Logon UI submits these credentials for authentication.
+
+Combined with supporting hardware, credential providers can extend the Windows operating system to enable users to sign in by using biometrics (for example, fingerprint, retinal, or voice recognition), password, PIN, smart card certificate, or any custom authentication package. Enterprises and IT professionals can develop and deploy custom authentication mechanisms for all domain users, and they may explicitly require users to use this custom sign-in mechanism.
+
+> **Note** Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The LSA and authentication packages enforce security.
+
+Credential providers can be designed to support single sign-in (SSO). In this process, they authenticate users to a secure network access point (by using RADIUS and other technologies) for signing in to the computer. Credential providers are also designed to support application-specific credential gathering, and they can be used for authentication to network resources, joining computers to a domain, or to provide administrator consent for User Account Control (UAC).
+
+Multiple credential providers can coexist on a computer.
+
+Credential providers must be registered on a computer running Windows, and they are responsible for:
+
+- Describing the credential information that is required for authentication.
+
+- Handling communication and logic with external authentication authorities.
+
+- Packaging credentials for interactive and network sign-in.
+
+> **Note** The Credential Provider API does not render the UI. It describes what needs to be rendered. Only the password credential provider is available in safe mode. The smart card credential provider is available in safe mode during networking.
+
+## Smart card subsystem architecture
+
+Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](http://www.pcscworkgroup.com/specifications/overview.php). Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware.
+
+### Base CSP and smart card minidriver architecture
+
+Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers.
+
+
+
+**Figure 2** **Base CSP and smart card minidriver architecture**
+
+### Caching with Base CSP and smart card KSP
+
+Smart card architecture uses caching mechanisms to assist in streamlining operations and to improve a user’s access to a PIN.
+
+- [Data caching](#data-caching): The data cache provides for a single process to minimize smart card I/O operations.
+
+- [PIN caching](#pin-caching): The PIN cache helps the user from having to reenter a PIN each time the smart card is unauthenticated.
+
+#### Data caching
+
+Each CSP implements the current smart card data cache separately. The Base CSP implements a robust caching mechanism that allows a single process to minimize smart card I/O operations.
+
+The existing global cache works as follows:
+
+1. The application requests a cryptographic operation. For example, a user certificate is to be read from the smart card.
+
+2. The CSP checks its cache for the item.
+
+3. If the item is not found in the cache, or if the item is cached but is not up-to-date, the item is read from the smart card.
+
+4. After any item has been read from the smart card, it is added to the cache. Any existing out-of-date copy of that item is replaced.
+
+Three types of objects or data are cached by the CSP: pins (for more information, see [PIN caching](#pin-caching)), certificates, and files. If any of the cached data changes, the corresponding object is read from the smart card in successive operations. For example, if a file is written to the smart card, the CSP cache becomes out-of-date for the files, and other processes read the smart card at least once to refresh their CSP cache.
+
+The global data cache is hosted in the Smart Cards for Windows service. Windows includes two public smart card API calls, SCardWriteCache and SCardReadCache. These API calls make global data caching functionality available to applications. Every smart card that conforms to the smart card minidriver specification has a 16-byte card identifier. This value is used to uniquely identify cached data that pertains to a given smart card. The standard Windows GUID type is used. These APIs allow an application to add data to and read data from the global cache.
+
+#### PIN caching
+
+The PIN cache protects the user from entering a PIN every time the smart card is unauthenticated. After a smart card is authenticated, it will not differentiate among host-side applications—any application can access private data on the smart card.
+
+To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it require multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times.
+
+The following example illustrates how this works. In this scenario, there are two applications: Outlook and Internet Explorer. The applications use smart cards for different purposes.
+
+1. The user starts Outlook and tries to send a signed e-mail. The private key is on the smart card.
+
+2. Outlook prompts the user for the smart card PIN. The user enters the correct PIN.
+
+3. E-mail data is sent to the smart card for the signature operation. The Outlook client formats the response and sends the e-mail.
+
+4. The user opens Internet Explorer and tries to access a protected site that requires Transport Layer Security (TLS) authentication for the client.
+
+5. Internet Explorer prompts the user for the smart card PIN. The user enters the correct PIN.
+
+6. The TLS-related private key operation occurs on the smart card, and the user is authenticated and signed in.
+
+7. The user returns to Outlook to send another signed e-mail. This time, the user is not prompted for a PIN because the PIN is cached from the previous operation. Similarly, if the user uses Internet Explorer again for another operation, Internet Explorer will not prompt the user for a PIN.
+
+The Base CSP internally maintains a per-process cache of the PIN. The PIN is encrypted and stored in memory. The functions that are used to secure the PIN are RtlEncryptMemory, RtlDecryptMemory, and RtlSecureZeroMemory, which will empty buffers that contained the PIN.
+
+### Smart card selection
+
+The following sections in this topic describe how Windows leverages the smart card architecture to select the correct smart card reader software, provider, and credentials for a successful smart card sign-in:
+
+- [Container specification levels](#container-specification-levels)
+
+- [Container operations](#container-operations)
+
+- [Context flags](#context-flags)
+
+- [Create a new container in silent context](#create-a-new-container-in-silent-context)
+
+- [Smart card selection behavior](#smart-card-selection-behavior)
+
+- [Make a smart card reader match](#make-a-smart-card-reader-match)
+
+- [Make a smart card match](#make-a-smart-card-match)
+
+- [Open an existing default container (no reader specified)](#open-an-existing-default-container-no-reader-specified)
+
+- [Open an existing GUID-named container (no reader specified)](#open-an-existing-guid-named-container-no-reader-specified)
+
+- [Create a new container (no reader specified)](#create-a-new-container-no-reader-specified)
+
+- [Delete a container](#delete-a-container)
+
+#### Container specification levels
+
+In response to a CryptAcquireContext call in CryptoAPI, the Base CSP tries to match the container that the caller specifies to a specific smart card and reader. The caller can provide a container name with varying levels of specificity, as shown in the following table, and sorted from most-specific to least-specific requests.
+
+Similarly, in response to a NCryptOpenKey call in CNG, the smart card KSP tries to match the container the same way, and it takes the same container format, as shown in the following table.
+
+> **Note** Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider (MS\_SMART\_CARD\_KEY\_STORAGE\_PROVIDER) must be made.
+
+| **Type** | **Name** | **Format** |
+|----------|----------|------------|
+| I | Reader Name and Container Name | \\\\.\\<Reader Name>\\<Container Name> |
+| II | Reader Name and Container Name (NULL) | \\\\.\\<Reader Name> |
+| III | Container Name Only | <Container Name> |
+| IV | Default Container (NULL) Only | NULL |
+
+The Base CSP and smart card KSP cache smart card handle information about the calling process and about the smart cards the process has accessed. When searching for a smart card container, the Base CSP or smart card KSP first checks its cache for the process. If the cached handle is invalid or no match is found, the SCardUIDlg API is called to get the card handle.
+
+#### Container operations
+
+The following three container operations can be requested by using CryptAcquireContext:
+
+1. Create a new container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_NEWKEYSET is NCryptCreatePersistedKey.)
+
+2. Open an existing container. (The CNG equivalent of CryptAcquireContext to open the container is NCryptOpenKey.)
+
+3. Delete a container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_DELETEKEYSET is NCryptDeleteKey.)
+
+The heuristics that are used to associate a cryptographic handle with a particular smart card and reader are based on the container operation requested and the level of container specification used.
+
+The following table shows the restrictions for the container creation operation.
+
+| **Specification** | **Restriction** |
+|------------------------------------|-----------|
+| No silent context | Key container creation must always be able to show UI, such as the PIN prompt. |
+| No overwriting existing containers | If the specified container already exists on the chosen smart card, choose another smart card or cancel the operation. |
+
+#### Context flags
+
+The following table shows the context flags used as restrictions for the container creation operation.
+
+| **Flag** | **Description** |
+|------------------------|------------------------------------------------------|
+| CRYPT\_SILENT | No UI can be displayed during this operation. |
+| CRYPT\_MACHINE\_KEYSET | No cached data should be used during this operation. |
+| CRYPT\_VERIFYCONTEXT | Only public data can be accessed on the smart card. |
+
+In addition to container operations and container specifications, you must consider other user options, such as the CryptAcquireContext flags, during smart card selection.
+
+> **Important** The CRYPT\_SILENT flag cannot be used to create a new container.
+
+#### Create a new container in silent context
+
+Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set the PIN in silent context, and then create a new container in silent context. This operation occurs as follows:
+
+1. Call CryptAcquireContext by passing the smart card reader name in as a type II container specification level, and specifying the CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL flag.
+
+2. Call CryptSetProvParam by specifying PP\_KEYEXCHANGE\_PIN or PP\_SIGNATURE\_PIN and a null-terminated ASCII PIN.
+
+3. Release the context acquired in Step 1.
+
+4. Call CryptAcquireContext with CRYPT\_NEWKEYSET, and specify the type I container specification level.
+
+5. Call CryptGenKey to create the key.
+
+#### Smart card selection behavior
+
+In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart in Figure 3 shows the selection steps performed by the Windows operating system.
+
+
+
+**Figure 3** **Smart card selection behavior**
+
+In general, smart card selection behavior is handled by the SCardUIDlgSelectCard API. The Base CSP interacts with this API by calling it directly. The Base CSP also sends callback functions that have the purpose of filtering and matching candidate smart cards. Callers of CryptAcquireContext provide smart card matching information. Internally, the Base CSP uses a combination of smart card serial numbers, reader names, and container names to find specific smart cards.
+
+Each call to SCardUI \* may result in additional information read from a candidate smart card. The Base CSP smart card selection callbacks cache this information.
+
+#### Make a smart card reader match
+
+For type I and type II container specification levels, the smart card selection process is less complex because only the smart card in the named reader can be considered a match. The process for matching a smart card with a smart card reader is:
+
+1. Find the requested smart card reader. If it cannot be found, the process fails. (This requires a cache search by reader name.)
+
+2. If no smart card is in the reader, the user is prompted to insert a smart card. (This is only in non-silent mode; if the call is made in silent mode, it will fail.)
+
+3. For container specification level II only, the name of the default container on the chosen smart card is determined.
+
+4. To open an existing container or delete an existing container, find the specified container. If the specified container cannot be found on this smart card, the user is prompted to insert a smart card.
+
+5. If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails.
+
+#### Make a smart card match
+
+For container specification levels III and IV, a broader method is used to match an appropriate smart card with a user context, because multiple cached smart cards might meet the criteria provided.
+
+#### Open an existing default container (no reader specified)
+
+> **Note** This operation requires that you use the smart card with the Base CSP.
+
+1. For each smart card that has been accessed by the Base CSP and the handle and container information are cached, the Base CSP looks for a valid default container. An operation is attempted on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the Base CSP continues to search for a new smart card.
+
+2. If a matching smart card is not found in the Base CSP cache, the Base CSP calls to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with a valid default container.
+
+#### Open an existing GUID-named container (no reader specified)
+
+> **Note** This operation requires that you use the smart card with the Base CSP.
+
+1. For each smart card that is already registered with the Base CSP, search for the requested container. Attempt an operation on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the smart card's serial number is passed to the SCardUI \* API to continue searching for this specific smart card (rather than only a general match for the container name).
+
+2. If a matching smart card is not found in the Base CSP cache, a call is made to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with the requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter attempts to match the serial number, not the container name.
+
+#### Create a new container (no reader specified)
+
+> **Note** This operation requires that you use the smart card with the Base CSP.
+
+If the PIN is not cached, no CRYPT\_SILENT is allowed for the container creation because the user must be prompted for a PIN, at a minimum.
+
+For other operations, the caller may be able to acquire a "verify" context against the default container (CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL) and then make a call with CryptSetProvParam to cache the user PIN for subsequent operations.
+
+1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
+
+ 1. If the smart card has been removed, continue the search.
+
+ 2. If the smart card is present, but it already has the named container, continue the search.
+
+ 3. If the smart card is available, but a call to CardQueryFreeSpace indicates that the smart card has insufficient storage for an additional key container, continue the search.
+
+ 4. Otherwise, use the first available smart card that meets the above criteria for the container creation.
+
+2. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards verifies that a candidate smart card does not already have the named container, and that CardQueryFreeSpace indicates the smart card has sufficient space for an additional container. If no suitable smart card is found, the user is prompted to insert a smart card.
+
+#### Delete a container
+
+1. If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation is not recommended.
+
+2. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
+
+ 1. If the smart card does not have the named container, continue the search.
+
+ 2. If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI \*.
+
+3. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was provided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card.
+
+### Base CSP and KSP-based architecture in Windows
+
+Figure 4 shows the Cryptography architecture that is used by the Windows operating system.
+
+
+
+**Figure 4** **Cryptography architecture**
+
+### Base CSP and smart card KSP properties in Windows
+
+The following properties are supported in versions of Windows designated in the **Applies To** list at the beginning of this topic.
+
+> **Note** The API definitions are located in WinCrypt.h and WinSCard.h.
+
+| **Property** | **Description** |
+|-----------------------|------------------|
+| PP\_USER\_CERTSTORE | - Used to return an HCERTSTORE that contains all user certificates on the smart card - Read-only (used only by CryptGetProvParam) - Caller responsible for closing the certificate store - Certificate encoded using PKCS\_7\_ASN\_ENCODING or X509\_ASN\_ENCODING - CSP should set KEY\_PROV\_INFO on certificates - Certificate store should be assumed to be an in-memory store - Certificates should have a valid CRYPT\_KEY\_PROV\_INFO as a property |
+| PP\_ROOT\_CERTSTORE | - Read and Write (used by CryptGetProvParam and CryptSetProvParam) - Used to write a collection of root certificates to the smart card or return HCERTSTORE, which contains root certificates from the smart card - Used primarily for joining a domain by using a smart card - Caller responsible for closing the certificate store |
+| PP\_SMARTCARD\_READER | - Read-only (used only by CryptGetProvParam) - Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) |
+| PP\_SMARTCARD\_GUID | - Return smart card GUID (also known as a serial number), which should be unique for each smart card - Used by the certificate propagation service to track the source of a root certificate|
+| PP\_UI\_PROMPT | - Used to set the search string for the SCardUIDlgSelectCard card insertion dialog box - Persistent for the entire process when it is set - Write-only (used only by CryptSetProvParam) |
+
+### Implications for CSPs in Windows
+
+Credential Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES.
+
+If a smart card is registered by a CSP and a smart card minidriver, the one that was installed most recently will be used to communicate with the smart card.
+
+### Write a smart card minidriver, CSP, or KSP
+
+CSPs and KSPs are meant to be written only if specific functionality is not available in the current smart card minidriver architecture. For example, the smart card minidriver architecture supports hardware security modules, so a minidriver could be written for a hardware security module, and a CSP or KSP may not be required unless it is needed to support algorithms that are not implemented in the Base CSP or smart card KSP.
+
+For more information about how to write a smart card minidriver, CSP, or KSP, see [Smart Card Minidrivers](https://msdn.microsoft.com/windows/hardware/drivers/smartcard/smart-card-minidrivers).
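Review bot: CSP is expanded as "Credential Service Provider" in the opening paragraph of this hunk ("Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces") and again under "Implications for CSPs in Windows", while the other files in this patch expand it as "cryptographic service provider (CSP)"; the CryptoAPI term is Cryptographic Service Provider, so both occurrences should be changed to match. The three figures referenced here ("Figure 2 illustrates", "The flow chart in Figure 3 shows", "Figure 4 shows") have only a blank line and a bold caption where the image embed should be, so the image links appear to have been dropped. Smaller points in the same hunk: "or it require multiple authentication operations" should read "or it requires"; "Three types of objects or data are cached by the CSP: pins" should use "PINs"; and the sentence "The following table shows the context flags used as restrictions for the container creation operation" is followed by flags (CRYPT_SILENT, CRYPT_MACHINE_KEYSET, CRYPT_VERIFYCONTEXT) that the next paragraph says apply to smart card selection in general, so consider rewording that lead sentence.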
diff --git a/windows/keep-secure/smart-card-certificate-propagation-service.md b/windows/keep-secure/smart-card-certificate-propagation-service.md
new file mode 100644
index 0000000000..4668d29aa8
--- /dev/null
+++ b/windows/keep-secure/smart-card-certificate-propagation-service.md
@@ -0,0 +1,75 @@
+---
+title: Certificate Propagation Service (Windows 10)
+description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Certificate Propagation Service
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
+
+The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+
+> **Note** The certificate propagation service must be running for smart card Plug and Play to work.
+
+The following figure shows the flow of the certificate propagation service. The action begins when a signed-in user inserts a smart card.
+
+1. The arrow labeled **1** indicates that the Service Control Manager (SCM) notifies the certificate propagation service (CertPropSvc) when a user signs in, and CertPropSvc begins to monitor the smart cards in the user session.
+
+2. The arrow labeled **R** represents the possibility of a remote session and the use of smart card redirection.
+
+3. The arrow labeled **2** indicates the certification to the reader.
+
+4. The arrow labeled **3** indicates the access to the certificate store during the client session.
+
+**Certificate propagation service**
+
+
+
+1. A signed-in user inserts a smart card.
+
+2. CertPropSvc is notified that a smart card was inserted.
+
+3. CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store.
+
+> **Note** The certificate propagation service is started as a Remote Desktop Services dependency.
+
+Properties of the certificate propagation service include:
+
+- CERT\_STORE\_ADD\_REPLACE\_EXISTING\_INHERIT\_PROPERTIES adds certificates to a user's Personal store.
+
+- If the certificate has the CERT\_ENROLLMENT\_PROP\_ID property (as defined by wincrypt.h), it filters empty requests and places them in the current user's request store, but it does not propagate them to the user's Personal store.
+
+- The service does not propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store.
+
+- The service propagates certificates according to Group Policy options that are set, which may include:
+
+ - **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated.
+
+ - **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated.
+
+ - **Configure root certificate cleanup** specifies how root certificates are removed.
+
+## Root certificate propagation service
+
+Root certificate propagation is responsible for the following smart card deployment scenarios when public key infrastructure (PKI) trust has not yet been established:
+
+- Joining the domain
+
+- Accessing a network remotely
+
+In both cases, the computer is not joined to a domain, and therefore, trust is not being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain.
+
+When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You may also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+
+For more information about root certificate requirements, see [Smart card root certificate requirements for use with domain sign-in](smart-card-certificate-requirements-and-enumeration.md#smart-card-root-certificate-requirements-for-use-with-domain-sign-in).
+
+## See also
+
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
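Review bot: The figure promised by "The following figure shows the flow of the certificate propagation service" is missing: only a blank line follows the "**Certificate propagation service**" caption, and the four arrow descriptions (1, R, 2, 3) cannot be followed without it. "The arrow labeled **2** indicates the certification to the reader" is also ambiguous (certification of what?); if the arrow shows the certificate being read from the reader, say so. The second numbered list (insert card, notify CertPropSvc, read certificates) restarts at 1 immediately after the arrow list, so a short lead-in such as "The sequence of events is:" would mark it as a separate list. Finally, the CERT_ENROLLMENT_PROP_ID bullet ("it filters empty requests and places them in the current user's request store") does not say what an "empty request" is; one clause defining it would help.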
diff --git a/windows/keep-secure/smart-card-certificate-requirements-and-enumeration.md b/windows/keep-secure/smart-card-certificate-requirements-and-enumeration.md
new file mode 100644
index 0000000000..16e40288d5
--- /dev/null
+++ b/windows/keep-secure/smart-card-certificate-requirements-and-enumeration.md
@@ -0,0 +1,317 @@
+---
+title: Certificate Requirements and Enumeration (Windows 10)
+description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Certificate Requirements and Enumeration
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
+
+When a smart card is inserted, the following steps are performed.
+
+> **Note** Unless otherwise mentioned, all operations are performed silently (CRYPT\_SILENT is passed to CryptAcquireContext).
+
+1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP).
+
+2. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\\\.\\<Reader name>*\\
+
+3. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in.
+
+4. The name of the container is retrieved by using the PP\_CONTAINER parameter with CryptGetProvParam.
+
+5. Using the context acquired in Step 3, the CSP is queried for the PP\_USER\_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8.
+
+6. If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT\_KEYEXCHANGE key.
+
+7. The certificate is then queried from the key context by using KP\_CERTIFICATE. The certificate is added to an in-memory certificate store.
+
+8. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed:
+
+ 1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date).
+
+ 2. The certificate must not be in the AT\_SIGNATURE part of a container.
+
+ 3. The certificate must have a valid user principal name (UPN).
+
+ 4. The certificate must have the digital signature key usage.
+
+ 5. The certificate must have the smart card logon EKU.
+
+ Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions).
+
+ > **Note** These requirements are the same as those in Windows Server 2003, but they are performed before the user enters the PIN. You can override many of them by using Group Policy settings.
+
+9. The process then chooses a certificate, and the PIN is entered.
+
+10. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt.
+
+11. If successful, LogonUI.exe closes. This causes the context acquired in Step 3 to be released.
+
+## About Certificate support for compatibility
+
+Although versions of Windows earlier than Windows Vista include support for smart cards, the types of certificates that smart cards can contain are limited. The limitations are:
+
+- Each certificate must have a user principal name (UPN) and the smart card sign-in object identifier (also known as OID) in the enhanced key usage (EKU) attribute field. There is a Group Policy setting, Allow ECC certificates to be used for logon and authentication, to make the EKU optional.
+
+- Each certificate must be stored in the AT\_KEYEXCHANGE portion of the default CryptoAPI container, and non-default CryptoAPI containers are not supported.
+
+The following table lists the certificate support in older Windows operating system versions.
+
+| **Operating system** | **Certificate support** |
+|---------------------------------------|----------------------------------------------------------------------------------------------------------|
+| Windows Server 2008 R2 and Windows 7 | Support for smart card sign-in with ECC-based certificates. ECC smart card sign-in is enabled through Group Policy.
ECDH\_P256 ECDH Curve P-256 from FIPS 186-2
ECDSA\_P256 ECDSA Curve P-256 from FIPS 186-2
ECDH\_P384 ECDH Curve P-384 from FIPS 186-2
ECDH\_P521 ECDH Curve P-521 from FIPS 186-2
ECDSA\_P256 ECDH Curve P-256 from FIPS 186-2
ECDSA\_P384 ECDSA Curve P-384 from FIPS 186-2
ECDSA\_P521 ECDSA Curve P-384 from FIPS 186-2 |
+| Windows Server 2008 and Windows Vista | Valid certificates are enumerated and displayed from all smart cards and presented to the user. Keys are no longer restricted to the default container, and certificates in different containers can be chosen. Elliptic curve cryptography (ECC)-based certificates are not supported for smart card sign-in |
+
+## Smart card sign-in flow in Windows
+
+Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) does not reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change.
+
+In the supported versions of Windows designated in the **Applies To** list at the beginning of this topic, client certificates that do not contain a UPN in the **subjectAltName** (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
+
+Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy.
+
+If you enable the **Allow signature keys valid for Logon** credential provider policy, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. This allows users to select their sign-in experience. If the policy is disabled or not configured, smart card signature-key-based certificates are not listed on the sign-in screen.
+
+The following diagram illustrates how smart card sign-in works in the supported versions of Windows.
+
+
+
+**Smart card sign-in flow**
+
+Following are the steps that are performed during a smart card sign-in:
+
+1. Winlogon requests the sign-in UI credential information.
+
+2. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following:
+
+ 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected).
+
+ 2. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them.
+
+ 3. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal.
+
+ > **Note** Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created.
+
+ 4. Notifies the sign-in UI that it has new credentials.
+
+3. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box.
+
+4. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN.
+
+5. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB\_CERTIFICATE\_LOGON structure. The main contents of the KERB\_CERTIFICATE\_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts.
+
+6. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI.
+
+7. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser.
+
+8. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB\_AS\_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
+
+ If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key. If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key.
+
+9. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP).
+
+10. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller.
+
+11. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature.
+
+12. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store.
+
+13. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT’s authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member.
+
+14. The domain controller returns the TGT to the client as part of the KRB\_AS\_REP response.
+
+ > **Note** The KRB\_AS\_REP packet consists of:
+ >- Privilege attribute certificate (PAC)
+ >- User's SID
+ >- SIDs of any groups of which the user is a member
+ >- A request for ticket-granting service (TGS)
+ >- Preauthentication data
+
+ TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As part of the decryption process, if the private key is on a smart card, a call is made to the smart card subsystem by using the specified CSP to extract the certificate corresponding to the user's public key. (Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam.) After the temporary key is obtained, the Kerberos SSP decrypts the session key.
+
+15. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and then it uses the KDC's public key to verify the reply signature.
+
+16. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local computer.
+
+17. With success, LSA stores the tickets and returns a success message to LSALogonUser. After this success message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and other actions are performed.
+
+18. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event, reads the certificates from the smart card (including the root certificates), and then populates them into the user's certificate store (MYSTORE).
+
+19. CSP to smart card resource manager communication happens on the LRPC Channel.
+
+20. On successful authentication, certificates are propagated to the user's store asynchronously by the Certificate Propagation Service (CertPropSvc).
+
+21. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for sign-in, but they remain in the user's certificate store.
+
+> **Note** A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. The SID never changes, even if the user or group account is renamed.
+
+For more information about the Kerberos protocol, see [Microsoft Kerberos](https://msdn.microsoft.com/library/windows/desktop/aa378747(v=vs.85).aspx).
+
+By default, the KDC verifies that the client's certificate contains the smart card client authentication EKU szOID\_KP\_SMARTCARD\_LOGON. However, if enabled, the **Allow certificates with no extended key usage certificate attribute** Group Policy setting allows the KDC to not require the SC-LOGON EKU. SC-LOGON EKU is not required for account mappings that are based on the public key.
+
+## KDC certificate
+
+Active Directory Certificate Services provides three kinds of certificate templates:
+
+- Domain controller
+
+- Domain controller authentication
+
+- Kerberos authentication
+
+Depending on the configuration of the domain controller, one of these types of certificates is sent as a part of the AS\_REP packet.
+
+## Client certificate requirements and mappings
+
+Certificate requirements are listed by versions of the Windows operating system. Certificate mapping describes how information from the certificate is mapped to the user account.
+
+### Certificate requirements
+
+The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider.
+
+| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, and Windows Vista** | **Requirements for Windows XP** |
+|--------------------------------------|--------------------------------|------|
+| CRL distribution point location | Not required | The location must be specified, online, and available, for example: \[1\]CRL Distribution Point Distribution Point Name: Full Name: URL=http://server1.contoso.com/CertEnroll/caname.crl |
+| Key usage | Digital signature | Digital signature |
+| Basic constraints | Not required | \[Subject Type=End Entity, Path Length Constraint=None\] (Optional) |
+| Enhanced key usage (EKU) | The smart card sign-in object identifier is not required.
**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | - Client Authentication (1.3.6.1.5.5.7.3.2) The client authentication object identifier is required only if a certificate is used for SSL authentication.
- Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) |
+| Subject alternative name | E-mail ID is not required for smart card sign-in. | Other Name: Principal Name=(UPN), for example: UPN=user1@contoso.com The UPN OtherName object identifier is 1.3.6.1.4.1.311.20.2.3. The UPN OtherName value must be an ASN1-encoded UTF8 string. |
+| Subject | Not required | Distinguished name of user. This field is a mandatory extension, but the population of this field is optional. |
+| Key exchange (AT\_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) | Not required |
+| CRL | Not required | Not required |
+| UPN | Not required | Not required |
+| Notes | You can enable any certificate to be visible for the smart card credential provider. | There are two predefined types of private keys. These keys are Signature Only (AT\_SIGNATURE) and Key Exchange (AT\_KEYEXCHANGE). Smart card sign-in certificates must have a Key Exchange (AT\_KEYEXCHANGE) private key type. |
+
+### Client certificate mappings
+
+Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that do not contain information in the SAN field are also supported.
+
+SSL/TLS can map certificates that do not have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: <I>"*<Issuer Name>*"<S>"*<Subject Name>*. The *<Issuer Name>* and *<Subject Name>* are taken from the client certificate, with '\\r' and '\\n' replaced with ','.
+
+**Certificate revocation list distribution points**
+
+
+
+**UPN in Subject Alternative Name field**
+
+
+
+**Subject and Issuer fields**
+
+
+
+This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates a flow of user account mapping logic that is used by the KDC.
+
+**High-level flow of certificate processing for sign-in**
+
+
+
+The certificate object is parsed to look for content to perform user account mapping.
+
+- When a user name is provided with the certificate, the user name is used to locate the account object. This operation is the fastest, because string matching occurs.
+
+- When only the certificate object is provided, a series of operations are performed to locate the user name to map the user name to an account object.
+
+- When no domain information is available for authentication, the local domain is used by default. If any other domain is to be used for lookup, a domain name hint should be provided to perform the mapping and binding.
+
+Mapping based on generic attributes is not possible because there is no generic API to retrieve attributes from a certificate. Currently, the first method that locates an account successfully stops the search. But a configuration error occurs if two methods map the same certificate to different user accounts when the client does not supply the client name through the mapping hints.
+
+The following figure illustrates the process of mapping user accounts for sign-in in the directory by viewing various entries in the certificate.
+
+**Certificate processing logic**
+
+
+
+NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](https://msdn.microsoft.com/library/aa377163.aspx).
+
+## Smart card sign-in for a single user with one certificate into multiple accounts
+
+A single user certificate can be mapped to multiple accounts. For example, a user might be able to sign in to a user account and also to sign in as a domain administrator. The mapping is done by using the constructed AltSecID based on attributes from client accounts. For information about how this mapping is evaluated, see [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings).
+
+> **Note** Because each account has a different user name, we recommend that you enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) to provide the optional fields that allow users to enter their user names and domain information to sign in.
+
+Based on the information that is available in the certificate, the sign-in conditions are:
+
+1. If no UPN is present in the certificate:
+
+ 1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts.
+
+ 2. A hint must be supplied if mapping is not unique (for example, if multiple users are mapped to the same certificate).
+
+2. If a UPN is present in the certificate:
+
+ 1. The certificate cannot be mapped to multiple users in the same forest.
+
+ 2. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user.
+
+## Smart card sign-in for multiple users into a single account
+
+A group of users might sign in to a single account (for example, an administrator account). For that account, user certificates are mapped so that they are enabled for sign-in.
+
+Several distinct certificates can be mapped to a single account. For this to work properly, the certificate cannot have UPNs.
+
+For example, if Certificate1 has CN=CNName1, Certificate2 has CN=User1, and Certificate3 has CN=User2, the AltSecID of these certificates can be mapped to a single account by using the Active Directory Users and Computers name mapping.
+
+## Smart card sign-in across forests
+
+For account mapping to work across forests, particularly in cases where there is not enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\\user*, or a fully qualified UPN such as *user@contoso.com*.
+
+> **Note** For the hint field to appear during smart card sign-in, the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) must be enabled on the client.
+
+## OCSP support for PKINIT
+
+Online Certificate Status Protocol (OCSP), which is defined in RFC 2560, enables applications to obtain timely information about the revocation status of a certificate. Because OCSP responses are small and well bound, constrained clients might want to use OCSP to check the validity of the certificates for Kerberos on the KDC, to avoid transmission of large CRLs, and to save bandwidth on constrained networks. For information about CRL registry keys, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+
+The KDCs in Windows attempt to get OCSP responses and use them when available. This behavior cannot be disabled. CryptoAPI for OCSP caches OCSP responses and the status of the responses. The KDC supports only OCSP responses for the signer certificate.
+
+Windows client computers attempt to request the OCSP responses and use them in the reply when they are available. This behavior cannot be disabled.
+
+## Smart card root certificate requirements for use with domain sign-in
+
+For sign-in to work in a smart card-based domain, the smart card certificate must meet the following conditions:
+
+- The KDC root certificate on the smart card must have an HTTP CRL distribution point listed in its certificate.
+
+- The smart card sign-in certificate must have the HTTP CRL distribution point listed in its certificate.
+
+- The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty.
+
+- The smart card certificate must contain one of the following:
+
+ - A subject field that contains the DNS domain name in the distinguished name. If it does not, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail.
+
+ - A UPN where the domain name resolves to the actual domain. For example, if the domain name is Engineering.Corp.Contoso, the UPN is username@engineering.corp.contoso.com. If any part of the domain name is omitted, the Kerberos client cannot find the appropriate domain.
+
+Although the HTTP CRL distribution points are on by default in Windows Server 2008, subsequent versions of the Windows Server operating system do not include HTTP CRL distribution points. To allow smart card sign-in to a domain in these versions, do the following:
+
+1. Enable HTTP CRL distribution points on the CA.
+
+2. Restart the CA.
+
+3. Reissue the KDC certificate.
+
+4. Issue or reissue the smart card sign-in certificate.
+
+5. Propagate the updated root certificate to the smart card that you want to use for the domain sign-in.
+
+The workaround is to enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key), which allows the user to supply a hint in the credentials user interface for domain sign-in.
+
+If the client computer is not joined to the domain or if it is joined to a different domain, the client computer can resolve the server domain only by looking at the distinguished name on the certificate, not the UPN. For this scenario to work, the certificate requires a full subject, including DC=*<DomainControllerName>*, for domain name resolution.
+
+To deploy root certificates on a smart card for the currently joined domain, you can use the following command:
+
+**certutil -scroots update**
+
+For more information about this option for the command-line tool, see [-SCRoots](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_SCRoots).
+
+## See also
+
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
+
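Review bot: The Enhanced key usage (EKU) row of the certificate requirements table is split over three physical lines (the cell continues on the lines beginning `**Note** If an EKU is present` and `- Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) |`), so the markdown table stops rendering at that row; fold the cell onto one line and use `<br>` for the intended breaks, as the other cells do. Two correctness points in the same hunk: `DC=*<DomainControllerName>*` in the paragraph about clients not joined to the domain mislabels the attribute, since DC in a distinguished name is the domain component (for example `DC=contoso,DC=com`), not a domain controller name; and `CryptgetUserKey` in the note under step 14 should be `CryptGetUserKey`. Smaller items: `which containing a preauthenticator` in step 8 should read `which contains a preauthenticator`, and the bold figure captions from `**Certificate revocation list distribution points**` through `**Certificate processing logic**` have nothing beneath them, so either add the image references or drop the captions.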
diff --git a/windows/keep-secure/smart-card-debugging-information.md b/windows/keep-secure/smart-card-debugging-information.md
new file mode 100644
index 0000000000..c793347093
--- /dev/null
+++ b/windows/keep-secure/smart-card-debugging-information.md
@@ -0,0 +1,239 @@
+---
+title: Smart Cards Debugging Information (Windows 10)
+description: This topic explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Cards Debugging Information
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
+
+Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use.
+
+- [Certutil](#certutil)
+
+- [Debugging and tracing using WPP](#debugging-and-tracing-using-wpp)
+
+- [Kerberos protocol, KDC and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
+
+- [Smart Card service](#smart-card-service)
+
+- [Smart card readers](#smart-card-readers)
+
+- [CryptoAPI 2.0 Diagnostics](#cryptoapi-20-diagnostics)
+
+## Certutil
+
+For a complete description of Certutil including examples that show how to use it, see [Certutil \[W2012\]](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx).
+
+### List certificates available on the smart card
+
+To list certificates that are available on the smart card, type certutil -scinfo.
+
+> **Note** Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
+
+### Delete certificates on the smart card
+
+Each certificate is enclosed in a container. When you delete a certificate on the smart card, you are deleting the container for the certificate.
+
+To find the container value, type certutil -scinfo.
+
+To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider"** "<*ContainerValue*>".
+
+## Debugging and tracing using WPP
+
+Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider, and it provides a mechanism for the trace provider to log real-time binary messages. Logged messages can subsequently be converted to a human-readable trace of the operation of the trace provider. For more information about WPP, see [Diagnostics with WPP - The NDIS blog](http://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
+
+### Enable the trace
+
+Using WPP, use one of the following commands to enable tracing:
+
+- **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1**
+
+- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>***.etl -mode 0x00080000**
+
+You can use the parameters in the following table.
+
+| **Friendly name** | **GUID** | **Flags** |
+|-------------------|--------------------------------------|-----------|
+| scardsvr | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
+| winscard | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
+| basecsp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
+| scksp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
+| msclmd | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
+| credprov | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
+| certprop | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
+| scfilter | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
+| wudfusbccid | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
+
+Examples
+
+To enable tracing for the SCardSvr service:
+
+- tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\\scardsvr.etl -flags 0xffff -ft 1
+
+- logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\\scardsvr.etl -mode 0x00080000
+
+To enable tracing for scfilter.sys:
+
+tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\\scfilter.etl -flags 0xffff -ft 1
+
+### Stop the trace
+
+Using WPP, use one of the following commands to stop the tracing:
+
+- **tracelog.exe -stop** <*FriendlyName*>
+
+- **logman -stop** <*FriendlyName*> **-ets**
+
+Examples
+
+To stop a trace:
+
+- tracelog.exe -stop scardsvr
+
+- logman -stop scardsvr -ets
+
+## Kerberos protocol, KDC and NTLM debugging and tracing
+
+
+
+You can use the following resources to begin troubleshooting these protocols and the KDC:
+
+- [Kerberos and LDAP Troubleshooting Tips](https://technet.microsoft.com/library/bb463167.aspx)
+
+- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit) You can use the trace log tool in this SDK to debug Kerberos authentication failures.
+
+To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in the following examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
+
+### NTLM
+
+To enable tracing for NTLM authentication, run the following at the command line:
+
+tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1
+
+To stop tracing for NTLM authentication, run the following at the command line:
+
+tracelog -stop ntlm
+
+### Kerberos authentication
+
+To enable tracing for Kerberos authentication, run the following at the command line:
+
+tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\\kerb.etl -flags 0x43 -ft 1
+
+To stop tracing for Kerberos authentication, run the following at the command line:
+
+tracelog.exe -stop kerb
+
+### KDC
+
+To enable tracing for the Key Distribution Center (KDC), run the following at the command line:
+
+tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1
+
+To stop tracing for the KDC, run the following at the command line:
+
+tracelog.exe -stop kdc
+
+To stop tracing from a remote computer, run the following at the command line: logman.exe -s *<ComputerName>*.
+
+> **Note** The default location for logman.exe is %systemroot%system32\\. Use the **-s** option to supply a computer name.
+
+### Configure tracing with the registry
+
+You can also configure tracing by editing the Kerberos registry values shown in the following table.
+
+| **Element** | **Registry Key Setting** |
+|-------------|----------------------------------------------------|
+| NTLM | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1\_0 Value name: NtLmInfoLevel Value type: DWORD Value data: c0015003 |
+| Kerberos | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos Value name: LogToFile Value type: DWORD Value data: 00000001
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters Value name: KerbDebugLevel Value type: DWORD Value data: c0000043
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters Value name: LogToFile Value type: DWORD Value data: 00000001 |
+| KDC | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc Value name: KdcDebugLevel Value type: DWORD Value data: c0000803 |
+
+If you used Tracelog, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
+
+Otherwise, if you used the registry key settings shown in the previous table, look for the generated trace log files in the following locations:
+
+- NTLM: %systemroot%\\tracing\\msv1\_0
+
+- Kerberos: %systemroot%\\tracing\\kerberos
+
+- KDC: %systemroot%\\tracing\\kdcsvc
+
+To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [Tracefmt](https://msdn.microsoft.com/library/ff552974.aspx).
+
+## Smart Card service
+
+The smart card resource manager service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process.
+
+**To check if Smart Card service is running**
+
+1. Press CTRL+ALT+DEL, and then click **Start Task Manager**.
+
+2. In the **Windows Task Manager** dialog box, click the **Services** tab.
+
+3. Click the **Name** column to sort the list alphabetically, and then type **s**.
+
+4. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped.
+
+**To restart Smart Card service**
+
+1. Run as administrator at the command prompt.
+
+2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+
+3. At the command prompt, type **net stop SCardSvr**.
+
+4. At the command prompt, type **net start SCardSvr**.
+
+You can use the following command at the command prompt to check whether the service is running: **sc queryex scardsvr**.
+
+The following is example output from running this command:
+
+```
+SERVICE_NAME: scardsvr
+ TYPE : 20 WIN32_SHARE_PROCESS
+ STATE : 4 RUNNING
+ (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
+ WIN32_EXIT_CODE : 0 (0x0)
+ SERVICE_EXIT_CODE : 0 (0x0)
+ CHECKPOINT : 0x0
+ WAIT_HINT : 0x0
+ PID : 1320
+ FLAGS :
+C:\>
+```
+
+## Smart card readers
+
+As with any device connected to a computer, Device Manager can be used to view properties and begin the debug process.
+
+**To check if smart card reader is working**
+
+1. Navigate to **Computer**.
+
+2. Right-click **Computer**, and then click **Properties**.
+
+3. Under **Tasks**, click **Device Manager**.
+
+4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then click **Properties**.
+
+> **Note** If the smart card reader is not listed in Device Manager, in the **Action** menu, click **Scan for hardware changes**.
+
+## CryptoAPI 2.0 Diagnostics
+
+CryptoAPI 2.0 Diagnostics is a feature that is available in Windows operating systems that supports CryptoAPI 2.0. This feature can help you troubleshoot public key infrastructure (PKI) issues.
+
+CryptoAPI 2.0 Diagnostics logs events in the Windows event log, which contain detailed information about certificate chain validation, certificate store operations, and signature verification. This information makes it easier to identify the causes of issues and reduces the time required for diagnosis.
+
+For more information about CryptoAPI 2.0 Diagnostics, see [Troubleshooting an Enterprise PKI](https://technet.microsoft.com/library/cc771463.aspx).
+
+## See also
+
+[Smart Card Technical Reference](smart-card-windows-smart-card-technical-reference.md)
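Review bot: The logman template under "Enable the trace" passes the flags as `-<Flags>` with a leading hyphen, while the worked example passes them positionally (`-p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff`), which is the form logman accepts for `-p <provider [flags [level]]>`; drop the hyphen from the template so it matches the example. Also in this hunk: the Kerberos row of the registry table spans three physical lines (the two lines beginning `HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters`), which breaks the table, so fold that cell onto one line; `%systemroot%system32\\` in the note after the KDC section is missing the backslash after `%systemroot%`; and `logman.exe -s <ComputerName>` is presented as the command to stop tracing on a remote computer, but `-s` only selects the target computer, so show the full stop command (for example `logman stop <FriendlyName> -ets -s <ComputerName>`).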
diff --git a/windows/keep-secure/smart-card-events.md b/windows/keep-secure/smart-card-events.md
new file mode 100644
index 0000000000..7fcd797652
--- /dev/null
+++ b/windows/keep-secure/smart-card-events.md
@@ -0,0 +1,111 @@
+---
+title: Smart Card Events (Windows 10)
+description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card Events
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
+
+A number of events can be used to monitor smart card activities on a computer, including installation, use, and errors. The following sections describe the events and information that can be used to manage smart cards in an organization.
+
+- [Smart card reader name](#smart-card-reader-name)
+
+- [Smart card warning events](#smart-card-warning-events)
+
+- [Smart card error events](#smart-card-error-events)
+
+- [Smart card Plug and Play events](#smart-card-plug-and-play-events)
+
+## Smart card reader name
+
+The Smart Card resource manager does not use the device name from Device Manager to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver.
+
+The following three attributes are used to construct the smart card reader name:
+
+- Vendor name
+
+- Interface device type
+
+- Device unit
+
+The smart card reader device name is constructed in the form <*VendorName*> <*Type*> <*DeviceUnit*>. For example 'Contoso Smart Card Reader 0' is constructed from the following information:
+
+- Vendor name: Contoso
+
+- Interface device type: Smart Card Reader
+
+- Device unit: 0
+
+## Smart card warning events
+
+> **Note** IOCTL in the following table refers to input and output control.
+
+| **Event ID** | **Warning Message** | **Description** |
+|--------------|---------|--------------------------------------------------------------------------------------------|
+| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not to be canceled. This can leave the smart card reader in an unusable state until it is removed from the computer or the computer is restarted.
%1 = Windows error code %2 = Smart card reader name %3 = IOCTL being canceled %4 = First 4 bytes of the command that was sent to the smart card |
+| 619 | Smart Card Reader '%2' has not responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader has not responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader does not respond for 150 seconds. This can leave the smart card reader in an unusable state until it is removed from the computer or the computer is restarted.
%1 = Number of seconds the IOCTL has been waiting %2 = Smart card reader name %3 = IOCTL sent %4 = First 4 bytes of the command that was sent to the smart card |
+
+## Smart card error events
+
+| **Event ID** | **Error Message** | **Description** |
+|--------------|--------------------------------------------|-------------------------------------------------------------------------------|
+| 202 | Failed to initialize Server Application | An error occurred, and the service cannot initialize properly. Restarting the computer may resolve the issue. |
+| 203 | Server Control has no memory for reader reference object. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 204 | Server Control failed to create shutdown event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 205 | Reader object has duplicate name: %1 | There are two smart card readers that have the same name. Remove the smart card reader that is causing this error message. %1 = Name of the smart card reader that is duplicated |
+| 206 | Failed to create global reader change event. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 401 | Reader shutdown exception from eject smart card command | A smart card reader could not eject a smart card while the smart card reader was shutting down. |
+| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. |
+| 502 | Initialization of Service Status Critical Section failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 504 | Resource Manager cannot create shutdown event flag: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 506 | Smart Card Resource Manager failed to register service: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 506 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 507 | No memory available for Service Status Critical Section | There is not enough system memory available. This prevents the service from managing the status. Restarting the computer may resolve the issue. |
+| 508 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 509 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 510 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 511 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 512 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 513 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 514 | Smart Card Resource Manager failed to add reader %2: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code %2 = Smart card reader name |
+| 515 | Smart Card Resource Manager failed to declare state: %1 | This is an internal unrecoverable error that indicates a failure in the smart card service. The smart card service may not operate properly. Restarting the service or computer may resolve this issue. %1 = Windows error code |
+| 516 | Smart Card Resource Manager Failed to declare shutdown: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not be able to stop. Restarting the computer may resolve this issue. %1 = Windows error code |
+| 517 | Smart Card Resource Manager received unexpected exception attempting to add reader %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Smart card reader name |
+| 521 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 523 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer. %1 = The affected handle name |
+| 602 | WDM Reader driver initialization cannot open reader device: %1 | The service cannot open a communication channel with the smart card reader. You cannot use the smart card reader until the issue is resolved. %1 = Windows error code |
+| 603 | WDM Reader driver initialization has no memory available to control device %1 | There is not enough system memory available. This prevents the service from managing the smart card reader that was added. Restarting the computer may resolve the issue. %1 = Name of affected reader |
+| 604 | Server control cannot set reader removal event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 605 | Reader object failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 606 | Reader object failed to create removal event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 607 | Reader object failed to start monitor thread: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 608 | Reader monitor failed to create power down timer: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 609 | Reader monitor failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress. %1 = Windows error code %2 = Name of the smart card reader %3 = IOCTL that was sent %4 = First 4 bytes of the command sent to the smart card |
+| 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. |
+| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. %1 = Windows error code |
+| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. %1 = Windows error code |
+| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. %1 = Windows error code %2 = Reader name |
+| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. %1 = Smart card reader name |
+| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
+| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+| 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. %1 = Windows error code |
+
+## Smart card Plug and Play events
+
+| **Event ID** | **Event type** | **Event Message** | **Description** |
+|--------------|----------------|-----------------------------------------------------------------------------------------|----------------|
+| 1000 | Error | Could not get device ID for smart card in reader %1. The return code is %2. | Smart card Plug and Play could not obtain the device ID for the smart card. This information is required to determine the correct driver. The smart card may be defective. %1 = Smart card reader name %2 = Windows error code |
+| 1001 | Information | Software successfully installed for smart card in reader %1. The smart card name is %2. | Smart card Plug and Play successfully installed a minidriver for the inserted card. %1 = Smart card reader name %2 = Name of new smart card device |
+
+## See also
+
+[Smart Card Technical Reference](smart-card-windows-smart-card-technical-reference.md)
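Review bot: Event ID 506 appears twice in the error events table with two different messages (`Smart Card Resource Manager failed to register service: %1` and `Smart Card Resource Manager received unexpected exception from PnP event %1`), and the second 506 row is identical to the rows for 508, 509, 511 and 513, while 510, 512, 521 and 523 also share one message and description. One of the 506 entries is almost certainly a copy error; please check every ID in this table against the Smart Card service's actual event definitions before merging, because readers will correlate these IDs with Event Viewer output. Two further points in the same table: the 620 and 619 rows are broken across two lines, with the `%1 = Windows error code %2 = Smart card reader name ...` legend on a continuation line that carries no `+` prefix, so either the diff is malformed or the row contains a hard line break, and in both cases the row will not render as a table row; join each onto one line and separate the legend entries with `<br>` as the other rows do. In the 620 description, "the command could not to be canceled" should read "the command could not be canceled".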
diff --git a/windows/keep-secure/smart-card-group-policy-and-registry-settings.md b/windows/keep-secure/smart-card-group-policy-and-registry-settings.md
new file mode 100644
index 0000000000..7f3eb80f4e
--- /dev/null
+++ b/windows/keep-secure/smart-card-group-policy-and-registry-settings.md
@@ -0,0 +1,378 @@
+---
+title: Smart Card Group Policy and Registry Settings (Windows 10)
+description: This topic for the IT professional and smart card developer describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card Group Policy and Registry Settings
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional and smart card developer describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
+
+The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers.
+
+- [Primary Group Policy settings for smart cards](#primary-group-policy-settings-for-smart-cards)
+
+ - [Allow certificates with no extended key usage certificate attribute](#allow-certificates-with-no-extended-key-usage-certificate-attribute)
+
+ - [Allow ECC certificates to be used for logon and authentication](#allow-ecc-certificates-to-be-used-for-logon-and-authentication)
+
+ - [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon)
+
+ - [Allow signature keys valid for Logon](#allow-signature-keys-valid-for-logon)
+
+ - [Allow time invalid certificates](#allow-time-invalid-certificates)
+
+ - [Allow user name hint](#allow-user-name-hint)
+
+ - [Configure root certificate clean up](#configure-root-certificate-clean-up)
+
+ - [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked)
+
+ - [Filter duplicate logon certificates](#filter-duplicate-logon-certificates)
+
+ - [Force the reading of all certificates from the smart card](#force-the-reading-of-all-certificates-from-the-smart-card)
+
+ - [Notify user of successful smart card driver installation](#notify-user-of-successful-smart-card-driver-installation)
+
+ - [Prevent plaintext PINs from being returned by Credential Manager](#prevent-plaintext-pins-from-being-returned-by-credential-manager)
+
+ - [Reverse the subject name stored in a certificate when displaying](#reverse-the-subject-name-stored-in-a-certificate-when-displaying)
+
+ - [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card)
+
+ - [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card)
+
+ - [Turn on Smart Card Plug and Play service](#turn-on-smart-card-plug-and-play-service)
+
+- [Base CSP and Smart Card KSP registry keys](#base-csp-and-smart-card-ksp-registry-keys)
+
+- [CRL checking registry keys](#crl-checking-registry-keys)
+
+- [Additional smart card Group Policy settings and registry keys](#additional-smart-card-group-policy-settings-and-registry-keys)
+
+## Primary Group Policy settings for smart cards
+
+The following smart card Group Policy settings are located in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card.
+
+The registry keys are in the following locations:
+
+- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider
+
+- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp
+
+> **Note** Smart card reader registry information is located in HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers. Smart card registry information is located in HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards.
+
+The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this topic.
+
+| **Server Type or GPO** | **Default Value** |
+|----------------------------------------------|-------------------|
+| Default Domain Policy | Not configured |
+| Default Domain Controller Policy | Not configured |
+| Stand-Alone Server Default Settings | Not configured |
+| Domain Controller Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
+
+### Allow certificates with no extended key usage certificate attribute
+
+This policy setting allows certificates without an enhanced key usage (EKU) set to be used for sign in.
+
+> **Note** Enhanced key usage certificate attribute is also known as extended key usage.
+
+In versions of Windows prior to Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
+
+When this policy setting is enabled, certificates with the following attributes can also be used to sign in with a smart card:
+
+- Certificates with no EKU
+
+- Certificates with an All Purpose EKU
+
+- Certificates with a Client Authentication EKU
+
+When this policy setting is disabled or not configured, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | AllowCertificatesWithNoEKU |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | |
+
+### Allow ECC certificates to be used for logon and authentication
+
+This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain. When this setting is enabled, ECC certificates on a smart card can be used to sign in to a domain. When this setting is disabled or not configured, ECC certificates on a smart card cannot be used to sign in to a domain.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------|
+| Registry key | EnumerateECCCerts |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign-in when you are not connected to the network. |
+
+### Allow Integrated Unblock screen to be displayed at the time of logon
+
+This policy setting lets you determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista.
+
+When this setting is enabled, the integrated unblock feature is available. When this setting is disabled or not configured, the feature is not available.
+
+| **Item** | **Description** |
+|--------------------------------------|---------------------------------------------------------------------------------------------------------------|
+| Registry key | AllowIntegratedUnblock |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature. You can create a custom message that is displayed when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
+
+### Allow signature keys valid for Logon
+
+This policy setting lets you allow signature key-based certificates to be enumerated and available for sign in. When this setting is enabled, any certificates available on the smart card with a signature-only key are listed on the sign-in screen. When this setting is disabled or not configured, certificates available on the smart card with a signature-only key are not listed on the sign-in screen.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | AllowSignatureOnlyKeys |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | |
+
+### Allow time invalid certificates
+
+This policy setting permits those certificates that are expired or not yet valid to be displayed for sign-in.
+
+Prior to Windows Vista, certificates were required to contain a valid time and to not expire. To be used, the certificate must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer.
+
+When this setting is enabled, certificates are listed on the sign-in screen whether they have an invalid time or their time validity has expired. When this setting is disabled or not configured, certificates that are expired or not yet valid are not listed on the sign-in screen.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | AllowTimeInvalidCertificates |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | |
+
+### Allow user name hint
+
+This policy setting lets you determine whether an optional field is displayed during sign-in and provides a subsequent elevation process that allows users to enter their user name or user name and domain, which associates a certificate with the user. If this setting is enabled, an optional field is displayed that allows users to enter their user name or user name and domain. If this setting is disabled or not configured, the field is not displayed.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | X509HintsNeeded |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | |
+
+### Configure root certificate clean up
+
+This policy setting allows you to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate. When this setting is enabled, you can set the following cleanup options:
+
+- **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer.
+
+- **Clean up certificates on smart card removal**. When the smart card is removed, the root certificates are removed.
+
+- **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed.
+
+When this policy setting is disabled or not configured, root certificates are automatically removed when the user signs out of Windows.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | RootCertificateCleanupOption |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | |
+
+### Display string when smart card is blocked
+
+When this policy setting is enabled, you can create and manage the displayed message that the user sees when a smart card is blocked. When this setting is disabled or not configured (and the integrated unblock feature is also enabled), the system’s default message is displayed to the user when the smart card is blocked.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------|
+| Registry key | IntegratedUnblockPromptString |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: This policy setting is only effective when the [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon) policy is enabled. |
+| Notes and resources | |
+
+### Filter duplicate logon certificates
+
+This policy setting lets you use a filtering process to configure which valid sign-in certificates are displayed. During the certificate renewal period, a user’s smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
+
+Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (this is determined by their UPN). When this policy setting is enabled, filtering occurs so that the user will only see the most current valid certificates from which to select. If this setting is disabled or not configured, all the certificates are displayed to the user.
+
+This policy setting is applied to the computer after the [Allow time invalid certificates](#allow-time-invalid-certificates) policy setting is applied.
+
+| **Item** | **Description** |
+|--------------------------------------|--------------------------------------------------------------------------------------------------|
+| Registry key | FilterDuplicateCerts |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. |
+
+### Force the reading of all certificates from the smart card
+
+This policy setting allows you to manage how Windows reads all certificates from the smart card for sign-in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card.
+
+When this policy setting is enabled, Windows attempts to read all certificates from the smart card regardless of the CSP feature set. When disabled or not configured, Windows attempts to read only the default certificate from smart cards that do not support retrieval of all certificates in a single call. Certificates other than the default are not available for sign in.
+
+| **Item** | **Description** |
+|--------------------------------------|----------------------------------------------------------------------------|
+| Registry key | ForceReadingAllCertificates |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None
**Important** Enabling this policy setting can adversely impact performance during the sign in process in certain situations. |
+| Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. |
+
+### Notify user of successful smart card driver installation
+
+This policy setting allows you to control whether a confirmation message is displayed to the user when a smart card device driver is installed. When this policy setting is enabled, a confirmation message is displayed when a smart card device driver is installed. When this setting is disabled or not configured, a smart card device driver installation message is not displayed.
+
+| **Item** | **Description** |
+|--------------------------------------|------------------------------------------------|
+| Registry key | ScPnPNotification |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
+
+### Prevent plaintext PINs from being returned by Credential Manager
+
+This policy setting prevents Credential Manager from returning plaintext PINs. Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user’s profile. When this policy setting is enabled, Credential Manager does not return a plaintext PIN. When this setting is disabled or not configured, plaintext PINs can be returned by Credential Manager.
+
+| **Item** | **Description** |
+|--------------------------------------|-----------------------------------------------------------------------------------|
+| Registry key | DisallowPlaintextPin |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | If this policy setting is enabled, some smart cards may not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
+
+### Reverse the subject name stored in a certificate when displaying
+
+When this policy setting is enabled, it causes the display of the subject name to be reversed from the way it is stored in the certificate during the sign-in process.
+
+To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
+
+| **Item** | **Description** |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| Registry key | ReverseSubject |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | |
+
+### Turn on certificate propagation from smart card
+
+This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
+
+If you enable or do not configure this policy setting, certificate propagation occurs when the user inserts the smart card. When this setting is disabled, certificate propagation does not occur and the certificates will not be made available to applications such as Outlook.
+
+| **Item** | **Description** |
+|--------------------------------------|----------------|
+| Registry key | CertPropEnabled |
+| Default values | No changes per operating system versions Enabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: This policy setting must be enabled to allow the [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card) setting to work when it is enabled. |
+| Notes and resources | |
+
+### Turn on root certificate propagation from smart card
+
+This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. When this policy setting is enabled or not configured, root certificate propagation occurs when the user inserts the smart card.
+
+| **Item** | **Description** |
+|--------------------------------------|---------------------------------------------------------------------------------------------------------|
+| Registry key | EnableRootCertificate Propagation |
+| Default values | No changes per operating system versions Enabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: For this policy setting to work, the [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card) policy setting must also be enabled. |
+| Notes and resources | |
+
+### Turn on Smart Card Plug and Play service
+
+This policy setting allows you to control whether Smart Card Plug and Play is enabled. This means that your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver is not available from Windows Update, a PIV-compliant minidriver that is included with any of the supported versions of Windows is used for these cards.
+
+When the Smart Card Plug and Play policy setting is enabled or not configured, and the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader. If this policy setting is disabled a device driver is not installed when a smart card is inserted in a smart card reader.
+
+| **Item** | **Description** |
+|--------------------------------------|------------------------------------------------|
+| Registry key | EnableScPnP |
+| Default values | No changes per operating system versions Enabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
+
+## Base CSP and Smart Card KSP registry keys
+
+The following registry keys can be configured for the base cryptography service provider (CSP) and the smart card key storage provider (KSP). The following tables list the keys. All keys use the DWORD type.
+
+The registry keys for the Base CSP are located in the registry in HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider.
+
+The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider.
+
+**Registry keys for the base CSP and smart card KSP**
+
+| **Registry Key** | **Description** |
+|------------------------------------|---------------------------------------------------------------------------------|
+| **AllowPrivateExchangeKeyImport** | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios. Default value: 00000000 |
+| **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios. Default value: 00000000 |
+| **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired. Default value: 00000400 Default key generation parameter: 1024-bit keys |
+| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that do not support on-card key generation or where key escrow is required. Default value: 00000000 |
+| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail. Default value: 000005dc1500 The default timeout for holding transactions to the smart card is 1.5 seconds. |
+
+**Additional registry keys for the smart card KSP**
+
+| **Registry Key** | **Description** |
+|--------------------------------|-----------------------------------------------------|
+| **AllowPrivateECDHEKeyImport** | This value allows Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) private keys to be imported for use in key archival scenarios. Default value: 00000000 |
+| **AllowPrivateECDSAKeyImport** | This value allows Elliptic Curve Digital Signature Algorithm (ECDSA) private keys to be imported for use in key archival scenarios. Default value: 00000000 |
+
+## CRL checking registry keys
+
+The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you need to configure settings for both the KDC and the client.
+
+**CRL checking registry keys**
+
+| **Registry Key** | **Details** |
+|------------|-----------------------------|
+| HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD Value = 1 |
+| HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD Value = 1 |
+
+## Additional smart card Group Policy settings and registry keys
+
+In a smart card deployment, additional Group Policy settings can be used to enhance ease-of-use or security. Two of these policy settings that can complement a smart card deployment are:
+
+- Turning off delegation for computers
+
+- Interactive logon: Do not require CTRL+ALT+DEL (not recommended)
+
+The following smart card-related Group Policy settings are located in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.
+
+**Local security policy settings**
+
+| Group Policy Setting and Registry Key | Default | Description |
+|------------------------------------------|------------|---------------|
+| Interactive logon: Require smart card
scforceoption | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.
**Enabled** Users can only sign in to the computer by using a smart card. **Disabled** Users can sign in to the computer by using any method. |
+| Interactive logon: Smart card removal behavior
scremoveoption | This policy setting is not defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are: **No Action** **Lock Workstation**: The workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. **Force Logoff**: The user is automatically signed out when the smart card is removed. **Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. This allows the user to reinsert the smart card and resume the session later, or at another computer that is equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.
**Note** Remote Desktop Services was called Terminal Services in previous versions of Windows Server. |
+
+From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.
+
+The following smart card-related Group Policy settings are located in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation.
+
+Registry keys are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults.
+
+> **Note** In the following table, fresh credentials are those that you are prompted for when running an application.
+
+**Credential delegation policy settings**
+
+| Group Policy Setting and Registry Key | Default | Description |
+|----------------------------------------|-----------|-------------|
+| **Allow Delegating Fresh Credentials**
AllowFreshCredentials | Not Configured | This policy setting applies: When server authentication was achieved through a trusted X509 certificate or Kerberos protocol. To applications that use the CredSSP component (for example, Remote Desktop Services).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. **Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer. **Disabled**: Delegation of fresh credentials to any computer is not permitted.
**Note** This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example: Use *TERMSRV/\** for Remote Desktop Session Host (RD Session Host) running on any computer. Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer. Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
+| **Allow Delegating Fresh Credentials with NTLM-only Server Authentication**
AllowFreshCredentialsWhenNTLMOnly | Not Configured | This policy setting applies: When server authentication was achieved by using NTLM. To applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. **Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*). **Disabled**: Delegation of fresh credentials is not permitted to any computer.
**Note** This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN. See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
+| **Deny Delegating Fresh Credentials**
DenyFreshCredentials | Not Configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials cannot be delegated. **Disabled** or **Not Configured**: A server is not specified.
**Note** This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials cannot be delegated. A single wildcard character (\*) is permitted when specifying the SPN. See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
+
+If you are using Remote Desktop Services with smart card logon, you cannot delegate default and saved credentials. The registry keys in the following table, which are located at HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults, and the corresponding Group Policy settings are ignored.
+
+| **Registry key** | **Corresponding Group Policy setting** |
+|-------------------------------------|---------------------------------------------------------------------------|
+| AllowDefaultCredentials | Allow Delegating Default Credentials |
+| AllowDefaultCredentialsWhenNTLMOnly | Allow Delegating Default Credentials with NTLM-only Server Authentication |
+| AllowSavedCredentials | Allow Delegating Saved Credentials |
+| AllowSavedCredentialsWhenNTLMOnly | Allow Delegating Saved Credentials with NTLM-only Server Authentication |
+
+## See also
+
+[Smart Card Technical Reference](smart-card-windows-smart-card-technical-reference.md)
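Review bot: the Markdown tables in this hunk break wherever a cell spans more than one source line, and two key descriptions contradict themselves. In the `ForceReadingAllCertificates` table the Policy management row has no closing `|` and the `**Important** Enabling this policy setting can adversely impact performance` sentence sits on its own line, so it renders as a paragraph and the Notes row becomes a second table; the same happens in the Local security policy and Credential delegation tables, where the registry keys (`scforceoption`, `scremoveoption`, `AllowFreshCredentials` and so on) and the `**Enabled**`/`**Note**` text each start on a new line inside the cell. Keep each row on one line with `<br>` separators, or move the notes below the table. Two substantive issues: the `RequireOnCardPrivateKeyGen` description says the flag requires on-card generation yet continues "If this value is set, a key generated on a host can be imported into the smart card", which is the opposite behaviour, so one of the two sentences needs flipping; and `TransactionTimeoutMilliseconds` gives "Default value: 000005dc1500", which looks like the hex value `000005dc` and its decimal 1500 run together. Smaller points: the certificate subject example uses `DN=example, DN=com` where domain components are `DC=`; `EnableRootCertificate Propagation` contains a space that looks like a wrap artifact, so confirm the intended value name; the `HKEY_LOCAL_MACHINE\SYSTEM\CCS\...` CRL paths abbreviate CurrentControlSet without saying so, while the KSP and CredSSP paths use `ControlSet001`, which is not always the active control set; and "When the Smart Card Plug and Play policy setting is enabled or not configured, and the system attempts to install" has a stray "and".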
diff --git a/windows/keep-secure/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/keep-secure/smart-card-how-smart-card-sign-in-works-in-windows.md
new file mode 100644
index 0000000000..a8e96e226c
--- /dev/null
+++ b/windows/keep-secure/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -0,0 +1,27 @@
+---
+title: How Smart Card Sign-in Works in Windows (Windows 10)
+description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# How Smart Card Sign-in Works in Windows
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use:
+
+- [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them.
+
+- [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md): Learn about requirements for smart card certificates based on the operating system, and about the operations that are performed by the operating system when a smart card is inserted into the computer.
+
+- [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md): Learn about using smart cards for remote desktop connections.
+
+- [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md): Learn about how the Smart Cards for Windows service is implemented.
+
+- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer.
+
+- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card.
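Review bot: "This topic for IT professional provides links" in both the `description` front matter and the opening paragraph is missing the article; the sibling topics added in this change use "This topic for the IT professional", so match that wording in both places.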
diff --git a/windows/keep-secure/smart-card-removal-policy-service.md b/windows/keep-secure/smart-card-removal-policy-service.md
new file mode 100644
index 0000000000..dcd96bdf27
--- /dev/null
+++ b/windows/keep-secure/smart-card-removal-policy-service.md
@@ -0,0 +1,35 @@
+---
+title: Smart Card Removal Policy Service (Windows 10)
+description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card Removal Policy Service
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
+
+The smart card removal policy service is applicable when a user has signed in with a smart card and subsequently removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+
+**Smart card removal policy service**
+
+
+
+The numbers in the previous figure represent the following actions:
+
+1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign in was initiated.
+
+2. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred.
+
+3. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified.
+
+4. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer.
+
+## See also
+
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
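Review bot: the "**Smart card removal policy service**" caption is followed by three blank lines and then "The numbers in the previous figure represent the following actions", but no image reference is included in the hunk, so the four numbered steps point at a figure that never renders; add the image (with alt text) under the caption, or reword the lead sentence so the steps stand on their own.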
diff --git a/windows/keep-secure/smart-card-smart-cards-for-windows-service.md b/windows/keep-secure/smart-card-smart-cards-for-windows-service.md
new file mode 100644
index 0000000000..a0c0edd3dc
--- /dev/null
+++ b/windows/keep-secure/smart-card-smart-cards-for-windows-service.md
@@ -0,0 +1,107 @@
+---
+title: Smart Cards for Windows Service (Windows 10)
+description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Cards for Windows Service
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions.
+
+The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications Overview](http://www.pcscworkgroup.com/specifications/overview.php).
+
+The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description:
+
+```
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+> **Note** For winscard.dll to be invoked as the proper class installer, the INF file for a smart card reader must specify the following for **Class** and **ClassGUID**:
+`Class=SmartCardReader` `ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}`
+
+By default, the service is configured for manual mode. Creators of smart card reader drivers must configure their INFs so that they start the service automatically and winscard.dll files call a predefined entry point to start the service during installation. The entry point is defined as part of the **SmartCardReader** class, and it is not called directly. If a device advertises itself as part of this class, the entry point is automatically invoked to start the service when the device is inserted. Using this method ensures that the service is enabled when it is needed, but it is also disabled for users who do not use smart cards.
+
+When the service is started, it performs several functions:
+
+1. It registers itself for service notifications.
+
+2. It registers itself for Plug and Play (PnP) notifications related to device removal and additions.
+
+3. It initializes its data cache and a global event that signals that the service has started.
+
+> **Note** For smart card implementations, consider sending all communications in Windows operating systems with smart card readers through the Smart Cards for Windows service. This provides an interface to track, select, and communicate with all drivers that declare themselves members of the smart card reader device group.
+
+The Smart Cards for Windows service categorizes each smart card reader slot as a unique reader, and each slot is also managed separately, regardless of the device's physical characteristics. The Smart Cards for Windows service handles the following high-level actions:
+
+- Device introduction
+
+- Reader initialization
+
+- Notifying clients of new readers
+
+- Serializing access to readers
+
+- Smart card access
+
+- Tunneling of reader-specific commands
+
+## See also
+
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
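Review bot: the fenced block after "The Smart Cards for Windows service, Scardsvr, has the following service description:" contains only empty lines, so the service description was lost in the import; either paste the text back in or drop the sentence and the fence. Also, in the Note about the INF file, `Class=SmartCardReader` `ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}` sits on a line without the `>` prefix, so it renders outside the blockquote; prefix it with `>` and put each directive on its own line, as they are separate entries in the INF.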
diff --git a/windows/keep-secure/smart-card-tools-and-settings.md b/windows/keep-secure/smart-card-tools-and-settings.md
new file mode 100644
index 0000000000..c84b997c09
--- /dev/null
+++ b/windows/keep-secure/smart-card-tools-and-settings.md
@@ -0,0 +1,27 @@
+---
+title: Smart Card Tools and Settings (Windows 10)
+description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card Tools and Settings
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
+
+This section of the Smart Card Technical Reference contains information about the following:
+
+- [Smart Cards Debugging Information](smart-card-debugging-information.md): Learn about tools and services in supported versions of Windows to help identify certificate issues.
+
+- [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md): Learn about smart card-related Group Policy settings and registry keys that can be set on a per-computer basis, including how to edit and apply Group Policy settings to local or domain computers.
+
+- [Smart Card Events](smart-card-events.md): Learn about events that can be used to manage smart cards in an organization, including how to monitor installation, use, and errors.
+
+## See also
+
+[Smart Card Technical Reference](smart-card-windows-smart-card-technical-reference.md)
diff --git a/windows/keep-secure/smart-card-windows-smart-card-technical-reference.md b/windows/keep-secure/smart-card-windows-smart-card-technical-reference.md
new file mode 100644
index 0000000000..bb376178cb
--- /dev/null
+++ b/windows/keep-secure/smart-card-windows-smart-card-technical-reference.md
@@ -0,0 +1,65 @@
+---
+title: Smart Card Technical Reference (Windows 10)
+description: This technical reference for the IT professional and smart card developer describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Smart Card Technical Reference
+
+Applies To: Windows 10, Windows Server 2016
+
+The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card-based strong authentication in the enterprise.
+
+## Audience
+
+This document explains how the Windows smart card infrastructure works. To understand this information, you should have basic knowledge of public key infrastructure (PKI) and smart card concepts. This document is intended for:
+
+- Enterprise IT developers, managers, and staff who are planning to deploy or are using smart cards in their organization.
+
+- Smart card vendors who write smart card minidrivers or credential providers.
+
+## What are smart cards?
+
+Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account.
+
+Smart cards provide:
+
+- Tamper-resistant storage for protecting private keys and other forms of personal information.
+
+- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card.
+
+- Portability of credentials and other private information between computers at work, home, or on the road.
+
+Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.
+
+**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. For information about virtual smart card technology, see [Virtual Smart Card Overview](virtual-smart-card-overview.md).
+
+## In this technical reference
+
+This reference contains the following topics.
+
+- [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
+
+ - [Smart Card Architecture](smart-card-architecture.md)
+
+ - [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md)
+
+ - [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md)
+
+ - [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md)
+
+ - [Certificate Propagation Service](smart-card-certificate-propagation-service.md)
+
+ - [Smart Card Removal Policy Service](smart-card-removal-policy-service.md)
+
+- [Smart Card Tools and Settings](smart-card-tools-and-settings.md)
+
+ - [Smart Cards Debugging Information](smart-card-debugging-information.md)
+
+ - [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
+
+ - [Smart Card Events](smart-card-events.md)
diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md
index 277ad8c4ba..0b34d5a9a8 100644
--- a/windows/keep-secure/tpm-recommendations.md
+++ b/windows/keep-secure/tpm-recommendations.md
@@ -63,7 +63,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
- TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
- TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
-- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a sinple semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
+- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
## Discrete, Integrated or Firmware TPM?
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 9f73d970e0..e3c1d51f68 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -149,7 +149,7 @@ If the deployment tools used does not indicate an error in the onboarding proces
Event ID | Message | Resolution steps
:---|:---|:---
5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
-6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
+6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).
7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
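Review bot: the Event ID 6 change drops the `#manual` fragment, so the "Run the onboarding script again" link now lands at the top of the configure-endpoints page instead of on the manual onboarding section; if the `manual` anchor was renamed, point at the new anchor rather than removing the deep link, since the resolution step only makes sense for the manual procedure. Separately, the hunk header text "If the deployment tools used does not indicate" has a subject-verb mismatch ("tools … do not indicate") that could be fixed in the same edit.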
diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
index 5973f94f6f..d927f73825 100644
--- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
@@ -30,8 +30,8 @@ The TPM Services Group Policy settings are located at:
| [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) | X| X| X| X| X| X|
| [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)| | X| X| X|||
| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X|||
-| [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X| X|||
-| [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X| X||||
+| [Standard User Individual Lockout Threshold](#bkmk-individual)| X| X| X| X|||
+| [Standard User Total Lockout Threshold](#bkmk-total)| X| X| X| X||||
### Turn on TPM backup to Active Directory Domain Services
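Review bot: the new anchors `#bkmk-individual` and `#bkmk-total` break the `bkmk-tpmgp-` prefix used by every other row in this table (`#bkmk-tpmgp-illb`, `#bkmk-tpmgp-oauthos`, `#bkmk-tpmgp-suld`); confirm that the corresponding bookmarks exist in the body of this page, and prefer names like `#bkmk-tpmgp-suilt` / `#bkmk-tpmgp-sutlt` for consistency if the headings are being re-anchored anyway. Also, the "Standard User Total Lockout Threshold" row carries one more trailing `|` than the rows above it (8 cells vs. 7), both before and after this change; drop the extra pipe so the table column count matches.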
diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
index 3aabc0a07e..2aa91da1a1 100644
--- a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
@@ -193,5 +193,5 @@ The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Wind
| ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled 1 = Enabled |
| EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled 1 (Default) = Enabled |
| EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled 1 (Default) = Enabled |
-| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control:-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled 1 (Default) = Enabled |
+| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled 1 (Default) = Enabled |
| EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled 1 (Default) = Enabled |
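Review bot: removing the colon from the `PromptOnSecureDesktop` anchor is correct, since heading slugs drop punctuation and the other rows already use the colon-free form. A style point visible in the unchanged rows: the value column runs the two settings together ("0 = Disabled 1 (Default) = Enabled"); separating them with a `<br>` or a semicolon would make the default unambiguous at a glance.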
diff --git a/windows/keep-secure/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/keep-secure/virtual-smart-card-deploy-virtual-smart-cards.md
new file mode 100644
index 0000000000..3c4dbe36c7
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -0,0 +1,275 @@
+---
+title: Deploy Virtual Smart Cards (Windows 10)
+description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Deploy Virtual Smart Cards
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution.
+
+Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram.
+
+
+
+Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company.
+
+This topic contains information about the following phases in a virtual smart card lifecycle:
+
+- [Create and personalize virtual smart cards](#create-and-personalize-virtual-smart-cards)
+
+- [Provision virtual smart cards](#provision-virtual-smart-cards)
+
+- [Maintain virtual smart cards](#maintain-virtual-smart-cards)
+
+## Create and personalize virtual smart cards
+
+A corporation purchases the devices to deploy then. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. The security that is provided for a TPM virtual smart card is fully provisioned in the host TPM.
+
+### Trusted Platform Module readiness
+
+The TPM Provisioning Wizard, which is launched from the **TPM Management Console**, takes the user through all the steps to prepare the TPM for use.
+
+When you create virtual smart cards, consider the following actions in the TPM:
+
+- **Enable and Activate**: TPMs are built in to many industry ready computers, but they often are not enabled and activated by default. In some cases, the TPM must be enabled and activated through the BIOS. For more information, see Initialize and Configure Ownership of the TPM.
+
+- **Take ownership**: When you provision the TPM, you set an owner password for managing the TPM in the future, and you establish the storage root key. To provide anti-hammering protection for virtual smart cards, the user or a domain administrator must be able to reset the TPM owner password.
+ For corporate use of TPM virtual smart cards, we recommend that the corporate domain administrator restrict access to the TPM owner password by storing it in Active Directory, not in the local registry. When TPM ownership is set in Windows Vista, the TPM needs to be cleared and reinitialized. For more information, see Trusted Platform Module Technology Overview.
+
+- **Manage**: You can manage ownership of a virtual smart card by changing the owner password, and you can manage anti-hammering logic by resetting the lockout time. For more information, see Manage TPM Lockout.
+
+A TPM might operate in reduced functionality mode. This could occur, for example, if the operating system cannot determine if the owner password is available to the user. In those cases, the TPM can be used to create a virtual smart card, but it is strongly recommended to bring the TPM to a fully ready state so that any unexpected circumstances will not leave the user blocked from using the computer.
+
+Those smart card deployment management tools that require a status check of a TPM before attempting to create a TPM virtual smart card can do so using the TPM WMI interface.
+
+Depending on the setup of the computer that is designated for installing TPM virtual smart cards, it might be necessary to provision the TPM before continuing with the virtual smart card deployment. For more information about provisioning, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md).
+
+For more information about managing TPMs by using built-in tools, see Trusted Platform Module Services Group Policy Settings.
+
+### Creation
+
+A TPM virtual smart card simulates a physical smart card, and it uses the TPM to provide the same functionality as physical smart card hardware. A virtual smart card appears within the operating system as a physical smart card that is always inserted. Supported versions of the Windows operating system present a virtual smart card reader and virtual smart card to applications with the same interface as physical smart cards, but messages to and from the virtual smart card are translated to TPM commands. This process ensures the integrity of the virtual smart card through the three properties of smart card security:
+
+- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer.
+ For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
+
+- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
+
+- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.
+ For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
+
+There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users’ computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee’s possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer.
+
+For information about the TPM Virtual Smart Card command-line tool, see [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
+
+### Personalization
+
+During virtual smart card personalization, the values for the administrator key, PIN, and PUK are assigned. As with a physical card, knowing the administrator key is important for resetting the PIN or for deleting the card in the future. (If a PUK is set, the administrator key can no longer be used to reset the PIN.)
+
+Because the administrator key is critical to the security of the card, it is important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include:
+
+- **Uniform**: Administrator keys for all the virtual smart cards that are deployed in the organization are the same. Although this makes the maintenance infrastructure easy (only one key needs to be stored), it is highly insecure. This strategy might be sufficient for very small organizations, but if the administrator key is compromised, all virtual smart cards that use this key must be reissued.
+
+- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they are not recorded. This is a valid option if the deployment administrators do not require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This could also be a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary.
+
+- **Random, stored**: Administrator keys are assigned randomly and stored in a central location. Each card’s security is independent of the others. This is secure on a large scale unless the administrator key database is compromised.
+
+- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it does not need to be stored. The security of this method relies on the security of the secret used.
+
+Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is simply entered on the computer to enable a user PIN reset.
+
+The administrator key methodology takes a challenge-response approach. The card provides a set of random data after users verify their identity to the deployment administrator. The administrator then encrypts the data with the administrator key and gives the encrypted data back to the user. If the encrypted data matches that produced by the card during verification, the card will allow PIN reset. Because the administrator key is never accessible by anyone other than the deployment administrator, it cannot be intercepted or recorded by any other party (including employees). This provides significant security benefits beyond using a PUK, an important consideration during the personalization process.
+
+TPM virtual smart cards can be personalized on an individual basis when they are created with the Tpmvscmgr command-line tool. Or organizations can purchase a management solution that can incorporate personalization into an automated routine. An additional advantage of such a solution is the automated creation of administrator keys. Tpmvscmgr.exe allows users to create their own administrator keys, which can be detrimental to the security of the virtual smart cards.
+
+## Provision virtual smart cards
+
+Provisioning is the process of loading specific credentials onto a TPM virtual smart card. These credentials consist of certificates that are created to give users access to a specific service, such as domain sign in. A maximum of 30 certificates is allowed on each virtual smart card. As with physical smart cards, several decisions must be made regarding the provisioning strategy, based on the environment of the deployment and the desired level of security.
+
+A high-assurance level of secure provisioning requires absolute certainty about the identity of the individual who is receiving the certificate. Therefore, one method of high-assurance provisioning is utilizing previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning. In-person proofing at enrollment stations is another option, because an individual can easily and securely prove his or her identity with a passport or driver’s license, although this can become infeasible on a larger scale. To achieve a similar level of assurance, a large organization can implement an “enroll-on-behalf-of” strategy, in which employees are enrolled with their credentials by a superior who can personally verify their identities. This creates a chain of trust that ensures individuals are checked in person against their proposed identities, but without the administrative strain of provisioning all virtual smart cards from a single central enrollment station.
+
+For deployments in which a high-assurance level is not a primary concern, you can use self-service solutions. These can include using an online portal to obtain credentials or simply enrolling for certificates by using Certificate Manager, depending on the deployment. Consider that virtual smart card authentication is only as strong as the method of provisioning. For example, if weak domain credentials (such as a password alone) are used to request the authentication certificate, virtual smart card authentication will be equivalent to using only the password, and the benefits of two-factor authentication are lost.
+
+For information about using Certificate Manager to configure virtual smart cards, see [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md).
+
+High-assurance and self-service solutions approach virtual smart card provisioning by assuming that the user’s computer has been issued prior to the virtual smart card deployment, but this is not always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user has contact with that computer.
+
+In this situation, provisioning becomes relatively simple, but identity checks must be put in place to ensure that the recipient of the computer is the individual who was expected during provisioning. This can be accomplished by requiring the employee to set the initial PIN under the supervision of the deployment administrator or manager.
+
+When you are provisioning your computers, you should also consider the longevity of credentials that are supplied for virtual smart cards. This choice must be based on the risk threshold of the organization. Although longer lived credentials are more convenient, they are also more likely to become compromised during their lifetime. To decide on the appropriate lifetime for credentials, the deployment strategy must take into account the vulnerability of their cryptography (how long it could take to crack the credentials), and the likelihood of attack.
+
+If a virtual smart card is compromised, administrators should be able to revoke the associated credentials, like they would with a lost or stolen laptop. This requires a record of which credentials match which user and computer, which is functionality that does not exist natively in Windows. Deployment administrators might want to consider add-on solutions to maintain such a record.
+
+### Virtual smart cards on consumer devices used for corporate access
+
+There are techniques that allow employees to provision virtual smart cards and enroll for certificates that can be used to authenticate the users. This is useful when employees attempt to access corporate resources from devices that are not joined to the corporate domain. Those devices can be further defined to not allow users to download and run applications from sources other than the Windows Store (for example, devices running Windows RT).
+
+You can use APIs that were introduced in Windows Server 2012 R2 and Windows 8.1 to build Windows Store apps that you can use to manage the full lifecycle of virtual smart cards. For more information, see [Create and delete virtual smart cards programmatically](virtual-smart-card-use-virtual-smart-cards.md#create-and-delete-virtual-smart-cards-programmatically).
+
+#### TPM ownerAuth in the registry
+
+When a device or computer is not joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that are not protected include:
+
+- A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets.
+
+- A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised.
+
+The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. Policies for automatic lockout can be set while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device.
+
+For configuration information about the TPM ownerAuth registry key, see the Group Policy setting Configure the level of TPM owner authorization information available to the operating system.
+
+
+
+For information about EAS policies, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287(v=ws.11).aspx).
+
+#### Managed and unmanaged cards
+
+The following table describes the important differences between managed and unmanaged virtual smart cards that exist on consumer devices:
+
+
+
+| Operation | [Managed and unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#managed-and-unmanaged-cards) | [Unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#unmanaged-cards) |
+|-----------------------------------------|--------------|----|
+| Reset PIN when the user forgets the PIN | Yes | No, the card has to be deleted and created again. |
+| Allow user to change the PIN | Yes | No, the card has to be deleted and created again. |
+
+## Managed cards
+
+A managed virtual smart card can be serviced by the IT administrator or another person in that designated role. It allows the IT administrator to have influence or complete control over specific aspects of the virtual smart card from its creation to deletion. To manage these cards, a virtual smart card deployment management tool is often required.
+
+### Managed card creation
+
+A user can create blank virtual smart card by using the Tpmvscmgr command-line tool, which is a built-in tool that is run with administrative credentials through an elevated command prompt. This virtual smart card needs to be created with well-known parameters (such as default values), and it should be left unformatted (specifically, the **/generate** option should not be specified).
+
+The following command creates a virtual smart card that can later be managed by a smart card management tool launched from another computer (as explained in the next section):
+
+`tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey DEFAULT /PIN PROMPT`
+
+Alternatively, instead of using a default administrator key, a user can enter an administrator key at the command line:
+
+`tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /PIN PROMPT`
+
+In either case, the card management system needs to be aware of the initial administrator key that is used so that it can take ownership of the virtual smart card and change the administrator key to a value that is only accessible through the card management tool operated by the IT administrator. For example, when the default value is used, the administrator key is set to:
+
+`10203040506070801020304050607080102030405060708`
+
+For information about using this command-line tool, see [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
+
+### Managed card management
+
+After the virtual smart card is created, the user needs to open a remote desktop connection to an enrollment station, for example, in a computer that is joined to the domain. Virtual smart cards that are associated with a client computer are available for use in the remote desktop connection. The user can open a card management tool inside the remote session that can take ownership of the card and provision it for use by the user. This requires that a user is allowed to establish a remote desktop connection from a non-domain-joined computer to a domain-joined computer. This might require a specific network configuration, such as through IPsec policies.
+
+When users need to reset or change a PIN, they need to use the remote desktop connection to complete these operations. They can use the built-in tools for PIN unlock and PIN change or the smart card management tool.
+
+### Certificate management for managed cards
+
+Similar to physical smart cards, virtual smart cards require certificate enrollment.
+
+#### Certificate issuance
+
+Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card does not need to be installed on the client computer if it is installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
+
+Alternatively, without establishing a remote desktop connection, users can enroll for certificates from the Certificate Management console (certmgr.msc) on a client computer. Users can also create a request and submit it to a server from within a custom certificate enrollment application (for example, a registration authority) that has controlled access to the certification authority (CA). This requires specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES).
+
+#### Certificate lifecycle management
+
+You can renew certificates through remote desktop connections, certificate enrollment policies, or certificate enrollment services. Renewal requirements could be different from the initial issuance requirements, based on the renewal policy.
+
+Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked is not easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate is not available.
+
+## Unmanaged cards
+
+Unmanaged virtual smart cards are not serviceable by an IT administrator. Unmanaged cards might be suitable if an organzation does not have an elaborate smart card deployment management tool and using remote desktop connections to manage the card is not desirable. Because unmanaged cards are not serviceable by the IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN), the only option available to the user is to delete the card and create it again. This results in loss of the user’s credentials and he or she must re-enroll.
+
+### Unmanaged card creation
+
+A user can create a virtual smart card by using the Tpmvscmgr command-line tool, which is run with administrative credentials through an elevated command prompt. The following command creates an unmanaged card that can be used to enroll certificates:
+
+`tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey RANDOM /PIN PROMPT /generate`
+
+This command creates a card with a randomized administrator key. The key is automatically discarded after the creation of the card. If users forget or want to change their PIN, they need to delete the card and create it again. To delete the card, a user can run the following command:
+
+`tpmvscmgr.exe destroy /instance `
+
+where <instance ID> is the value that is printed on the screen when the user creates the card. Specifically, for the first card created, the instance ID is ROOT\\SMARTCARDREADER\\0000).
+
+### Certificate management for unmanaged cards
+
+Depending on the security requirements that are unique to an organization, users can initially enroll for certificates from the certificate management console (certmgr.msc) or from within custom certificate enrollment applications. The latter method can create a request and submit it to a server that has access to the Certification Authority. This requires specific organizational configurations and deployments for certificate enrollment policies and certificate enrollment services. Windows has built-in tools, specifically Certreq.exe and Certutil.exe, which can be used by scripts to perform the enrollment from the command line.
+
+#### Requesting the certificate by providing domain credentials only
+
+The simplest way for users to request certificates is to provide their domain credentials through a script that can perform the enrollment through built-in components you have in place for certificate requests.
+
+Alternatively, an application (such as a line-of-business app) can be installed on the computer to perform enrollment by generating a request on the client. The request is submitted to an HTTP server, which can forward it to a registration authority.
+
+Another option is to have the user access an enrollment portal that is available through Internet Explorer. The webpage can use the scripting APIs to perform certificate enrollment.
+
+#### Signing the request with another certificate
+
+You can provide users with a short-term certificate through a Personal Information Exchange (.pfx) file. You can generate the .pfx file by initiating a request from a domain-joined computer. Additional policy constraints can be enforced on the .pfx file to assert the identity of the user.
+
+The user can import the certificate into the **MY** store (which is the user’s certificate store). And your organization can present the user with a script that can be used to sign the request for the short-term certificate and to request a virtual smart card.
+
+For deployments that require users to use a physical smart card to sign the certificate request, you can use the procedure:
+
+1. Users initiate a request on a domain-joined computer.
+
+2. Users complete the request by using a physical smart card to sign the request.
+
+3. Users download the request to the virtual smart card on their client computer.
+
+#### Using one-time password for enrollment
+
+Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools.
+
+#### Certificate lifecycle management
+
+Certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal.
+
+Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked is not easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate is not available.
+
+## Maintain virtual smart cards
+
+Maintenance is a significant portion of the virtual smart card lifecycle and one of the most important considerations from a management perspective. After virtual smart cards are created, personalized, and provisioned, they can be used for convenient two-factor authentication. Deployment administrators must be aware of several common administrative scenarios, which can be approached by using a purchased virtual smart card solution or on a case-by-case basis with in-house methods.
+
+**Renewal**: Renewing virtual smart card credentials is a regular task that is necessary to preserve the security of a virtual smart card deployment. Renewal is the result of a signed request from a user who specifies the key pair desired for the new credentials. Depending on user’s choice or deployment specification, the user can request credentials with the same key pair as previously used, or choose a newly generated key pair.
+
+When renewing with a previously used key, no extra steps are required because a strong certificate with this key was issued during the initial provisioning. However, when the user requests a new key pair, you must take the same steps that were used during provisioning to assure the strength of the credentials. Renewal with new keys should occur periodically to counter sophisticated long-term attempts by malicious users to infiltrate the system. When new keys are assigned, you must ensure that the new keys are being used by the expected individuals on the same virtual smart cards.
+
+**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user’s identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued.
+
+**Lockout reset**: A frequent precursor to resetting a PIN is the necessity of resetting the TPM lockout time because the TPM anti-hammering logic will be engaged with multiple PIN entry failures for a virtual smart card. This is currently device specific.
+
+**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they are no longer needed. When an employee leaves the company, it is desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal.
+
+The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it is only necessary to revoke the certificates that are stored on the virtual smart card.
+
+### Emergency preparedness
+
+#### Card reissuance
+
+The most common scenario in an organization is reissuing virtual smart cards, which can be necessary if the operating system is reinstalled or if the virtual smart card is compromised in some manner. Reissuance is essentially the recreation of the card, which involves establishing a new PIN and administrator key and provisioning a new set of associated certificates. This is an immediate necessity when a card is compromised, for example, if the virtual smart card-protected computer is exposed to an adversary who might have access to the correct PIN. Reissuance is the most secure response to an unknown exposure of a card’s privacy. Additionally, reissuance is necessary after an operating system is reinstalled because the virtual smart card device profile is removed with all other user data when the operating system is reinstalled.
+
+#### Blocked virtual smart card
+
+The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
+
+## See also
+
+[Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
+
+[Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
+
+[Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
+
+[Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
+
+[Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
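Review bot: the "Retiring cards" paragraph says revoking the sign-in credentials at the CA accomplishes the goal, but the next paragraph then warns that a reused card lets the former employee change the PIN and hijack the new user's certificates; the two should be tied together by stating that on a shared computer the old virtual smart card must also be destroyed (the destroy command is documented in the Tpmvscmgr topic added in this change) before a fresh card is created for the new user, rather than leaving "reissued" to imply the same card object is kept. Minor wording: "you can use the procedure:" should read "use this procedure:", and "Depending on user’s choice" in the Renewal paragraph is missing "the".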
diff --git a/windows/keep-secure/virtual-smart-card-evaluate-security.md b/windows/keep-secure/virtual-smart-card-evaluate-security.md
new file mode 100644
index 0000000000..ad80b759e0
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-evaluate-security.md
@@ -0,0 +1,61 @@
+---
+title: Evaluate Virtual Smart Card Security (Windows 10)
+description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Evaluate Virtual Smart Card Security
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
+
+## Virtual smart card non-exportability details
+
+A crucial aspect of TPM virtual smart cards is their ability to securely store and use secret data, specifically that the secured data is non-exportable. Data can be accessed and used within the virtual smart card system, but it is meaningless outside of its intended environment. In TPM virtual smart cards, security is ensured with a secure key hierarchy, which includes several chains of encryption. This originates with the TPM storage root key, which is generated and stored within the TPM and never exposed outside the chip. The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN in such a way that changing the PIN doesn’t require re-encryption of the data.
+
+The following diagram illustrates the secure key hierarchy and the process of accessing the user key.
+
+
+
+The following keys are stored on the hard disk:
+
+- User key
+
+- Smart card key, which is encrypted by the storage root key
+
+- Authorization key for the user key decryption, which is encrypted by the public portion of the smart card key
+
+When the user enters a PIN, the use of the decrypted smart card key is authorized with this PIN. If this authorization succeeds, the decrypted smart card key is used to decrypt the auth key. The auth key is then provided to the TPM to authorize the decryption and use of the user’s key that is stored on the virtual smart card.
+
+The auth key is the only sensitive data that is used as plaintext outside the TPM, but its presence in memory is protected by Microsoft Data Protection API (DPAPI), such that before being stored in any way, it is encrypted. All data other than the auth key is processed only as plaintext within the TPM, which is completely isolated from external access.
+
+## Virtual smart card anti-hammering details
+
+The anti-hammering functionality of virtual smart cards relies on the anti-hammering functionality of the TPM that is enabling the virtual smart card. However, the TPM version 1.2 and subsequent specifications (as designed by the Trusted Computing Group) provide very flexible guidelines for responding to hammering. The spec requires only that the TPM implement protection against trial-and-error attacks on the user PIN, PUK, and challenge/response mechanism.
+
+The Trusted Computing Group also specifies that if the response to attacks involves suspending proper function of the TPM for some period of time or until administrative action is taken, the TPM must prevent running the authorized TPM commands. The TPM can prevent running any TPM commands until the termination of the attack response. Beyond using a time delay or requiring administrative action, a TPM could also force a reboot when an attack is detected. The Trusted Computing Group allows manufacturers a level of creativity in their choice of implementation. Whatever methodology is chosen by TPM manufacturers determines the anti-hammering response of TPM virtual smart cards. Some typical aspects of protection from attacks include:
+
+1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM.
+
+ > **Note** Introduced in Windows Server 2012 R2 and Windows 8.1, if the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it has to be unblocked by using the administrative key or the PUK.
+
+1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands.
+
+2. Have a failure leakage mechanism to allow the TPM to reset the timed delays over a period of time. This is useful in cases where a valid user has entered the wrong PIN occasionally, for example, due to complexity of the PIN.
+
+As an example, it will take 14 years to guess an 8-character PIN for a TPM that implements the following protection:
+
+1. Number of wrong PINs allowed before entering lockout (threshold): 9
+
+2. Time the TPM is in lockout after the threshold is reached: 10 seconds
+
+3. Timed delay doubles for each wrong PIN after the threshold is reached
+
+## See also
+
+[Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
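Review bot: the note under the first anti-hammering item says the card is blocked after five consecutive wrong PINs, while the worked example immediately below uses a TPM threshold of 9 wrong PINs before lockout; readers will see these as contradictory unless the text states that 5 is the virtual smart card layer's block limit and the 9/10 s/doubling figures describe a hypothetical TPM implementation. Two smaller points: "The following diagram illustrates the secure key hierarchy" is followed by a blank line with no image reference, so the diagram link appears to have been dropped; and the numbered list of protection aspects is numbered 1, 1, 2, which should be 1, 2, 3 so the rendered numbering matches the source.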
diff --git a/windows/keep-secure/virtual-smart-card-get-started.md b/windows/keep-secure/virtual-smart-card-get-started.md
new file mode 100644
index 0000000000..c2d31f8b16
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-get-started.md
@@ -0,0 +1,165 @@
+---
+title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
+description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Get Started with Virtual Smart Cards: Walkthrough Guide
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
+
+Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering.
+
+This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer.
+
+**Time requirements**
+
+You should be able to complete this walkthrough in less than one hour, excluding installing software and setting up the test domain.
+
+**Walkthrough steps**
+
+- [Prerequisites](#prerequisites)
+
+- [Step 1: Create the certificate template](#step-1-create-the-certificate-template)
+
+- [Step 2: Create the TPM virtual smart card](#step-2-create-the-tpm-virtual-smart-card)
+
+- [Step 3: Enroll for the certificate on the TPM Virtual Smart Card](#step-3-enroll-for-the-certificate-on-the-tpm-virtual-smart-card)
+
+> **Important** This basic configuration is for test purposes only. It is not intended for use in a production environment.
+
+## Prerequisites
+
+You will need:
+
+- A computer running Windows 10 with an installed and fully functional TPM (version 1.2 or version 2.0).
+
+- A test domain to which the computer listed above can be joined.
+
+- Access to a server in that domain with a fully installed and running certification authority (CA).
+
+## Step 1: Create the certificate template
+
+On your domain server, you need to create a template for the certificate that you will request for the virtual smart card.
+
+### To create the certificate template
+
+1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator**.
+
+2. Click **File**, and then click **Add/Remove Snap-in**.
+
+ 
+
+3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**.
+
+ 
+
+4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates.
+
+5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**.
+
+ 
+
+6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed.
+
+ 
+
+7. On the **General** tab:
+
+ 1. Specify a name, such as **TPM Virtual Smart Card Logon**.
+
+ 2. Set the validity period to the desired value.
+
+8. On the **Request Handling** tab:
+
+ 1. Set the **Purpose** to **Signature and smartcard logon**.
+
+ 2. Click **Prompt the user during enrollment**.
+
+9. On the **Cryptography** tab:
+
+ 1. Set the minimum key size to 2048.
+
+ 2. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**.
+
+10. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them.
+
+11. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
+
+12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**.
+
+ 
+
+13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
+
+14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
+
+ 
+
+15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**.
+
+ > **Note** It can take some time for your template to replicate to all servers and become available in this list.
+
+ 
+
+16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
+
+ 
+
+## Step 2: Create the TPM virtual smart card
+
+In this step, you will create the virtual smart card on the client computer by using the command-line tool, [Tpmvscmgr.exe](virtual-smart-card-tpmvscmgr.md).
+
+### To create the TPM virtual smart card
+
+1. On a domain-joined computer, open a Command Prompt window with Administrative credentials.
+
+ 
+
+2. At the command prompt, type the following, and then press ENTER:
+
+ `tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate`
+
+ This will create a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN will be set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.
+
+ For more information about the Tpmvscmgr command-line tool, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) and [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
+
+4. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe will provide you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you will need it to manage or remove the virtual smart card.
+
+## Step 3: Enroll for the certificate on the TPM Virtual Smart Card
+
+The virtual smart card must be provisioned with a sign-in certificate for it to be fully functional.
+
+### To enroll the certificate
+
+1. Open the Certificates console by typing **certmgr.msc** on the **Start** menu.
+
+2. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**.
+
+ 
+
+3. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1).
+
+ 
+
+4. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**.
+
+5. Enter the PIN that was established when you created the TPM virtual smart card, and then click **OK**.
+
+6. Wait for the enrollment to finish, and then click **Finish**.
+
+The virtual smart card can now be used as an alternative credential to sign in to your domain. To verify that your virtual smart card configuration and certificate enrollment were successful, sign out of your current session, and then sign in. When you sign in, you will see the icon for the new TPM virtual smart card on the Secure Desktop (sign in) screen or you will be automatically directed to the TPM smart card sign-in dialog box. Click the icon, enter your PIN (if necessary), and then click **OK**. You should be signed in to your domain account.
+
+## See also
+
+- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
+
+- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
+
+- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
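Review bot: the Step 2 procedure jumps from step 2 to step 4, so either step 3 was lost or the list should be renumbered 1, 2, 3. Also, the example command uses /adminkey random, which the Tpmvscmgr topic in this same change says produces a card whose administrator key is not returned and that may not be manageable by smart card management tools; since the walkthrough tells the reader to store the device instance ID "to manage or remove" the card, it should add one sentence saying the resulting test card cannot have its PIN reset or unblocked and must simply be destroyed and recreated if the PIN is lost.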
diff --git a/windows/keep-secure/virtual-smart-card-overview.md b/windows/keep-secure/virtual-smart-card-overview.md
new file mode 100644
index 0000000000..54e8c6f4d2
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-overview.md
@@ -0,0 +1,123 @@
+---
+title: Virtual Smart Card Overview (Windows 10)
+description: This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft, and links to additional topics about virtual smart cards.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Virtual Smart Card Overview
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft and includes [links to additional topics](#see-also) to help you evaluate, plan, provision, and administer virtual smart cards.
+
+**Did you mean…**
+
+- [Smart Cards](smart-card-windows-smart-card-technical-reference.md)
+
+## Feature description
+
+Virtual smart card technology from Microsoft offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys that are used for authentication are stored in cryptographically secured hardware.
+
+By utilizing TPM devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
+
+## Practical applications
+
+Virtual smart cards are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. They are easily deployed by using in-house methods or a purchased solution, and they can become a full replacement for other methods of strong authentication in a corporate setting of any scale.
+
+### Authentication use cases
+
+**Two-factor authentication‒based remote access**
+
+After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain strongly authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain.
+
+In practice, this is as easy as entering a password to access the system. Technically, it is far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request could not have possibly originated from a system other than the system certified by the domain for this user’s access, and the user could not have initiated the request without knowing the PIN, a strong two-factor authentication is established.
+
+**Client authentication**
+
+Virtual smart cards can also be used for client authentication by using Secure Socket Layer (SSL) or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card.
+
+**Virtual smart card redirection for remote desktop connections**
+
+The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the computers that they access domain resources through. Therefore, when a user remotely connects to a computer that is hosting virtual smart cards, the virtual smart cards that are located on the remote computer cannot be used during the remote session. However, the virtual smart cards that are stored on the connecting computer (which is under physical control of the user) are loaded onto the remote computer, and they can be used as if they were installed by using the remote computer’s TPM. This extends a user’s privileges to the remote computer, while maintaining the principles of two-factor authentication.
+
+**Windows To Go and virtual smart cards**
+
+Virtual smart cards work well with Windows To Go, where a user can boot into a supported version of Windows from a compatible removable storage device. A virtual smart card can be created for the user, and it is tied to the TPM on the physical host computer to which the removable storage device is connected. When the user boots the operating system from a different physical computer, the virtual smart card will not be available. This can be used for scenarios when a single physical computer is shared by many users. Each user can be given a removable storage device for Windows To Go, which has a virtual smart card provisioned for the user. This way, users are only able to access their personal virtual smart card.
+
+### Confidentiality use cases
+
+**S/MIME email encryption**
+
+Physical smart cards are designed to hold private keys that can be used for email encryption and decryption. This functionality also exists in virtual smart cards. By using S/MIME with a user’s public key to encrypt email, the sender of an email can be assured that only the person with the corresponding private key will be able to decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption.
+
+**BitLocker for data volumes**
+
+sBitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user’s hard drive. This ensures that if the physical ownership of a hard drive is compromised, an adversary will not be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive and possession of the computer that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be very difficult.
+
+BitLocker can also be used to encrypt portable drives, which involves storing keys in virtual smart cards. In this scenario (unlike using BitLocker with a physical smart card), the encrypted drive can be used only when it is connected to the host for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from this computer. However, this method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive.
+
+### Data integrity use case
+
+**Signing data**
+
+To verify authorship of data, a user can sign it by using a private key that is stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. If the key is stored in an operating system that is accessible, a malicious user could access it and use it to modify already signed data or to spoof the key owner’s identity. However, if this key is stored in a virtual smart card, it can be used only to sign data on the host computer. It cannot be exported to other systems (intentionally or unintentionally, such as with malware theft). This makes digital signatures far more secure than other methods for private key storage.
+
+## New and changed functionality as of Windows 8.1
+
+Enhancements in Windows 8.1 enabled developers to build Windows Store apps to create and manage virtual smart cards.
+
+The DCOM Interfaces for Trusted Platform Module (TPM) Virtual Smart Card device management protocol provides a Distributed Component Object Model (DCOM) Remote Protocol interface used for creating and destroying virtual smart cards. A virtual smart card is a device that presents a device interface complying with the PC/SC specification for PC-connected interface devices to its host operating system (OS) platform. This protocol does not assume anything about the underlying implementation of virtual smart card devices. In particular, while it is primarily intended for the management of virtual smart cards based on TPMs, it can also be used to manage other types of virtual smart cards.
+
+**What value does this change add?**
+
+Starting with Windows 8.1, application developers can build into their apps the following virtual smart card maintenance capabilities to relieve some of your administrative burdens.
+
+- Create a new virtual smart card or select a virtual smart card from the list of available virtual smart cards on the system. Identify the one that the application is supposed to work with.
+
+- Personalize the virtual smart card.
+
+- Change the admin key.
+
+- Diversify the admin key which allows the user to unblock the PIN in a PIN-blocked scenario.
+
+- Change the PIN.
+
+- Reset or Unblock the PIN.
+
+- Destroy the virtual smart card.
+
+**What works differently?**
+
+Starting with Windows 8.1, Windows Store app developers are able to build apps that have the capability to prompt the user to reset or unblock and change a virtual smart card PIN. This places more responsibility on the user to maintain their virtual smart card but it can also provide a more consistent user experience and administration experience in your organization.
+
+For more information about developing Windows Store apps with these capabilities, see [Trusted Platform Module Virtual Smart Card Management Protocol](https://msdn.microsoft.com/library/hh880895.aspx).
+
+For more information about managing these capabilities in virtual smart cards, see [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md).
+
+## Hardware requirements
+
+To use the virtual smart card technology, TPM 1.2 is the minimum required for computers running Windows 10 or Windows Server 2016.
+
+## Software requirements
+
+To use the virtual smart card technology, computers must be running one of the following operating systems:
+
+- Windows Server 2016
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows 10
+- Windows 8.1
+- Windows 8
+
+## See also
+
+- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
+- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
+- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
+- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
+- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
+- [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
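Review bot: typo at the start of the BitLocker for data volumes paragraph, "sBitLocker Drive Encryption" should be "BitLocker Drive Encryption". The heading "Two-factor authentication‒based remote access" uses a figure dash character rather than an ASCII hyphen ("authentication-based"), which will look inconsistent with the rest of the doc set; and "as if it was a physical smart card" should read "as if it were".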
diff --git a/windows/keep-secure/virtual-smart-card-tpmvscmgr.md b/windows/keep-secure/virtual-smart-card-tpmvscmgr.md
new file mode 100644
index 0000000000..d66bd95806
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-tpmvscmgr.md
@@ -0,0 +1,84 @@
+---
+title: Tpmvscmgr (Windows 10)
+description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Tpmvscmgr
+
+Applies To: Windows 10, Windows Server 2016
+
+The Tpmvscmgr command-line tool allows users with Administrative credentials to create and delete TPM virtual smart cards on a computer. For examples of how this command can be used, see [Examples](#examples).
+
+## Syntax
+
+`Tpmvscmgr create [/quiet] /name /AdminKey {DEFAULT | PROMPT | RANDOM} [/PIN {DEFAULT | PROMPT}] [/PUK {DEFAULT | PROMPT}] [/generate] [/machine ] [/pinpolicy [policy options]] [/attestation {AIK_AND_CERT | AIK_ONLY}] [/?]`
+
+`Tpmvscmgr destroy [/quiet] [/instance ] [/machine ] [/?]`
+
+### Parameters for Create command
+
+The Create command sets up new virtual smart cards on the user’s system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format ROOT\\SMARTCARDREADER\\000n where n starts from 0 and is increased by 1 each time you create a new virtual smart card.
+
+| Parameter | Description |
+|-----------|-------------|
+| /name | Required. Indicates the name of the new virtual smart card. |
+| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN. **DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708. **PROMPT** Prompts the user to enter a value for the administrator key. **RANDOM** Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key must be entered as 48 hexadecimal characters. |
+| /PIN | Indicates desired user PIN value. **DEFAULT** Specifies the default PIN of 12345678. **PROMPT** Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. |
+| /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK. **DEFAULT** Specifies the default PUK of 12345678. **PROMPT** Prompts the user to enter a PUK at the command line. |
+| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft System Center Configuration Manager. |
+| /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. |
+| /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options: **minlen** <minimum PIN length> If not specificed, defaults to 8. The lower bound is 4. **maxlen** <maximum PIN length> If not specificed, defaults to 127. The upper bound is 127. **uppercase** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.** **lowercase** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.** **digits** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.** **specialchars** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
When using **/pinpolicy**, PIN characters must be printable ASCII characters. |
+| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](https://msdn.microsoft.com/library/mt766230.aspx#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are: **AIK_AND_CERT** Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](https://msdn.microsoft.com/library/cc249746.aspx#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail. **AIK_ONLY** Creates an AIK but does not obtain an AIK certificate. |
+| /? | Displays Help for this command. |
+
+### Parameters for Destroy command
+
+The Destroy command securely deletes a virtual smart card from a computer.
+
+> [!WARNING]
+> When a virtual smart card is deleted, it cannot be recovered.
+
+| **Parameter** | **Description** |
+|---------------|-------------------|
+| /instance | Specifies the instance ID of the virtual smart card to be removed. The instanceID was generated as output by Tpmvscmgr.exe when the card was created. The **/instance** parameter is a required field for the Destroy command. |
+| /machine | Allows you to specify the name of a remote computer on which the virtual smart card will be deleted. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in deleting a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. |
+| /? | Displays Help for this command. |
+
+## Remarks
+
+Membership in the Administrators group (or equivalent) on the target computer is the minimum required to run all the parameters of this command.
+
+For alphanumeric inputs, the full 127 character ASCII set is allowed.
+
+## Examples
+
+The following command shows how to create a virtual smart card that can be later managed by a smart card management tool launched from another computer.
+
+ tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey DEFAULT /PIN PROMPT
+
+Alternatively, instead of using a default administrator key, you can create an administrator key at the command line. The following command shows how to create an administrator key.
+
+ tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /PIN PROMPT
+
+The following command will create the unmanaged virtual smart card that can be used to enroll certificates.
+
+ tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey RANDOM /PIN PROMPT /generate
+
+The preceding command will create a virtual smart card with a randomized administrator key. The key is automatically discarded after the card is created. This means that if the user forgets the PIN or wants to the change the PIN, the user needs to delete the card and create it again. To delete the card, the user can run the following command.
+
+ tpmvscmgr.exe destroy /instance
+
+where <instance ID> is the value printed on the screen when the user created the card. Specifically, for the first card created, the instance ID is ROOT\\SMARTCARDREADER\\0000.
+
+The following command will create a TPM virtual smart card with the default value for the administrator key and a specified PIN policy and attestation method:
+
+ tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate
+
+## Additional references
+
+- [Virtual Smart Card Overview](virtual-smart-card-overview.md)
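Review bot: the PIN length rules in this topic contradict each other: the /PIN row says "The PIN must be a minimum of eight characters", the /pinpolicy row says minlen "defaults to 8. The lower bound is 4", and the last example passes "/pinpolicy minlen 4 maxlen 8"; state once which limit applies (it reads as eight by default, overridable down to four with /pinpolicy) and make the /PIN row and the "PIN, PIN Unlock Key (PUK), and Administrative key requirements" row in use-virtual-smart-cards.md say the same thing. In the /AdminKey row, "When generated with RANDOM, the administrator key must be entered as 48 hexadecimal characters" is attached to the wrong option: with RANDOM nothing is entered (the preceding sentence says the key is not returned to the user), so the 48-hex-character requirement belongs under PROMPT. The well-known DEFAULT values (admin key 010203...0708, PIN and PUK 12345678) need a warning of the kind given for Destroy: a card created with "/AdminKey DEFAULT" can have its PIN reset by anyone who has read this page, so DEFAULT should be limited to cards a management system will re-key immediately. The placeholders have been lost from the syntax lines and the destroy example: "/name", "/machine ", "/instance " and "tpmvscmgr.exe destroy /instance" should carry the name, computer name and instance ID placeholders (the prose under that example still refers to "<instance ID>"), and the "<minimum PIN length>" style placeholders in the /pinpolicy row will be swallowed as HTML unless escaped. Smaller fixes: "specificed" appears twice; the /pinpolicy cell contains a raw line break ("When using **/pinpolicy**, PIN characters must be printable ASCII characters." sits on its own line without the leading +), which breaks both the table and the hunk; "the full 127 character ASCII set" in Remarks disagrees with "printable ASCII characters" just above it (ASCII has 128 code points, 95 of them printable); "instanceID" should be "instance ID"; and in the RANDOM example the statement that the user must delete and re-create the card "if the user forgets the PIN or wants to the change the PIN" is wrong as well as a typo, since use-virtual-smart-cards.md says the PIN can be changed from Ctrl+Alt+Del with the old PIN; only a forgotten PIN needs the administrator key.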
diff --git a/windows/keep-secure/virtual-smart-card-understanding-and-evaluating.md b/windows/keep-secure/virtual-smart-card-understanding-and-evaluating.md
new file mode 100644
index 0000000000..f32fddbf0b
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-understanding-and-evaluating.md
@@ -0,0 +1,136 @@
+---
+title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
+description: This topic for IT professional provides information about how smart card technology can fit into your authentication design, and provides links to additional topics about virtual smart cards.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Understanding and Evaluating Virtual Smart Cards
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes the virtual smart card technology that was developed by Microsoft; suggests how it can fit into your authentication design; and provides links to additional resources that you can use to design, deploy, and troubleshoot virtual smart cards.
+
+Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
+
+Virtual smart cards are functionally similar to physical smart cards. They appear as always-inserted smart cards, and they can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. Because TPM-enabled hardware is readily available and virtual smart cards can be easily deployed by using existing certificate enrollment methods, virtual smart cards can become a full replacement for other methods of strong authentication in a corporate setting of any scale.
+
+This topic contains the following sections:
+
+- [Comparing virtual smart cards with physical smart cards](#comparing-virtual-smart-cards-with-physical-smart-cards):
+ Compares properties, functional aspects, security, and cost.
+
+- [Authentication design options](#authentication-design-options):
+ Describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization.
+
+- [See also](#see-also):
+ Links to other topics that can help you design, deploy, and troubleshoot virtual smart cards.
+
+## Comparing virtual smart cards with physical smart cards
+
+Virtual smart cards function much like physical smart cards, but they differ in that they protect private keys by using the TPM of the computer instead of smart card media.
+
+A virtual smart card appears to applications as a conventional smart card. Private keys in the virtual smart card are protected, not by isolation of physical memory, but by the cryptographic capabilities of the TPM. All sensitive information is encrypted by using the TPM and then stored on the hard drive in its encrypted form.
+
+All cryptographic operations occur in the secure, isolated environment of the TPM, and the unencrypted private keys are never used outside this environment. So like physical smart cards, virtual smart cards remain secure from any malware on the host. Additionally, if the hard drive is compromised in some way, a malicious user will not be able to access keys that are stored in the virtual smart card because they are securely encrypted by using the TPM. Keys can also be protected by BitLocker Drive Encryption.
+
+Virtual smart cards maintain the three key properties of physical smart cards:
+
+- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer.
+ For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
+
+- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
+
+- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.
+ For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
+
+The following subsections compare the functionality, security, and cost of virtual smart cards and physical smart cards.
+
+**Functionality**
+
+The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There is no method to export the user’s virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users.
+
+The basic user experience for a virtual smart card is as simple as using a password to access a network. Because the smart card is loaded by default, the user must simply enter the PIN that is tied to the card to gain access. Users are no longer required to carry cards and readers or to take physical action to use the card.
+
+Additionally, although the anti-hammering functionality of the virtual smart card is equally secure to that of a physical smart card, virtual smart card users are never required to contact an administrator to unblock the card. Instead, they simply wait a period of time (depending on the TPM specifications) before they reattempt to enter the PIN. Alternatively, the administrator can reset the lockout by providing owner authentication data to the TPM on the host computer.
+
+**Security**
+
+Physical smart cards and virtual smart cards offer comparable levels of security. They both implement two-factor authentication for using network resources. However, they differ in certain aspects, including physical security and the practicality of an attack. Due to their compact and portable design, conventional smart cards are most frequently kept close to their intended user. They offer little opportunity for acquisition by a potential adversary, so any sort of interaction with the card is difficult without committing some variety of theft.
+
+TPM virtual smart cards, however, reside on a user’s computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack somewhat simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user.
+
+However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user will more immediately notice its loss than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised.
+
+**Cost**
+
+If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market.
+
+Additionally, the maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently.
+
+**Comparison summary**
+
+| Physical Smart Cards | TPM virtual smart cards |
+|---------------------|-------------------|
+| Protects private keys by using the built-in cryptographic functionality of the card. | Protects private keys by using the cryptographic functionality of the TPM. |
+| Stores private keys in isolated non-volatile memory on the card, which means that access to private keys is only from the card, and access is never allowed to the operating system. | Stores encrypted private keys on the hard drive. The encryption ensures that these keys can only be decrypted and used in the TPM, not in the accessible memory of the operating system. |
+| Guarantees non-exportability through the card manufacturer, which includes isolating private information from operating system access. | Guarantees non-exportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. |
+| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user’s computer or device. |
+| Provides anti-hammering through the card. After a certain number of failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. |
+| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without additional equipment. |
+| Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. |
+| Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. |
+| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user’s computer, which may be left unattended and allow a greater risk window for hammering attempts. |
+| Provides a generally single-purpose device that is carried explicitly for the purpose of authentication. The smart card can be easily misplaced or forgotten. | Installs the virtual smart card on a device that has other purposes for the user, so the user has greater incentive to be responsible for the computer or device. |
+| Alerts users that their card is lost or stolen only when they need to sign in and notice it is missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. |
+| Requires companies to invest in smart cards and smart card readers for all employees. | Requires that companies ensure all employees have TPM-enabled computers, which are relatively common. |
+| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user’s sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and cannot be removed from the computer. |
+
+## Authentication design options
+
+The following section presents several commonly used options and their respective strengths and weaknesses, which organizations can consider for authentication.
+
+**Passwords**
+
+A password is a secret string of characters that is tied to the identification credentials for a user’s account. This establishes the user’s identity. Although passwords are the most commonly used form of authentication, they are also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users.
+
+Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they cannot be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user’s password and impersonate that person’s identity. A user often will not realize that the password is compromised, which makes it is easy for a malicious user to maintain access to a system if a valid password has been obtained.
+
+**One-time passwords**
+
+A one-time password (OTP) is similar to a traditional password, but it is more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. However, assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor cannot use it for any future transactions. Similarly, if a malicious user obtains a valid user’s OTP, the interceptor will have limited access to the system (only one session).
+
+**Smart cards**
+
+Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security:
+
+- **Non-exportability**: Information stored on the card, such as the user’s private keys, cannot be extracted from one device and used in another medium.
+
+- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer cannot observe the transactions.
+
+- **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken.
+
+Smart cards provide greatly enhanced security over passwords alone, because it is much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It is extremely difficult for a thief to acquire the card and the PIN.
+
+Additional security is achieved by the singular nature of the card because only one copy of the card exists, only one individual can use the sign-in credentials, and users will quickly notice if the card has been lost or stolen. This greatly reduces the risk window of credential theft when compared to using a password alone.
+
+Unfortunately, this additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and they also can be easily misplaced or stolen.
+
+**Virtual smart cards**
+
+To address these issues, virtual smart cards emulate the functionality of traditional smart cards, but instead of requiring the purchase of additional hardware, they utilize technology that users already own and are more likely to have with them at all times. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. However, the virtual smart card platform developed by Microsoft is currently limited to the use of the Trusted Platform Module (TPM) chip, which is installed on most modern computers.
+
+Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards (non-exportability, isolated cryptography, and anti-hammering). They are also less expensive to implement and more convenient for users. Because many corporate computers already have a built-in TPM, there is no cost associated with purchasing new hardware. The user’s possession of a computer or device is equivalent to the possession of a smart card, and a user’s identity cannot be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card.
+
+## See also
+
+- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md)
+
+- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
+
+- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
+
+- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
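Review bot: "So like physical smart cards, virtual smart cards remain secure from any malware on the host" claims more than the surrounding text supports: what the TPM provides is that the private key cannot be extracted or used on another machine, but this same topic says the card "is essentially a smart card that is always inserted", and use-virtual-smart-cards.md in this change says anyone who knows the PIN can use every card on the computer, so code running as the signed-in user that obtains the PIN can still have the card sign or decrypt for it; scope the sentence to key extraction and say plainly that the PIN is what stands between host malware and key use. Likewise "virtual smart cards are fully protected from hammering" in the Security subsection should be softened to match the anti-hammering bullet above it, which describes a time delay rather than a block, and the comparison table row that says the lockout "can be reset by an administrator". In the same subsection, revoking the certificate "precludes any future unauthorized access on that computer or device" holds only once relying parties check revocation; say "prevents further authentication with that certificate" instead. Finally, the non-exportability bullet's "a malicious user cannot reverse engineer an identical TPM" is stated as a certainty where the sentence's own "designed to be tamper-resistant" is the supportable claim; keep the qualified wording here and leave the detailed argument to the linked Evaluate Virtual Smart Card Security topic.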
diff --git a/windows/keep-secure/virtual-smart-card-use-virtual-smart-cards.md b/windows/keep-secure/virtual-smart-card-use-virtual-smart-cards.md
new file mode 100644
index 0000000000..6dfa73df29
--- /dev/null
+++ b/windows/keep-secure/virtual-smart-card-use-virtual-smart-cards.md
@@ -0,0 +1,95 @@
+---
+title: Use Virtual Smart Cards (Windows 10)
+description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Use Virtual Smart Cards
+
+Applies To: Windows 10, Windows Server 2016
+
+This topic for the IT professional describes requirements for virtual smart cards, how to use virtual smart cards, and tools that are available to help you create and manage them.
+
+## Requirements, restrictions, and limitations
+
+| Area | Requirements and details |
+|-------------|---------------------------|
+| Supported operating systems | Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Windows 10 Windows 8.1 Windows 8 |
+| Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). |
+| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.
**Note** You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they are always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them. |
+| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key is not generated. |
+| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters. The Administrative key must be entered as 48 hexadecimal characters. It is a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. |
+
+## Using Tpmvscmgr.exe
+
+To create and delete TPM virtual smart cards for end users, the Tpmvscmgr command-line tool is included as a command-line tool with the operating system. You can use the **Create** and **Delete** parameters to manage virtual smart cards on local or remote computers. For information about using this tool, see [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
+
+## Create and delete virtual smart cards programmatically
+
+Virtual smart cards can also be created and deleted by using APIs. For more information, see the following classes and interfaces:
+
+- [TpmVirtualSmartCardManager](https://msdn.microsoft.com/library/windows/desktop/hh707171(v=vs.85).aspx)
+
+- [RemoteTpmVirtualSmartCardManager](https://msdn.microsoft.com/library/windows/desktop/hh707166(v=vs.85).aspx)
+
+- [ITpmVirtualSmartCardManager](https://msdn.microsoft.com/library/windows/desktop/hh707160(v=vs.85).aspx)
+
+- [ITPMVirtualSmartCardManagerStatusCallBack](https://msdn.microsoft.com/library/windows/desktop/hh707161(v=vs.85).aspx)
+
+You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Windows Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](http://channel9.msdn.com/events/build/2013/2-041).
+
+The following table describes the features that can be developed in a Windows Store app:
+
+| Feature | Physical Smart Card | Virtual Smart Card |
+|----------------------------------------------|---------------------|--------------------|
+| Query and monitor smart card readers | Yes | Yes |
+| List available smart cards in a reader, and retrieve the card name and card ID | Yes | Yes |
+| Verify if the administrative key of a card is correct | Yes | Yes |
+| Provision (or reformat) a card with a given card ID | Yes | Yes |
+| Change the PIN by entering the old PIN and specifying a new PIN | Yes | Yes |
+| Change the administrative key, reset the PIN, or unblock the smart card by using a challenge/response method | Yes | Yes |
+| Create a virtual smart card | Not applicable | Yes |
+| Delete a virtual smart card | Not applicable | Yes |
+| Set PIN policies | No | Yes |
+
+For more information about these Windows APIs, see:
+
+- [Windows.Devices.SmartCards namespace (Windows)](https://msdn.microsoft.com/library/windows/apps/windows.devices.smartcards.aspx)
+
+- [Windows.Security.Cryptography.Certificates namespace (Windows)](https://msdn.microsoft.com/library/windows/apps/windows.security.cryptography.certificates.aspx)
+
+## Distinguishing TPM-based virtual smart cards from physical smart cards
+
+To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card.
+
+
+
+A TPM-based virtual smart card is labeled **Security Device** in the user interface.
+
+## Changing the PIN
+
+The PIN for virtual smart card can be changed by pressing Ctrl+Alt+Del, and then selecting the TPM virtual smart card under **Sign in options**.
+
+## Resolving issues
+
+### TPM not provisioned
+
+For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it is not provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail.
+
+If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it will need to be re-created.
+
+If the TPM ownership was established on a Windows Vista installation, the TPM will not be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards.
+
+If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created. If the operating system is upgraded, prior TPM virtual smart cards will be available to use in the upgraded operating system.
+
+### TPM in lockout state
+
+Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it is necessary to reset the lockout on the TPM by using the owner’s password or to wait for the lockout to expire. Unblocking the user PIN does not reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it is blocked. When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool.
+
+## See also
+
+For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md).
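Review bot: The namespace name is inconsistent within this new file: the paragraph under the API list says "Windows.Device.SmartCards" while the link list below it says "Windows.Devices.SmartCards"; the plural form is the one the linked MSDN URL uses, so the prose should be corrected to match. The "Distinguishing TPM-based virtual smart cards" section also announces "The following icon is displayed" and is then followed only by blank lines, so the image reference appears to be missing from the commit. Finally, the "TPM in lockout state" paragraph packs several distinct points into one run-on block (lockout reset needs the owner password or a wait; unblocking the user PIN does not clear TPM lockout; the card merely looks blocked; the PIN may then need a reset with Tpmvscmgr); splitting it into a short list would make the recovery order clearer to an administrator.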
diff --git a/windows/keep-secure/vpn-name-resolution.md b/windows/keep-secure/vpn-name-resolution.md
index d9a7d32a58..a167777105 100644
--- a/windows/keep-secure/vpn-name-resolution.md
+++ b/windows/keep-secure/vpn-name-resolution.md
@@ -21,11 +21,11 @@ The name resolution setting in the VPN profile configures how name resolution sh
## Name Resolution Policy table (NRPT)
-The NRPT is a table of namespaces that determines the DNS client’s havior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
+The NRPT is a table of namespaces that determines the DNS client’s behavior when issuing name resolution queries and processing responses. It is the first place that the stack will look after the DNSCache.
There are 3 types of name matches that can set up for NRPT:
-- Fully qualified domain name (FQDN) that can used for direct matching to a name
+- Fully qualified domain name (FQDN) that can be used for direct matching to a name
- Suffix match results in either a comparison of suffixes (for FQDN resolution) or the appending of the suffix (in case of a short name)
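Review bot: The same kind of slip fixed on the FQDN bullet is still present on the unchanged introductory line "There are 3 types of name matches that can set up for NRPT:", which should read "can be set up for NRPT"; worth fixing in the same pass since only two of the three bullets were touched.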
diff --git a/windows/keep-secure/vpn-routing.md b/windows/keep-secure/vpn-routing.md
index 5065c6aaa5..3372161696 100644
--- a/windows/keep-secure/vpn-routing.md
+++ b/windows/keep-secure/vpn-routing.md
@@ -23,7 +23,7 @@ In a split tunnel configuration, routes can be specified to go over VPN and all
Routes can be configured using the VPNv2/*ProfileName*/RouteList setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
-For each route item in the list the following can be specified:
+For each route item in the list, the following can be specified:
- **Address**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Address
- **Prefix size**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Prefix
@@ -37,11 +37,11 @@ Routes can also be added at connect time through the server for UWP VPN apps.
In a force tunnel configuration, all traffic will go over VPN. This is the default configuration and takes effect if no routes are specified.
-The only implication of this setting is the manipulation of routing entries. In the case of a force Tunnel VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower Metric than ones for other interfaces. This sends traffic through the VPN as long as there isn’t a specific route on the Physical Interface itself.
+The only implication of this setting is the manipulation of routing entries. In the case of a force tunnel, VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower metric than ones for other interfaces. This sends traffic through the VPN as long as there isn’t a specific route on the physical interface itself.
For built-in VPN, this decision is controlled using the MDM setting **VPNv2/ProfileName/NativeProfile/RoutingPolicyType**.
-For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in passes only 2 include routes (default route for both v4 and v6), the Windows VPN Platform marks the VPN as force tunnel.
+For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in indicates the default route for IPv4 and IPv6 as the only two Inclusion routes, the VPN platform marks the connection as Force Tunneled.
## Configure routing
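Review bot: The rewritten sentence still carries "for example. 0.0.0.0/0" with a period after "for example" where a comma belongs, and since the text says both V4 and V6 default routes are added it would help to cite both, "(for example, 0.0.0.0/0 and ::/0)". The second rewrite also introduces capitalised "Inclusion routes" and "Force Tunneled" while the surrounding lines use lower-case "force tunnel" and "split tunnel"; pick one style for the page.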
diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md
index 5ad7eddc7a..6333401752 100644
--- a/windows/keep-secure/windows-10-security-guide.md
+++ b/windows/keep-secure/windows-10-security-guide.md
@@ -21,7 +21,7 @@ This guide provides a detailed description of the most important security improv
#### Introduction
Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors. Three broad categories of security work went into Windows 10:
-- [**Identity and access control**](#identity) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials.
+- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello for Business, which better protects user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials.
- [**Information protection**](#information) that guards information at rest, in use, and in transit. In addition to BitLocker and BitLocker To Go for protection of data at rest, Windows 10 includes file-level encryption with Enterprise Data Protection that performs data separation and containment and, when combined with Rights Management services, can keep data encrypted when it leaves the corporate network. Windows 10 can also help keep data secure by using virtual private networks (VPNs) and Internet Protocol Security.
- [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10.
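Review bot: Only the first bullet's anchor is updated to the heading-slug form ("#identity-and-access-control"); the sibling bullets still link to "#information" and "#malware", which follow the old short-anchor convention that the first bullet evidently no longer resolves against. Check whether those two headings have explicit bookmarks and, if not, update them to the slug form in this same change so all three links in the list behave the same way.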
@@ -50,10 +50,10 @@ Table 1. Windows 10 solutions to typical access control challenges
Organizations frequently use passwords because the alternative methods are too complex and costly to deploy.
Organizations that choose password alternatives such as smart cards must purchase and manage smart card readers, smart cards, and management software. These solutions delay productivity when the MFA component is lost or damaged. Consequently, MFA solutions like smart cards tend to be used only for VPN and select assets.
-
Windows Hello on biometric-capable devices and Microsoft Passport enable simpler MFA.
+
Windows Hello for Business enables simpler MFA.
-
Tablet users must type their password on a touchscreen, which is error prone and less efficient than a keyboard. Windows Hello enables secure facial recognition–based authentication.
+
Tablet users must type their password on a touchscreen, which is error prone and less efficient than a keyboard.
Windows Hello enables secure facial recognition–based authentication.
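Review bot: This hunk only moves blank lines, but the surrounding table cell contains what looks like merge residue: "Windows Hello on biometric-capable devices and Microsoft Passport enable simpler MFA." sits directly above its replacement "Windows Hello for Business enables simpler MFA.", and the tablet sentence appears twice (once with the facial-recognition clause attached, once split across two lines). Given that the same patch removes a stray ">>>>>>> refs/remotes/origin/master" marker further down and renames Microsoft Passport to Windows Hello everywhere else, the stale copies should be deleted here rather than re-spaced.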
@@ -62,7 +62,7 @@ Table 1. Windows 10 solutions to typical access control challenges
Users dislike typing their passwords.
-
Single sign-on (SSO) allows users to sign in once with their Microsoft Passport and get access to all corporate resources without the need to re-authenticate.
+
Single sign-on (SSO) allows users to sign in once with Windows Hello and get access to all corporate resources without the need to re-authenticate.
Windows Hello enables secure fingerprint- and facial recognition–based authentication and can be used to revalidate user presence when sensitive resources are accessed.
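Review bot: Same duplication as in the previous table row: the unchanged line "Single sign-on (SSO) allows users to sign in once with their Microsoft Passport ..." is immediately followed by the Windows Hello version of the sentence, so the cell will render both. Drop the Microsoft Passport copy instead of just adjusting the blank line between them.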
@@ -74,36 +74,39 @@ Table 1. Windows 10 solutions to typical access control challenges
The sections that follow describe these challenges and solutions in more detail.
-### Microsoft Passport
+### Windows Hello
-Microsoft Passport provides strong two-factor authentication (2FA), fully integrated into Windows, and replaces passwords with the combination of an enrolled device and either a PIN or Windows Hello. Microsoft Passport is conceptually similar to smart cards but more flexible. Authentication is performed by using an asymmetric key pair instead of a string comparison (for example, password), and the user’s key material can be secured by using hardware.
-Unlike smart cards, Microsoft Passport does not require the extra infrastructure components required for smart card deployment. In particular, you do not need public key infrastructure (PKI). If you already use PKI – for example, in secure email or VPN authentication – you can use the existing infrastructure with Microsoft Passport. Microsoft Passport combines the major advantages of smart card technology – deployment flexibility for virtual smart cards and robust security for physical smart cards – without any of their drawbacks.
+Windows Hello provides strong two-factor authentication (2FA), fully integrated into Windows, and replaces passwords with the combination of an enrolled device and either a PIN or biometric gesture. Windows Hello is conceptually similar to smart cards but more flexible. Authentication is performed by using an asymmetric key pair instead of a string comparison (for example, password), and the user’s key material can be secured by using hardware.
+Unlike smart cards, Windows Hello does not require the extra infrastructure components required for smart card deployment. In particular, you do not need public key infrastructure (PKI). If you already use PKI – for example, in secure email or VPN authentication – you can use the existing infrastructure with Windows Hello. Windows Hello combines the major advantages of smart card technology – deployment flexibility for virtual smart cards and robust security for physical smart cards – without any of their drawbacks.
-Microsoft Passport offers three significant advantages over the current state of Windows authentication: It’s more flexible, it’s based on industry standards, and it effectively mitigates risks. The sections that follow look at each of these advantages in more detail.
+>[!NOTE]
+>When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+
+Windows Hello offers three significant advantages over the current state of Windows authentication: It’s more flexible, it’s based on industry standards, and it effectively mitigates risks. The sections that follow look at each of these advantages in more detail.
#### It’s flexible
-Microsoft Passport offers unprecedented flexibility. Although the format and use of passwords and smart cards is fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with biometric sensors and PINs. Next, you can use your PC or even your phone as one of the factors to authenticate on your PC. Finally, your user credentials can come from your PKI infrastructure, or Windows can create the credential itself.
+Windows Hello offers unprecedented flexibility. Although the format and use of passwords and smart cards is fixed, Windows Hello gives both administrators and users options to manage authentication. First and foremost, Windows Hello works with biometric sensors and PINs. Next, you can use your PC or even your phone as one of the factors to authenticate on your PC. Finally, your user credentials can come from your PKI infrastructure, or Windows can create the credential itself.
-Microsoft Passport gives you options beyond long, complex passwords. Instead of requiring users to memorize and retype frequently-changed passwords, Microsoft Passport enables PIN- and biometrics-based authentication through Windows Hello to securely identify users.
+MWindows Hello gives you options beyond long, complex passwords. Instead of requiring users to memorize and retype frequently-changed passwords, Windows Hello enables PIN- and biometrics-based authentication to securely identify users.
-With Microsoft Passport, you gain flexibility in the data center, too. To deploy it, you must add Windows Server 2016 domain controllers to your Active Directory environment, but you do not have to replace or remove your existing Active Directory servers: Microsoft Passport builds on and adds to your existing infrastructure. You can either add on premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport to your network. The choice of which users to enable for Microsoft Passport use is completely up to you – you choose which items to protect and which authentication factors you want to support. This flexibility makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding 2FA to users who do not currently have it, or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems.
+With Windows Hello for Business, you gain flexibility in the data center, too. To deploy it, you must add Windows Server 2016 domain controllers to your Active Directory environment, but you do not have to replace or remove your existing Active Directory servers: Windows Hello for Business builds on and adds to your existing infrastructure. You can either add on premises servers or use Microsoft Azure Active Directory to deploy Windows Hello for Business to your network. The choice of which users to enable for Windows Hello for Business use is completely up to you – you choose which items to protect and which authentication factors you want to support. This flexibility makes it easy to use Windows Hello for Business to supplement existing smart card or token deployments by adding 2FA to users who do not currently have it, or to deploy Windows Hello for Business in scenarios that call for extra protection for sensitive resources or systems.
#### It’s standardized
Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end: The future lies with open, interoperable systems that allow secure authentication across a variety of devices, line of business (LOB) apps, and external applications and websites. To this end, a group of industry players formed FIDO, the Fast IDentity Online Alliance. The FIDO Alliance is a nonprofit organization intended to address the lack of interoperability among strong authentication devices, as well as the problems users face when they need to create and remember multiple user names and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plug ins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.
-In 2014, Microsoft joined the board of the [FIDO Alliance](https://go.microsoft.com/fwlink/p/?LinkId=626934). FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards, and of course, on new ideas. Microsoft has contributed Microsoft Passport technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike.
+In 2014, Microsoft joined the board of the [FIDO Alliance](https://go.microsoft.com/fwlink/p/?LinkId=626934). FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards, and of course, on new ideas. Microsoft has contributed Windows Hello technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike.
#### It’s effective
-Microsoft Passport effectively mitigates two major security risks. First, it eliminates the use of passwords for logon and so reduces the risk that a nefarious attacker will steal and reuse the user’s credentials. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Second, because Microsoft Passport uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised.
+Windows Hello effectively mitigates two major security risks. First, it eliminates the use of passwords for sign-in and so reduces the risk that a nefarious attacker will steal and reuse the user’s credentials. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Second, because Windows Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised.
-To compromise a Microsoft Passport credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. This sets the bar magnitudes of order higher than password phishing attacks.
+To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. This sets the bar magnitudes of order higher than password phishing attacks.
-### Windows Hello
+### Biometric sign-in
-Windows Hello is the name given to the new biometric sign-in option for Microsoft Passport. Because biometric authentication is built directly into the operating system, Windows Hello allows users to unlock their devices by using their face or fingerprint. From here, authentication to the devices and resources is enabled through a combination of the user’s unique biometric identifier and the device itself.
+Because biometric authentication is built directly into the operating system, Windows Hello allows users to unlock their devices by using their face or fingerprint. From here, authentication to the devices and resources is enabled through a combination of the user’s unique biometric identifier and the device itself.
The user’s biometric data that is used for Windows Hello is considered a local gesture and consequently doesn’t roam among a user’s devices and is not centrally stored. The biometric image of the user the sensor takes is converted into an algorithmic form that cannot be converted back into the original image that the sensor took. Devices that have TPM 2.0 encrypt the biometric data in a form that makes it unreadable if the data is ever removed from the device. If multiple users share a device, each user will be able to enroll and use Windows Hello for his or her Windows profile.
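Review bot: The rename introduces a typo on the added line "MWindows Hello gives you options beyond long, complex passwords." (stray leading "M"). While touching this paragraph, the carried-over phrase "sets the bar magnitudes of order higher" should read "orders of magnitude higher". One consistency point: the "It's effective" paragraph now states that user key material "is generated and available within the Trusted Platform Module", but a later hunk in this same file says Windows Hello for Business does not require a TPM; consider qualifying the sentence here ("when a TPM is present") so the two statements agree.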
@@ -269,7 +272,6 @@ For more information about how to configure Network Unlock, see [BitLocker: How
### Microsoft BitLocker Administration and Monitoring
->>>>>>> refs/remotes/origin/master
Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
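Review bot: Removing the leftover ">>>>>>> refs/remotes/origin/master" line is correct, but a trailing conflict marker rarely survives alone; the matching "<<<<<<<" and "=======" markers may have been deleted earlier while the duplicated content between them was kept, which matches the double rows seen in Table 1 of this file. Grep the file for the other markers and for repeated sentences before merging.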
@@ -436,7 +438,7 @@ The functionality a TPM provides includes:
Microsoft combined this small list of TPM benefits with Windows 10 and other hardware security technologies to provide practical security and privacy benefits.
-Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measure-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
+Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measured-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
Windows 10 supports TPM implementations that comply with either the 1.2 or 2.0 standards. Several improvements have been made in the TPM 2.0 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. At the time the TPM 1.2 standard was created in the early 2000s, these algorithms were considered cryptographically strong. Since that time, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection as well as the ability to plug in algorithms that may be preferred in certain geographies or industries. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself.
@@ -451,7 +453,7 @@ Several Windows 10 security features require TPM:
* Health attestation (requires TPM 2.0 or later)
* InstantGo (requires TPM 2.0 or later)
-Other Windows 10 security features like BitLocker may take advantage of TPM if it is available but do not require it to work. An example of this is Microsoft Passport.
+Other Windows 10 security features like BitLocker may take advantage of TPM if it is available but do not require it to work. An example of this is Windows Hello for Business.
All of these features are covered in this document.
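Review bot: The renamed example ("An example of this is Windows Hello for Business") is fine as a statement that the feature works without a TPM, but it contradicts the unqualified "key material is generated and available within the TPM" wording adopted earlier in this same patch. Either hunk can carry the caveat, but one of them should say that the key is hardware-protected only when a TPM is present and is otherwise software-protected, since that distinction matters to anyone assessing the credential-theft mitigation the page claims.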
@@ -576,7 +578,7 @@ The core functionality and protection of Device Guard starts at the hardware lev
Device Guard leverages VBS to isolate its Hypervisor Code Integrity (HVCI) service, which enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s IOMMU functionality to force all software running in kernel mode to safely allocate memory. This means that after memory has been allocated, its state must be changed from writable to read only or execute only. By forcing memory into these states, it helps ensure that attacks are unable to inject malicious code into kernel mode processes and drivers through techniques such as buffer overruns or heap spraying. In the end, the VBS environment protects the Device Guard HVCI service from tampering even if the operating system’s kernel has been fully compromised, and HVCI protects kernel mode processes and drivers so that a compromise of this magnitude can't happen in the first place.
-Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#dgwithcg) section.
+Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#device-guard-with-credential-guard) section.
#### Device Guard with AppLocker
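Review bot: The anchor change to "#device-guard-with-credential-guard" is the only edit here, but the unchanged HVCI sentence above it ("HVCI uses the processor's IOMMU functionality to force all software running in kernel mode to safely allocate memory") attributes the kernel-memory W^X enforcement to the IOMMU; that enforcement is done through the hypervisor's second-level address translation, with the IOMMU serving DMA protection. Since this paragraph is being revisited anyway, it is worth correcting the mechanism rather than leaving the anchor fix alone.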
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index 9b54a7e5a7..e82ec6f3d5 100644
--- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -36,7 +36,7 @@ This guide is intended for IT pros, system administrators, and IT managers, and
| Section | Description |
| - | - |
-| [Set profile global defaults](#set-profile-global-defaults) | Enable and control firewall behavior|
+| [Set profile global defaults](#bkmk-profileglobaldefaults) | Enable and control firewall behavior|
| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules|
| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`|
| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters|
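Review bot: Switching one row to "#bkmk-profileglobaldefaults" while the other three rows keep heading-slug anchors ("#deploy-basic-firewall-rules", "#manage-remotely", "#deploy-basic-ipsec-rule-settings") is inconsistent; confirm that the "Set profile global defaults" heading actually carries an explicit bookmark with that id, and if the other headings do too, update them the same way so the table does not mix the two conventions.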
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index 71157f3110..54af0df920 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -9,7 +9,7 @@
### [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-### [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+### [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
### [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
#### [Configure Windows Update for Business](waas-configure-wufb.md)
#### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
diff --git a/windows/manage/app-inventory-management-windows-store-for-business.md b/windows/manage/app-inventory-management-windows-store-for-business.md
index ec263eede3..e228b7bbba 100644
--- a/windows/manage/app-inventory-management-windows-store-for-business.md
+++ b/windows/manage/app-inventory-management-windows-store-for-business.md
@@ -209,6 +209,19 @@ For each app in your inventory, you can view and manage license details. This gi
Store for Business updates the list of assigned licenses.
+### Purchase additional licenses
+You can purchase additional licenses for apps in your Inventory.
+
+**To purchase additional app licenses**
+
+1. Sign in to [Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845)
+2. Click **Manage**, and then choose **Inventory**.
+3. From **Inventory**, click an app.
+4. On the app page, click **View app details**.
+5. From this page, click **Buy more** for additional licenses, or click **Manage** to work with your current licenses.
+
+You'll have a summary of current license availability.
+
### Download offline-licensed app
Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store.
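Review bot: step 1 of the new procedure lacks the terminating period that steps 2 to 5 have, and "Inventory" is capitalized as a common noun in "apps in your Inventory" while the bold UI label form is used in steps 2 and 3; suggest "You can purchase additional licenses for apps in your inventory." and "1. Sign in to [Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845)." The closing sentence "You'll have a summary of current license availability." does not say where that summary appears; name the page or pane the reader will be looking at.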
diff --git a/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
index 467da82dda..fac7e4b9ae 100644
--- a/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -16,7 +16,7 @@ ms.prod: w10
You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods:
-- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-powershell-cmdlets-to-create-user-entitled-connection-groups)
+- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-windows-powershell-cmdlets-to-create-user-entitled-connection-groups)
- [How to use the App-V Server to create user-entitled connection groups](#how-to-use-the-app-v-server-to-create-user-entitled-connection-groups)
diff --git a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
index c492e3a97e..35d5d237ef 100644
--- a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
@@ -243,7 +243,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
**Note**
The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file.
- The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-XML-file), later in this topic.
+ The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-xml-file), later in this topic.
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
diff --git a/windows/manage/appv-deploying-the-appv-sequencer-and-client.md b/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
index ca8397a1fe..21632ad793 100644
--- a/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/manage/appv-deploying-the-appv-sequencer-and-client.md
@@ -80,7 +80,7 @@ Set-AppvClientConfiguration -SharedContentStoreMode 1
The Sequencer is a tool that is used to convert standard applications into virtual packages for deployment to computers that run the App-V client. The Sequencer helps provide a simple and predictable conversion process with minimal changes to prior sequencing workflows. In addition, the Sequencer allows users to more easily configure applications to enable connections of virtualized applications.
-For a list of changes in the App-V Sequencer, see [What's new in App-V](appv-about-appv.md#bkmk-seqimprove).
+For a list of changes in the App-V Sequencer, see [What's new in App-V](appv-about-appv.md).
To deploy the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md).
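Review bot: dropping `#bkmk-seqimprove` sends the reader to the top of "What's new in App-V" instead of to the Sequencer changes the sentence promises. Since the rest of this PR replaces `bkmk-` anchors with heading slugs rather than removing them, link to the slug of the Sequencer improvements heading in appv-about-appv.md if that heading still exists, and only fall back to the bare topic link if the section was removed.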
diff --git a/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index 2c29e70fd9..e9021103ab 100644
--- a/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/manage/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -75,9 +75,9 @@ Review the following requirements for using the Windows PowerShell cmdlets:
To configure these cmdlets to require an elevated command prompt, use one of the following methods:
Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.
-
For more information, see: [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md#bkmk-admin-only-posh-topic-cg) [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs).
+
For more information, see: [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md) [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs).
Enable the “Require publish as administrator” Group Policy setting for App-V Clients.
-
For more information, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md#bkmk-admin-pub-pkg-only-posh)
+
For more information, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md)
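Review bot: the first link in the "For more information" sentence loses its anchor while the second link in the same sentence keeps `#bkmk-admins-pub-pkgs`, which is inconsistent; the heading the first link pointed to becomes `## To allow only administrators to enable connection groups` in this same PR, so the link can keep its precision as `appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md#to-allow-only-administrators-to-enable-connection-groups`. The same applies to the Management Console link below, where the removed anchor should be replaced by the slug of its target heading rather than dropped. Also, the two links in the first sentence run together with no separator; put "and" between them.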
diff --git a/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index 3d52191607..a17b12ea73 100644
--- a/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/manage/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -20,15 +20,15 @@ A connection group XML file defines the connection group for the App-V client. F
This topic explains the following procedures:
-- [To add and publish the App-V packages in the connection group](#bkmk-add-pub-pkgs-in-cg)
+- [To add and publish the App-V packages in the connection group](#to-add-and-publish-the-app-v-packages-in-the-connection-group)
-- [To add and enable the connection group on the App-V client](#bkmk-add-enable-cg-on-clt)
+- [To add and enable the connection group on the App-V client](#to-add-and-enable-the-connection-group-on-the-app-v-client)
-- [To enable or disable a connection group for a specific user](#bkmk-enable-cg-for-user-poshtopic)
+- [To enable or disable a connection group for a specific user](#to-enable-or-disable-a-connection-group-for-a-specific-user)
-- [To allow only administrators to enable connection groups](#bkmk-admin-only-posh-topic-cg)
+- [To allow only administrators to enable connection groups](#to-allow-only-administrators-to-enable-connection-groups)
-**To add and publish the App-V packages in the connection group**
+## To add and publish the App-V packages in the connection group
1. To add and publish the App-V packages to the computer running the App-V client, type the following command:
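Review bot: converting these bold procedure titles to `##` headings removes the `bkmk-...` anchors that other topics link to; this PR fixes one such reference in appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md by dropping the anchor, but any other topic still linking to `#bkmk-add-pub-pkgs-in-cg`, `#bkmk-add-enable-cg-on-clt`, `#bkmk-enable-cg-for-user-poshtopic` or `#bkmk-admin-only-posh-topic-cg` will now land at the top of the page. Search the repo for these four anchors before merging and point each remaining reference at the new heading slug.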
@@ -36,7 +36,7 @@ This topic explains the following procedures:
2. Repeat **step 1** of this procedure for each package in the connection group.
-**To add and enable the connection group on the App-V client**
+## To add and enable the connection group on the App-V client
1. Add the connection group by typing the following command:
@@ -48,7 +48,7 @@ This topic explains the following procedures:
When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group.
-**To enable or disable a connection group for a specific user**
+## To enable or disable a connection group for a specific user
1. Review the parameter description and requirements:
@@ -89,9 +89,7 @@ This topic explains the following procedures:
-
-
-**To allow only administrators to enable connection groups**
+## To allow only administrators to enable connection groups
1. Review the description and requirement for using this cmdlet:
diff --git a/windows/manage/appv-modify-an-existing-virtual-application-package.md b/windows/manage/appv-modify-an-existing-virtual-application-package.md
index 5c84ac6d8d..38224bb8bb 100644
--- a/windows/manage/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/manage/appv-modify-an-existing-virtual-application-package.md
@@ -16,11 +16,11 @@ ms.prod: w10
This topic explains how to:
-- [Update an application in an existing virtual application package](#bkmk-update-app-in-pkg)
+- [Update an application in an existing virtual application package](#update-an-application-in-an-existing-virtual-application-package)
-- [Modify the properties associated with an existing virtual application package](#bkmk-chg-props-in-pkg)
+- [Modify the properties associated with an existing virtual application package](#modify-the-properties-associated-with-an-existing-virtual-application-package)
-- [Add a new application to an existing virtual application package](#bkmk-add-app-to-pkg)
+- [Add a new application to an existing virtual application package](#add-a-new-application-to-an-existing-virtual-application-package)
**Before you update a package:**
@@ -32,7 +32,7 @@ This topic explains how to:
- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured.
-**Update an application in an existing virtual application package**
+## Update an application in an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -47,25 +47,17 @@ This topic explains how to:
**Important**
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package.
-
-
6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**.
- **Note**
- The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
+ >**Note** The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**.
9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**.
- **Note**
- You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
-
-
+ >**Note** You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**.
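Review bot: the converted notes use a one-line `>**Note** text` form, which introduces a third convention in this file alongside the two-line bold `**Important**` block that this same hunk leaves untouched at its top, and the `> [!NOTE]` alert syntax used in appv-planning-for-sequencer-and-client-deployment.md elsewhere in this PR. Pick one form for the file and apply it to the Important block as well; if the docs platform renders `> [!NOTE]` as a callout, prefer it, and in any case put a space after `>` so the blockquote stays readable in the source.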
@@ -73,7 +65,8 @@ This topic explains how to:
11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer.
-**Modify the properties associated with an existing virtual application package**
+
+## Modify the properties associated with an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -109,14 +102,11 @@ This topic explains how to:
- Add or edit shortcuts and file type associations.
- **Note**
- To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
-
-
+ >**Note** To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
6. When you finish changing the package properties, click **File** > **Save** to save the package.
-**Add a new application to an existing virtual application package**
+## Add a new application to an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@@ -128,19 +118,13 @@ This topic explains how to:
5. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or cause the revised package to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** > **Next**.
- **Important**
- If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
-
-
+ >**Important** If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you don’t overwrite the existing version of the virtual application package.
- **Note**
- The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
-
-
+ >**Note** The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
8. On the **Configure Software** page, optionally run the programs contained in the package. This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**.
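Review bot: the Important block in this hunk is converted to the one-line `>**Important** ...` form, but the equivalent Important block in the "Update an application" procedure earlier in this file is left in the two-line bold form by this same PR; apply the same treatment to both so the two procedures render identically.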
@@ -152,10 +136,7 @@ This topic explains how to:
11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**.
- **Note**
- You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
-
-
+ >**Note** You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
12. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**.
diff --git a/windows/manage/appv-planning-for-sequencer-and-client-deployment.md b/windows/manage/appv-planning-for-sequencer-and-client-deployment.md
index bd7f629151..07c1f7c438 100644
--- a/windows/manage/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/manage/appv-planning-for-sequencer-and-client-deployment.md
@@ -21,7 +21,7 @@ Before you can use App-V, you must install the App-V Sequencer, enable the App-V
App-V uses a process called sequencing to create virtualized applications and application packages. Sequencing requires the use of a computer that runs the App-V Sequencer.
> [!NOTE]
-> For information about the new functionality of App-V sequencer, see [What's new in App-V](appv-about-appv.md#bkmk-seqimprove).
+> For information about the new functionality of App-V sequencer, see [What's new in App-V](appv-about-appv.md).
The computer that runs the App-V sequencer must meet the minimum system requirements. For a list of these requirements, see [App-V Supported Configurations](appv-supported-configurations.md).
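Review bot: as with the same change in appv-deploying-the-appv-sequencer-and-client.md, removing `#bkmk-seqimprove` loses the jump to the Sequencer section of "What's new in App-V" while the sentence still promises information about the Sequencer specifically; prefer the slug of that heading if it still exists rather than the bare topic link.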
diff --git a/windows/manage/appv-planning-for-using-appv-with-office.md b/windows/manage/appv-planning-for-using-appv-with-office.md
index 46907201bd..bd79da1f4f 100644
--- a/windows/manage/appv-planning-for-using-appv-with-office.md
+++ b/windows/manage/appv-planning-for-using-appv-with-office.md
@@ -26,15 +26,14 @@ Use the following information to plan how to deploy Office by using Microsoft Ap
## App-V support for Language Packs
-You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office 2013 package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group.
+You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group.
**Note**
Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack.
-
-
## Supported versions of Microsoft Office
+
The following table lists the versions of Microsoft Office that App-V supports, methods of Office package creation, supported licensing, and supported deployments.
@@ -55,7 +54,7 @@ The following table lists the versions of Microsoft Office that App-V supports,
-
Office 365 ProPlus
+
Office 365 ProPlus (either the Office 2013 or the Office 2016 version)
Also supported:
Visio Pro for Office 365
@@ -71,6 +70,22 @@ The following table lists the versions of Microsoft Office that App-V supports,
+
+
Visio Professional 2016 (C2R-P)
+
Visio Standard 2016 (C2R-P)
+
Project Professional 2016 (C2R-P)
+
Project Standard 2016 (C2R-P)
+
+
Office Deployment Tool
+
Volume Licensing
+
+
Desktop
+
Personal VDI
+
Pooled VDI
+
RDS
+
+
+
Office Professional Plus 2013
Also supported:
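Review bot: the new row for Visio Professional/Standard 2016 and Project Professional/Standard 2016 (C2R-P) lists Volume Licensing as the licensing model and Desktop, Personal VDI, Pooled VDI and RDS as the supported deployments; confirm these against the Office 2016 deployment topic this PR adds to Related topics, and expand "C2R-P" on first use if the table does not already do so, since the abbreviation is not explained anywhere in this hunk.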
@@ -89,12 +104,9 @@ The following table lists the versions of Microsoft Office that App-V supports,
-
-
## Planning for using App-V with coexisting versions of Office
-
-You can install more than one version of Microsoft Office side by side on the same computer by using “Microsoft Office coexistence.” You can implement Office coexistence with combinations of all major versions of Office and with installation methods, as applicable, by using the Windows Installer-based (MSi) version of Office, Click-to-Run, and App-V. However, using Office coexistence is not recommended by Microsoft.
+You can install more than one version of Microsoft Office side by side on the same computer by using “Microsoft Office coexistence.” You can implement Office coexistence with combinations of all major versions of Office and with installation methods, as applicable, by using the Windows Installer-based (MSI) version of Office, Click-to-Run, and App-V. However, using Office coexistence is not recommended by Microsoft.
Microsoft’s recommended best practice is to avoid Office coexistence completely to prevent compatibility issues. However, when you are migrating to a newer version of Office, issues occasionally arise that can’t be resolved immediately, so you can temporarily implement coexistence to help facilitate a faster migration to the latest product version. Using Office coexistence on a long-term basis is never recommended, and your organization should have a plan to fully transition in the immediate future.
@@ -115,19 +127,22 @@ Before implementing Office coexistence, review the following Office documentatio
+
Office 2016
+
[Information about how to use Outlook 2016 or 2013 and an earlier version of Outlook installed on the same computer](https://support.microsoft.com/kb/2782408)
+
+
Office 2013
[Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office](http://support.microsoft.com/kb/2784668)
-
+
Office 2010
[Information about how to use Office 2010 suites and programs on a computer that is running another version of Office](http://support.microsoft.com/kb/2121447)
-
-The Office documentation provides extensive guidance on coexistence for Windows Installer-based (MSi) and Click-to-Run installations of Office. This App-V topic on coexistence supplements the Office guidance with information that is more specific to App-V deployments.
+The Office documentation provides extensive guidance on coexistence for Windows Installer-based (MSI) and Click-to-Run installations of Office. This App-V topic on coexistence supplements the Office guidance with information that is more specific to App-V deployments.
### Supported Office coexistence scenarios
@@ -166,11 +181,13 @@ The Windows Installer-based and Click-to-Run Office installation methods integra
Office 2013
Always integrated. Windows operating system integrations cannot be disabled.
+
+
Office 2016
+
Always integrated. Windows operating system integrations cannot be disabled.
+
-
-
Microsoft recommends that you deploy Office coexistence with only one integrated Office instance. For example, if you’re using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://support.microsoft.com/kb/2830069).
### Known limitations of Office coexistence scenarios
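Review bot: the new Office 2016 row states that Windows integration cannot be disabled, but the recommendation paragraph directly below still gives only "Office 2010 and Office 2013" as its example; since this PR adds 2016 to the table, consider "Office 2010 and Office 2013 or Office 2016" so the example covers the version being added.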
@@ -183,9 +200,9 @@ The following limitations can occur when you install the following versions of O
- Office 2010 by using the Windows Installer-based version
-- Office 2013 by using App-V
+- Office 2013 or Office 2016 by using App-V
-After you publish Office 2013 by using App-V side by side with an earlier version of the Windows Installer-based Office 2010 might also cause the Windows Installer to start. This is because the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer.
+After you publish Office 2013 or Office 2016 by using App-V side by side with an earlier version of the Windows Installer-based Office 2010, it might also cause the Windows Installer to start. This is because the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer.
To bypass the auto-registration operation for native Word 2010, follow these steps:
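Review bot: the rewritten sentence still reads awkwardly: in "After you publish ..., it might also cause the Windows Installer to start" the pronoun "it" has no subject to refer to and "also" has no antecedent. Suggest: "Publishing Office 2013 or Office 2016 by using App-V side by side with the Windows Installer-based Office 2010 might cause the Windows Installer to start." Also, the bullet above says Office 2010 is installed "by using the Windows Installer-based version", while the explanation refers to "the Windows Installer-based or Click-to-Run version of Office 2010"; align the two so the reader knows which Office 2010 install method the limitation covers.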
@@ -215,12 +232,13 @@ To bypass the auto-registration operation for native Word 2010, follow these ste
8. On the File menu, click **Exit** to close Registry Editor.
+
+
## How Office integrates with Windows when you use App-V to deploy Office
+When you deploy Office 2013 or Office 2016 by using App-V, Office is fully integrated with the operating system, which provides end users with the same features and functionality as Office has when it is deployed without App-V.
-When you deploy Office 2013 by using App-V, Office is fully integrated with the operating system, which provides end users with the same features and functionality as Office has when it is deployed without App-V.
-
-The Office 2013 App-V package supports the following integration points with the Windows operating system:
+The Office 2013 or Office 2016 App-V package supports the following integration points with the Windows operating system:
@@ -235,8 +253,8 @@ The Office 2013 App-V package supports the following integration points with the
-
Lync meeting Join Plug-in for Firefox and Chrome
-
User can join Lync meetings from Firefox and Chrome
+
Skype for Business (formerly Lync) meeting Join Plug-in for Firefox and Chrome
+
User can join Skype meetings from Firefox and Chrome
Sent to OneNote Print Driver
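Review bot: "User can join Skype meetings from Firefox and Chrome" should read "Skype for Business meetings"; Skype and Skype for Business are different products, and the row label directly above already uses the full name "Skype for Business (formerly Lync)".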
@@ -251,8 +269,8 @@ The Office 2013 App-V package supports the following integration points with the
User can send to OneNote from IE
-
Firewall Exception for Lync and Outlook
-
Firewall Exception for Lync and Outlook
+
Firewall Exception for Skype for Business (formerly Lync) and Outlook
+
Firewall Exception for Skype for Business (formerly Lync) and Outlook
MAPI Client
@@ -307,6 +325,6 @@ Add or vote on suggestions on the [Application Virtualization feedback site](htt
## Related topics
+- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
-
- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
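Review bot: the 2016 entry is added with the file name pattern "-with-appv.md", and the 2013 entry uses the same pattern, but the unchanged 2010 entry links to `appv-deploying-microsoft-office-2010-wth-appv.md` ("wth"); confirm that this matches the actual file name in the repo rather than being a broken link that this Related topics edit is a good opportunity to fix.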
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index 56fb55ced0..cf1b406e61 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -12,6 +12,12 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## November 2016
+
+| New or changed topic | Description |
+| --- | --- |
+| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Windows 10 IoT Mobile |
+
## October 2016
| New or changed topic | Description |
@@ -19,7 +25,9 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Manage device restarts after updates](waas-restart.md) | New |
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New |
| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. |
+| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. |
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. |
+| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. |
## September 2016
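Review bot: the two rows added under October 2016 describe Windows 10 IoT Mobile changes to waas-mobile-updates.md, the same topic the new November 2016 section records, and the October row already uses the renamed title "... and Windows 10 IoT Mobile" that the November row says was added in November. If these edits ship in this PR they belong under November 2016; keep one dated entry per change so the history does not contradict itself.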
diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md
index 87818ca231..3bb9df599b 100644
--- a/windows/manage/configure-windows-telemetry-in-your-organization.md
+++ b/windows/manage/configure-windows-telemetry-in-your-organization.md
@@ -201,7 +201,7 @@ The data gathered at this level includes:
- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
> [!NOTE]
- > This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
+ > This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
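Review bot: the retargeted link points at `manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender`; that anchor is consistent with the `[21. Windows Defender](#bkmk-defender)` row visible in the summary-table hunk later in this patch, so the cross-reference should resolve. While this line is being touched, "third party antimalware" could take the hyphenated form "third-party antimalware" used elsewhere in the docs.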
diff --git a/windows/manage/connect-to-remote-aadj-pc.md b/windows/manage/connect-to-remote-aadj-pc.md
index 1c58be856c..b05c575380 100644
--- a/windows/manage/connect-to-remote-aadj-pc.md
+++ b/windows/manage/connect-to-remote-aadj-pc.md
@@ -32,7 +32,10 @@ From its release, Windows 10 has supported remote connections to PCs that are jo

- 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users, click **Select Users**.
+ 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
+ >[!NOTE]
+ >You cannot specify individual Azure AD accounts for remote connections.
+
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
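Review bot: step 3 now tells the reader to allow remote connections for the local **Authenticated Users** group, which grants Remote Desktop to every account that can authenticate to the PC, not only the intended extra users; the note correctly states that individual Azure AD accounts cannot be selected, but the step should say plainly that this is a broader grant than a per-user allow list so administrators can weigh it. Also, the `>[!NOTE]` block is inserted between steps 3 and 4 with no leading space before `>`, unlike the indented numbered items around it; check that it renders as part of step 3 rather than breaking the list numbering.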
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
index d0d6b868e6..80e8f90299 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
@@ -67,7 +67,7 @@ The GPO applies the Start and taskbar layout at the next user sign-in. Each time
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed.
-The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users’ computers when they sign in and the users must have Read-only access to the file. If the file is not available at sign-in, Start and the taskbar are not customized during the session, and the user can make changes to Start.
+The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users’ computers when they sign in and the users must have Read-only access to the file. If the file is not available when the first user signs in, Start and the taskbar are not customized during the session, but the user will be prevented from making changes to Start. On subsequent sign-ins, if the file is available at sign-in, the layout it contains will be applied to the user's Start and taskbar.
For information about deploying GPOs in a domain, see [Working with Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=620889).
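Review bot: the rewritten sentence inverts the previous behaviour ("the user can make changes to Start" becomes "the user will be prevented from making changes to Start"), which matches the "Fixed the explanation" entry in the change-history hunk, but it is a behaviour reversal and deserves an explicit mention in the commit message. Minor wording: "On subsequent sign-ins, if the file is available at sign-in" repeats "sign-in"; "On subsequent sign-ins, if the file is available, the layout it contains is applied" reads cleaner. The apostrophe in "users’" is a curly character; the rest of the file uses straight quotes.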
diff --git a/windows/manage/images/waas-rings.png b/windows/manage/images/waas-rings.png
index a5446f3dff..041a59ce87 100644
Binary files a/windows/manage/images/waas-rings.png and b/windows/manage/images/waas-rings.png differ
diff --git a/windows/manage/images/waas-wufb-gp-cb2-settings.png b/windows/manage/images/waas-wufb-gp-cb2-settings.png
index bba58927d9..ae6ed4d856 100644
Binary files a/windows/manage/images/waas-wufb-gp-cb2-settings.png and b/windows/manage/images/waas-wufb-gp-cb2-settings.png differ
diff --git a/windows/manage/images/waas-wufb-gp-cbb2-settings.png b/windows/manage/images/waas-wufb-gp-cbb2-settings.png
index 7d8358f20b..e5aff1cc89 100644
Binary files a/windows/manage/images/waas-wufb-gp-cbb2-settings.png and b/windows/manage/images/waas-wufb-gp-cbb2-settings.png differ
diff --git a/windows/manage/images/waas-wufb-gp-scope.png b/windows/manage/images/waas-wufb-gp-scope.png
index e6fe366c29..a04d8194df 100644
Binary files a/windows/manage/images/waas-wufb-gp-scope.png and b/windows/manage/images/waas-wufb-gp-scope.png differ
diff --git a/windows/manage/images/waas-wufb-intune-cbb2a.png b/windows/manage/images/waas-wufb-intune-cbb2a.png
index 23276c4659..a980e0e43a 100644
Binary files a/windows/manage/images/waas-wufb-intune-cbb2a.png and b/windows/manage/images/waas-wufb-intune-cbb2a.png differ
diff --git a/windows/manage/images/waas-wufb-intune-step11a.png b/windows/manage/images/waas-wufb-intune-step11a.png
index 48db2f63af..7291484c93 100644
Binary files a/windows/manage/images/waas-wufb-intune-step11a.png and b/windows/manage/images/waas-wufb-intune-step11a.png differ
diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
index eae687dfc0..969c7bc490 100644
--- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
@@ -83,7 +83,7 @@ An added work account provides the same SSO experience in browser apps like Offi
- **Windows Hello**
- Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policiesusing controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004)
+ Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policies using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004)
- **Conditional access**
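Review bot: the fix "policiesusing" to "policies using" is correct, but the same line still contains "perform an multi-factor authentication", which should be "perform multi-factor authentication" (or "a multi-factor authentication"); since the line is already being rewritten, fix both typos in one change.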
diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md
index 282c9805d9..936ed8c310 100644
--- a/windows/manage/lockdown-xml.md
+++ b/windows/manage/lockdown-xml.md
@@ -385,7 +385,7 @@ For a list of the settings and quick actions that you can allow or block, see [S
You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied.
- [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin)
+ [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown).
In the XML file, you define each role with a GUID and name, as shown in the following example:
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 6bffe0f171..ca86b2cd46 100644
--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -73,7 +73,7 @@ See the following table for a summary of the management settings for Windows 10
| [14. OneDrive](#bkmk-onedrive) | |  | |  | |
| [15. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
| [16. Settings > Privacy](#bkmk-settingssection) | | | | | |
-| [16.1 General](#bkmk-priv-general) |  |  |  |  | |
+| [16.1 General](#bkmk-general) |  |  |  |  | |
| [16.2 Location](#bkmk-priv-location) |  |  |  | | |
| [16.3 Camera](#bkmk-priv-camera) |  |  |  | | |
| [16.4 Microphone](#bkmk-priv-microphone) |  |  | | | |
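Review bot: this hunk and the next one rename the 16.1 anchor from `#bkmk-priv-general` to `#bkmk-general` in both summary tables, but the patch does not show the corresponding heading change in the "16.1 General" section of the same file, so the new target cannot be verified from the diff; confirm that the section heading carries the `bkmk-general` id. The sibling rows 16.2 through 16.4 keep the `bkmk-priv-` prefix, so the rename also leaves the anchor naming inconsistent within the table.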
@@ -119,7 +119,7 @@ See the following table for a summary of the management settings for Windows Ser
| [12. Network Connection Status Indicator](#bkmk-ncsi) | |  | | |
| [14. OneDrive](#bkmk-onedrive) | |  | | |
| [16. Settings > Privacy](#bkmk-settingssection) | | | | |
-| [16.1 General](#bkmk-priv-general) |  |  |  | |
+| [16.1 General](#bkmk-general) |  |  |  | |
| [17. Software Protection Platform](#bkmk-spp) | |  | | |
| [19. Teredo](#bkmk-teredo) | |  | |  |
| [21. Windows Defender](#bkmk-defender) | |  |  | |
@@ -835,7 +835,7 @@ Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https:/
-or-
-- Create a REG\_DWORD registry setting called **AllowSpeechModelUpdate** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\Current\\Device\\Speech**, with a value of 0 (zero).
+- Create a REG\_DWORD registry setting called **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences**, with a value of 0 (zero).
### 16.7 Account info
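Review bot: the replacement registry value moves from the `PolicyManager\Current\Device\Speech` policy path to `Speech_OneCore\Preferences`, that is, from a policy-managed location to a preferences location; the text should say whether a user or app can change `ModelDownloadAllowed` afterwards, since the MDM policy alternative on the line above ("Speech/AllowSpeechModelUpdate") would not have that exposure. Also, the file escapes underscores in this line (`REG\_DWORD`, `HKEY\_LOCAL\_MACHINE`) but leaves `Speech_OneCore` unescaped; use `Speech\_OneCore` for consistent rendering.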
@@ -1359,4 +1359,4 @@ You can turn off automatic updates by doing one of the following. This is not re
To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying.
\ No newline at end of file
+To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying.
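Review bot: the only change here is the trailing newline, but the paragraph still ends with "Make sure should you've chosen the right settings configuration for your environment before applying", which should read "Make sure you've chosen the right settings configuration for your environment before applying it." Since the line is already replaced, fix the wording in the same change; the preceding sentence warning that some baseline settings reduce the security configuration of the device is the important caveat and should stay as is.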
diff --git a/windows/manage/manage-windows-10-in-your-organization-modern-management.md b/windows/manage/manage-windows-10-in-your-organization-modern-management.md
index a16db53590..0d3374fbca 100644
--- a/windows/manage/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/manage/manage-windows-10-in-your-organization-modern-management.md
@@ -42,7 +42,7 @@ With Windows 10, you can continue to use traditional OS deployment, but you can
-- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like Microsoft Intune.
+- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune).
- Create self-contained provisioning packages built with the [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113(v=vs.85).aspx).
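Review bot: the added link is fine, but the sentence keeps the grammatical error "a cloud-based device management services like"; change it to "a cloud-based device management service like" in the same edit.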
diff --git a/windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md
index 888c3b7ee1..ea6d910cb6 100644
--- a/windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/manage/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -246,4 +246,4 @@ Add or vote on suggestions on the [User Experience Virtualization feedback site]
[Administering UE-V](uev-administering-uev.md)
-[Deploy UE-V for Custom Applications](uev-deploy-uev-for-custom-applications.md#deploycatalogue)
+[Deploy UE-V for Custom Applications](uev-deploy-uev-for-custom-applications.md)
\ No newline at end of file
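Review bot: dropping the `#deploycatalogue` fragment from the link is only correct if that anchor no longer exists in uev-deploy-uev-for-custom-applications.md; the patch does not touch that file, so the commit message should state why the deep link was removed, otherwise the anchor was the more useful target. The file still has no trailing newline after this change.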
diff --git a/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md
index e18bff1e74..a0b3bf91d3 100644
--- a/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -18,7 +18,6 @@ After you deploy User Experience Virtualization (UE-V) and its required features
## UE-V Configuration Pack supported features
-
The UE-V Configuration Pack includes tools to:
- Create or update UE-V settings location template distribution baselines
@@ -103,10 +102,9 @@ It might be necessary to change the PowerShell execution policy to allow these s
1. Select **Administration > Client Settings > Properties**
2. In the **User Agent** tab, set the **PowerShell Execution Policy** to **Bypass**
-
-**Create the first UE-V policy configuration item**
+**Create the first UE-V policy configuration item**
1. Copy the default settings configuration file from the UE-V Config Pack installation directory to a location visible to your ConfigMgr Admin Console:
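Review bot: the removed and added `**Create the first UE-V policy configuration item**` lines are visually identical, so this is presumably a trailing-whitespace or line-ending change (the same pattern appears in the following hunk for the "Generate a UE-V Template Baseline" heading); that is harmless but worth a mention in the commit message so reviewers do not look for a content difference.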
@@ -173,8 +171,7 @@ It might be necessary to change the PowerShell execution policy to allow these s
3. Reimport the CAB file. The version in ConfigMgr will be updated.
-## Generate a UE-V Template Baseline
-
+## Generate a UE-V Template Baseline
UE-V templates are distributed using a baseline containing multiple configuration items. Each configuration item contains the discovery and remediation scripts needed to install one UE-V template. The actual UE-V template is embedded within the remediation script for distribution using standard Configuration Item functionality.
diff --git a/windows/manage/uev-for-windows.md b/windows/manage/uev-for-windows.md
index 1f4eaab35c..8702b65318 100644
--- a/windows/manage/uev-for-windows.md
+++ b/windows/manage/uev-for-windows.md
@@ -54,7 +54,7 @@ Use these UE-V components to create and manage custom templates for your third-p
| Component | Description |
|-------------------------------|---------------|
| **UE-V template generator** | Use the **UE-V template generator** to create custom settings location templates that you can then distribute to user computers. The UE-V template generator also lets you edit an existing template or validate a template that was created with a different XML editor. With the Windows 10, version 1607 release, the UE-V template generator is installed with the [Windows Assessment and Deployment kit for Windows 10, version 1607](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK). If you are upgrading from an existing UE-V installation, you’ll need to use the new generator to create new settings location templates. Application templates created with previous versions of the UE-V template generator are still supported, however. |
-| **Settings template catalog** | The **settings template catalog** is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores the custom settings location templates. The UE-V service checks this location once a day, retrieves new or updated templates, and updates its synchronization behavior. If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Deploy a UE-V settings template catalog](uev-deploy-uev-for-custom-applications.md#deploycatalogue). |
+| **Settings template catalog** | The **settings template catalog** is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores the custom settings location templates. The UE-V service checks this location once a day, retrieves new or updated templates, and updates its synchronization behavior. If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Deploy a UE-V settings template catalog](uev-deploy-uev-for-custom-applications.md).|
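Review bot: the link text still reads "Deploy a UE-V settings template catalog" while the target is now the top of uev-deploy-uev-for-custom-applications.md rather than the catalog section; either keep the `#deploycatalogue` anchor if it still exists in the target page or change the link text to match the page title so readers are not sent to a page where they must search for the catalog section. The closing `.|` also loses the space before the pipe that the other rows in this table use.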