diff --git a/bcs/support/microsoft-365-business-faqs.md b/bcs/support/microsoft-365-business-faqs.md
index 7f9d9778a9..9626e4deb5 100644
--- a/bcs/support/microsoft-365-business-faqs.md
+++ b/bcs/support/microsoft-365-business-faqs.md
@@ -5,9 +5,10 @@ author: CelesteDG
ms.author: celested
ms.topic: article
ms.prod: microsoft-365-business
+ms.localizationpriority: high
audience: microsoft-business
keywords: Microsoft 365 Business, Microsoft 365, SMB, FAQ, frequently asked questions, answers
-ms.date: 07/10/2017
+ms.date: 08/04/2017
---
# Microsoft 365 Business Frequently Asked Questions
@@ -147,7 +148,7 @@ Who has access to the Microsoft 365 Business preview?
The Microsoft 365 Business preview is available to new customers as well as existing Office 365 subscribers in all [markets where Office 365 is currently available](https://products.office.com/en-us/business/international-availability).
I’m an existing Office 365 customer. Can I access the Microsoft 365 Business preview?
---------------------------------------------------------------------------------------
+-------------------------------------------------------------------------------------
Microsoft 365 Business can be used with existing Office 365 Business Premium subscriptions. Office 365 Business Premium subscribers that move to Microsoft 365 Business would not experience any end-user impacts (re-install Office, lose functionality, etc) upon assignment of the license. Customers running Office 365 Enterprise E3/E5 may experience end user impacts if they move to Microsoft 365 Business, it is not a recommended transition path at this time.
@@ -185,8 +186,9 @@ Is there any charge for the Microsoft 365 Business preview?
No, Microsoft will not charge for the preview. If you work with an outside [IT partner](https://partnercenter.microsoft.com/en-us/pcv/search) and require assistance to deploy Microsoft 365 Business preview, they may charge you for their deployment services and assistance. At the end of the preview customers may convert to a paid subscription to continue using Microsoft 365 Business.
I’m an existing Office 365 customer. Will I be charged for an Office 365 subscription while I am using the Microsoft 365 Business preview?
+------------------------------------------------------------------------------------------------------------------------------------------
-Customers will continue to be charged for any active Office 365 plan to which they are subscribed.
+The Microsoft 365 Business preview is free and does not require an existing Office 365 Business Premium subscription. Current Office 365 customers will continue to be billed for active Office 365 subscriptions that are not associated with the Microsoft 365 Business preview.
What is the best way to deploy Microsoft 365 Business in my organization?
--------------------------------------------------------------------------
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index bcbb474550..699111447d 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -28,7 +28,7 @@ This topic lists new and updated topics in the [Windows 10 for Education](index.
| --- | ---- |
| [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-for-education.md) | New information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. |
-| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a policies section to inform you of any policies that affect the Take a Test app or functionality within the app. |
+| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a Group Policy section to inform you of any policies that affect the Take a Test app or functionality within the app. |
## June 2017
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index 5aea9119f6..e1c9c918d3 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
-ms.date: 07/28/2017
+ms.date: 08/07/2017
---
# Take a Test app technical reference
@@ -51,6 +51,18 @@ When Take a Test is running, the following MDM policies are applied to lock down
| AllowCortana | Disables Cortana functionality | 0 |
| AllowAutoupdate | Disables Windows Update from starting OS updates | 5 |
+## Group Policy
+
+To ensure Take a Test activates correctly, make sure the following Group Policy are not configured on the PC.
+
+| Functionality | Group Policy path | Policy |
+| --- | --- | --- |
+| Require Ctrl+Alt+Del | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Interactive logon: Do not Require CTRL+ALT+DEL |
+| Disable lock screen notifications | Computer Configuration\Administrative Templates\System\Logon | Turn off app notifications on the lock screen |
+| Disable lock screen | Computer Configuration\Administrative Templates\Control Panel\Personalization | Do not display the lock screen |
+| Disable UAC | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | User Account Control: Run all administrators in Admin Approval Mode |
+| Disable local workstation | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Lock Computer |
+
## Allowed functionality
When Take a Test is running, the following functionality is available to students:
@@ -75,26 +87,6 @@ When Take a Test is running, the following functionality is available to student
- Ctrl+Alt+Del
- Alt+F4 (Take a Test will restart if the student is using a dedicated test account)
-## Policies
-
-If the lock screen is disabled, Take a Test will not launch above lock. Be aware that if you set the following Group Policy, this breaks activation of Take a Test above lock.
-
-**Group Policy path:** Computer Configuration\Administrative Templates\Control Panel\Personalization\
-**Group Policy name:** Do not display the lock screen
-**ADML:** %SDXROOT%\shell\policies\ControlPanelDisplay.adml
-**ADMX:** %SDXROOT%\shell\policies\ControlPanelDisplay.admx
-
-```
-
-
-
-
-```
-
## Learn more
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md
index 70c9420c31..f84864aaaf 100644
--- a/education/windows/test-windows10s-for-edu.md
+++ b/education/windows/test-windows10s-for-edu.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
-ms.date: 08/01/2017
+ms.date: 08/07/2017
---
# Test Windows 10 S on existing Windows 10 education devices
@@ -77,8 +77,36 @@ Make sure all drivers are installed and working properly on your device running
Check with your device manufacturer before trying Windows 10 S on your device to see if the drivers are available and supported by the device manufacturer.
+
+
+| | | |
+| - | - | - |
+|
Acer |
American Future Tech |
Asus |
+|
Atec |
Axdia |
Casper |
+|
Cyberpower |
Daewoo |
Daten |
+|
Fujitsu |
Global K |
HP |
+|
LANIT Trading |
Lenovo |
LG |
+|
MCJ |
Micro P/Exertis |
Microsoft |
+|
MSI |
Panasonic |
Positivo SA |
+|
Positivo da Bahia |
Samsung |
Tongfang |
+|
Toshiba |
Trekstor |
Trigem |
+|
Vaio |
Wortmann |
+
+
> [!NOTE]
-> We'll update this section with more information so check back again soon.
+> If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in the future.
> [!div class="nextstepaction" style="center"]
> [Download installer](https://go.microsoft.com/fwlink/?linkid=853240)
diff --git a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md
index bfe000fee3..574338d185 100644
--- a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md
+++ b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md
@@ -32,8 +32,8 @@ In the following sections, complete the instructions that correspond to the vers
// Microsoft BitLocker Administration and Monitoring
//===================================================
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("BitLocker Encryption Details"),
SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")]
@@ -66,9 +66,9 @@ In the following sections, complete the instructions that correspond to the vers
[ SMS_Report (TRUE) ]
Boolean IsAutoUnlockEnabled;
};
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[ SMS_Report(TRUE),
SMS_Group_Name("BitLocker Policy"),
SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0")]
@@ -112,8 +112,8 @@ In the following sections, complete the instructions that correspond to the vers
};
//Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista.
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("Operating System Ex"),
SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ]
@@ -126,8 +126,8 @@ In the following sections, complete the instructions that correspond to the vers
};
//Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista.
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("Computer System Ex"),
SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ]
@@ -194,8 +194,8 @@ In the following sections, complete the instructions that correspond to the vers
// Microsoft BitLocker Administration and Monitoring
//===================================================
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("BitLocker Encryption Details"),
SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")]
@@ -229,8 +229,8 @@ In the following sections, complete the instructions that correspond to the vers
Boolean IsAutoUnlockEnabled;
};
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[ SMS_Report(TRUE),
SMS_Group_Name("BitLocker Policy"),
SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"),
@@ -275,8 +275,8 @@ In the following sections, complete the instructions that correspond to the vers
string EncodedComputerName;
};
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
[ SMS_Report(TRUE),
SMS_Group_Name("BitLocker Policy"),
SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"),
@@ -322,8 +322,8 @@ In the following sections, complete the instructions that correspond to the vers
};
//Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista.
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("Operating System Ex"),
SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ]
@@ -336,8 +336,8 @@ In the following sections, complete the instructions that correspond to the vers
};
//Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista.
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("Computer System Ex"),
SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ]
diff --git a/mdop/mbam-v2/edit-the-configurationmof-file.md b/mdop/mbam-v2/edit-the-configurationmof-file.md
index 832f226de7..bef23c5b02 100644
--- a/mdop/mbam-v2/edit-the-configurationmof-file.md
+++ b/mdop/mbam-v2/edit-the-configurationmof-file.md
@@ -42,8 +42,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
//===================================================
// Microsoft BitLocker Administration and Monitoring
//===================================================
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
[Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
class Win32_BitLockerEncryptionDetails
{
@@ -75,8 +75,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
Boolean IsAutoUnlockEnabled;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy
{
@@ -137,8 +137,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
EncodedComputerName;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_OperatingSystemExtended
@@ -149,8 +149,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
uint32 SKU;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_ComputerSystemExtended
@@ -181,8 +181,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
// Microsoft BitLocker Administration and Monitoring
//===================================================
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
[Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
class Win32_BitLockerEncryptionDetails
{
@@ -214,8 +214,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
Boolean IsAutoUnlockEnabled;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy
{
@@ -276,8 +276,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
EncodedComputerName;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy_64
{
@@ -338,8 +338,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
EncodedComputerName;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_OperatingSystemExtended
@@ -350,8 +350,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
uint32 SKU;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_ComputerSystemExtended
diff --git a/windows/access-protection/credential-guard/images/credguard-gp.png b/windows/access-protection/credential-guard/images/credguard-gp.png
index 8c91b114df..827121f0fc 100644
Binary files a/windows/access-protection/credential-guard/images/credguard-gp.png and b/windows/access-protection/credential-guard/images/credguard-gp.png differ
diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md
index 7bef51c2dd..92e5039334 100644
--- a/windows/application-management/change-history-for-application-management.md
+++ b/windows/application-management/change-history-for-application-management.md
@@ -18,6 +18,6 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
| New or changed topic | Description |
| --- | --- |
| [Service Host process refactoring](svchost-service-refactoring.md) | New |
-| [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | New |
+| [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | New |
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
index 4c1cd713d1..d6c32fbe93 100644
--- a/windows/application-management/index.md
+++ b/windows/application-management/index.md
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
**Applies to**
- Windows 10
-Learn about managing applications in Window 10 and Windows 10 Mobile clients.
+Learn about managing applications in Windows 10 and Windows 10 Mobile clients.
| Topic | Description |
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 4dbf9db55b..f586df7407 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -203,6 +203,7 @@
#### [InternetExplorer](policy-csp-internetexplorer.md)
#### [Kerberos](policy-csp-kerberos.md)
#### [Licensing](policy-csp-licensing.md)
+#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
#### [Location](policy-csp-location.md)
#### [LockDown](policy-csp-lockdown.md)
#### [Maps](policy-csp-maps.md)
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index ff7ed8e468..ddbd9bfab8 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/28/2017
+ms.date: 08/04/2017
---
# What's new in MDM enrollment and management
@@ -969,10 +969,34 @@ For details about Microsoft mobile device management protocols for Windows 10 s
[Policy CSP](policy-configuration-service-provider.md) |
Added the following new policies for Windows 10, version 1709:
-- CredentialProviders/EnableWindowsAutoPilotResetCredentials
+- CredentialProviders/DisableAutomaticReDeploymentCredentials
- DeviceGuard/EnableVirtualizationBasedSecurity
- DeviceGuard/RequirePlatformSecurityFeatures
- DeviceGuard/LsaCfgFlags
+- LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
+- LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
+- LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
+- LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
+- LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
+- LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
+- LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
+- LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
+- LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
+- LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
+- LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
+- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
+- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
+- LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
+- LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
+- LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
+- LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
+- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
+- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
+- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
+- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
+- LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
+- LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
+- LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
- Power/DisplayOffTimeoutOnBattery
- Power/DisplayOffTimeoutPluggedIn
- Power/HibernateTimeoutOnBattery
@@ -1280,6 +1304,58 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
+### August 2017
+
+
+
+
+
+
+
+
+
+
+
+| [CM\_CellularEntries CSP](cm-cellularentries-csp.md) |
+Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.
+ |
+
+| [Policy CSP](policy-configuration-service-provider.md) |
+Added the following new policies for Windows 10, version 1709:
+
+- LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
+- LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
+- LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
+- LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
+- LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
+- LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
+- LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
+- LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
+- LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
+- LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
+- LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
+- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
+- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
+- LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
+- LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
+- LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
+- LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
+- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
+- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
+- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
+- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
+- LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
+- LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
+- LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
+
+Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.
+ |
+
+
+
### July 2017
@@ -1313,7 +1389,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
- Education/DefaultPrinterName
- Education/PreventAddingNewPrinters
-- Education/PrinterNames
+- Education/PrinterNames
- Security/ClearTPMIfNotReady
- WindowsDefenderSecurityCenter/CompanyName
- WindowsDefenderSecurityCenter/DisableAppBrowserUI
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 7659b059e9..23d468a09d 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/27/2017
+ms.date: 08/04/2017
---
# Policy CSP
@@ -534,7 +534,7 @@ The following diagram shows the Policy configuration service provider in tree fo
CredentialProviders/BlockPicturePassword
-
- CredentialProviders/EnableWindowsAutoPilotResetCredentials
+ CredentialProviders/DisableAutomaticReDeploymentCredentials
@@ -1778,6 +1778,83 @@ The following diagram shows the Policy configuration service provider in tree fo
+### LocalPoliciesSecurityOptions policies
+
+
+ -
+ LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
+
+ -
+ LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
+
+ -
+ LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
+
+ -
+ LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
+
+ -
+ LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
+
+ -
+ LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
+
+ -
+ LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
+
+ -
+ LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn
+
+ -
+ LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn
+
+ -
+ LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL
+
+ -
+ LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
+
+ -
+ LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
+
+ -
+ LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
+
+ -
+ LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
+
+ -
+ LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
+
+ -
+ LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
+
+ -
+ LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD
+
+ -
+ LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
+
+ -
+ LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
+
+ -
+ LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
+
+ -
+ LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
+
+ -
+ LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
+
+ -
+ LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
+
+ -
+ LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
+
+
+
### Location policies
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index 66d1f6d390..4ea0afb98d 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -124,7 +124,7 @@ ADMX Info:
-**CredentialProviders/EnableWindowsAutoPilotResetCredentials**
+**CredentialProviders/DisableAutomaticReDeploymentCredentials**
@@ -150,11 +150,12 @@ ADMX Info:
-Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device.
+Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.
-The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students.
+The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students.
-Default value is 0.
+- 0 - Enable the visibility of the credentials for Windows 10 Automatic ReDeployment
+- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
new file mode 100644
index 0000000000..3ef2f11cab
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -0,0 +1,1024 @@
+---
+title: Policy CSP - LocalPoliciesSecurityOptions
+description: Policy CSP - LocalPoliciesSecurityOptions
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 08/04/2017
+---
+
+# Policy CSP - LocalPoliciesSecurityOptions
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## LocalPoliciesSecurityOptions policies
+
+
+**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+  3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+This policy setting prevents users from adding new Microsoft accounts on this computer.
+
+If you select the "Users cannot add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
+
+If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
+
+If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
+
+Valid values:
+- 0 - disabled (users will be able to use Microsoft accounts with Windows)
+- 1 - enabled (users cannot add Microsoft accounts)
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+This security setting determines whether the local Administrator account is enabled or disabled.
+
+If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
+Disabling the Administrator account can become a maintenance issue under certain circumstances.
+
+Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
+
+Default: Disabled.
+Valid values:
+- 0 - local Administrator account is disabled
+- 1 - local Administrator account is enabled
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+This security setting determines if the Guest account is enabled or disabled.
+
+Default: Disabled.
+Valid values:
+- 0 - local Guest account is disabled
+- 1 - local Guest account is enabled
+
+Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Accounts: Limit local account use of blank passwords to console logon only
+
+This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
+
+Default: Enabled.
+Valid values:
+- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
+- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard
+
+Warning:
+
+Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers.
+If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
+
+This setting does not affect logons that use domain accounts.
+It is possible for applications that use remote interactive logons to bypass this setting.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Accounts: Rename administrator account
+
+This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
+
+Default: Administrator.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Accounts: Rename guest account
+
+This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.
+
+Default: Guest.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Interactive Logon:Display user information when the session is locked
+
+Valid values:
+- 1 - User display name, domain and user names
+- 2 - User display name only
+- 3 - Do not display user information
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Interactive logon: Don't display last signed-in
+
+This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
+If this policy is enabled, the username will not be shown.
+
+If this policy is disabled, the username will be shown.
+
+Default: Disabled.
+Valid values:
+- 0 - disabled (username will be shown)
+- 1 - enabled (username will not be shown)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Interactive logon: Don't display username at sign-in
+
+This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
+
+If this policy is enabled, the username will not be shown.
+
+If this policy is disabled, the username will be shown.
+
+Default: Disabled.
+Valid values:
+- 0 - disabled (username will be shown)
+- 1 - enabled (username will not be shown)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Interactive logon: Do not require CTRL+ALT+DEL
+
+This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
+
+If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords.
+
+If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows.
+
+Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
+Default on stand-alone computers: Enabled.
+Valid values:
+- 0 - disabled
+- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Interactive logon: Machine inactivity limit.
+
+Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
+
+Default: not enforced.
+Valid values:
+- 0 - disabled
+- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Interactive logon: Message text for users attempting to log on
+
+This security setting specifies a text message that is displayed to users when they log on.
+
+This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
+
+Default: No message.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Interactive logon: Message title for users attempting to log on
+
+This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.
+
+Default: No message.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Network security: Allow PKU2U authentication requests to this computer to use online identities.
+
+This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
+
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Recovery console: Allow automatic administrative logon
+
+This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system.
+
+Default: This policy is not defined and automatic administrative logon is not allowed.
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow automatic administrative logon)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Shutdown: Allow system to be shut down without having to log on
+
+This security setting determines whether a computer can be shut down without having to log on to Windows.
+
+When this policy is enabled, the Shut Down command is available on the Windows logon screen.
+
+When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.
+
+Default on workstations: Enabled.
+Default on servers: Disabled.
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow system to be shut down without having to log on)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
+
+This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
+
+Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
+
+Disabled: (Default)
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop)
+
+The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
+
+This policy setting controls the behavior of the elevation prompt for administrators.
+
+The options are:
+
+• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
+
+• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
+
+• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+User Account Control: Behavior of the elevation prompt for standard users
+This policy setting controls the behavior of the elevation prompt for standard users.
+
+The options are:
+
+• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
+
+• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+User Account Control: Only elevate executable files that are signed and validated
+
+This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
+
+The options are:
+- 0 - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
+- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+User Account Control: Only elevate UIAccess applications that are installed in secure locations
+
+This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
+
+- …\Program Files\, including subfolders
+- …\Windows\system32\
+- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows
+
+Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
+
+The options are:
+- 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
+- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+User Account Control: Turn on Admin Approval Mode
+
+This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
+
+The options are:
+- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
+- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+User Account Control: Switch to the secure desktop when prompting for elevation
+
+This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
+
+The options are:
+- 0 - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
+- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+User Account Control: Virtualize file and registry write failures to per-user locations
+
+This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
+
+The options are:
+- 0 - Disabled: Applications that write data to protected locations fail.
+- 1 - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index a301e620e4..213a633652 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -364,26 +364,6 @@ ms.date: 07/14/2017
**TextInput/AllowKoreanExtendedHanja**
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- Mobile Enterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 14181da459..2a91601f05 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -23,26 +23,6 @@ ms.date: 07/14/2017
**WiFi/AllowWiFiHotSpotReporting**
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- Mobile Enterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
@@ -303,8 +283,6 @@ Footnote:
-## Wifi policies supported by Microsoft Surface Hub
-
-- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
+
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index 535bc242b7..7662a3bdcb 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -163,26 +163,6 @@ ms.date: 07/14/2017
**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- Mobile Enterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 9c7505d906..2f2bd2b989 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1690,6 +1690,9 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
+ > [!NOTE]
+ > This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting.
+
-or-
- Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index 687ad42976..43804a9a80 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -72,6 +72,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
- For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"`
- Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState` and replace those images with your customized images
+
>[!TIP]
>A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images.
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 9881348c83..4c6db249d6 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -14,19 +14,6 @@
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
-### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
-#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
-#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
-#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
-##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
-#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
-##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
-##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
-##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
-##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
-##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
-#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
-
### [Windows 10 deployment test lab](windows-10-poc.md)
#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
@@ -218,9 +205,6 @@
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
-### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
-#### [Get started with Update Compliance](update/update-compliance-get-started.md)
-#### [Use Update Compliance](update/update-compliance-using.md)
### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index c6d38e7d4d..e5e8d59bf7 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -329,7 +329,7 @@ The steps below walk you through the process of editing the Windows 10 referenc
5. State Restore / Custom Tasks (Pre-Windows Update). Add a new Install Roles and Features action with the following settings:
1. Name: Install - Microsoft NET Framework 3.5.1
- 2. Select the operating system for which roles are to be installed: Windows 8.1
+ 2. Select the operating system for which roles are to be installed: Windows 10
3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
**Important**
@@ -471,7 +471,7 @@ In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except
### Update the deployment share
-After the deployment share has been configured, it needs to be updated. This is the process when the Windows Windows PE boot images are created.
+After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created.
1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard.
@@ -566,7 +566,7 @@ SkipFinalSummary=YES
The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
- **JoinWorkgroup.** Configures Windows to join a workgroup.
-- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 8.1 deployments in which the deployment wizard will otherwise appear behind the tiles.
+- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
- **FinishAction.** Instructs MDT what to do when the task sequence is complete.
- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image.
- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index 937be3b7e3..8681080388 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -138,7 +138,7 @@ To ensure that user computers are receiving the most up to date data from Micros
- Schedule the Upgrade Readiness deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated.
- Schedule monthly user computer scans to view monthly active computer and usage information.
->When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas are created when the update package is installed. A full scan averages to about 2 MB, but the delta scans are very small. For Windows 10 devices, its already part of the OS. This is the **Windows Compat Appraiser** task. Deltas are invoked via the nightly scheduled task. It attempts to run around 3AM, but if system is off at that time, the task will run when the system is turned on.
+>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas is created when the update package is installed. For Windows 10 devices, it's already part of the OS. A full scan averages about 2 MB, but the delta scans are very small. The scheduled task is named **Windows Compatibility Appraiser** and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Deltas are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on.
### Distribute the deployment script at scale
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 4eead9a058..4954192798 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -12,7 +12,11 @@ author: greg-lindsay
# Configure VDA for Windows 10 Subscription Activation
+<<<<<<< HEAD
This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based license.
+=======
+This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops.
+>>>>>>> 9cfade7b4735548209a42a177179689a7e522ec6
## Requirements
diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md
index ddd4bb48f1..6895c3208e 100644
--- a/windows/device-security/TOC.md
+++ b/windows/device-security/TOC.md
@@ -94,6 +94,7 @@
### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md)
### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md)
### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md)
+### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md)
### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md)
### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md)
diff --git a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
index 68cc89fe05..af3bab22cc 100644
--- a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
+++ b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: high
+localizationpriority: high
author: brianlic-msft
---
@@ -189,6 +189,12 @@ You can use the Manage-bde.exe command-line tool to replace your TPM-only authen
`manage-bde –protectors –add %systemdrive% -tpmandpin <4-20 digit numeric PIN>`
+
+### When should an additional method of authentication be considered?
+
+New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
+For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
+
### If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
@@ -395,6 +401,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical
BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
+### Can I use BitLocker with virtual machines (VMs)?
+
+Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect to work or school** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
+
+
## More information
- [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
diff --git a/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md
new file mode 100644
index 0000000000..e8a02af1fd
--- /dev/null
+++ b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md
@@ -0,0 +1,185 @@
+---
+title: BitLocker Management Recommendations for Enterprises (Windows 10)
+description: This topic explains recommendations for managing BitLocker.
+ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# BitLocker Management Recommendations for Enterprises
+
+This topic explains recommendations for managing BitLocker, both on-premises using older hardware and cloud-based management of modern devices.
+
+## Forward-looking recommendations for managing BitLocker
+
+The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that it is more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction.
+
+Therefore, we recommend that you upgrade your hardware so that your devices comply with InstantGo or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD).
+
+Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for:
+
+ - [Domain-joined computers](#dom_join)
+
+ - [Devices joined to Azure Active Directory (Azure AD)](#azure_ad)
+
+ - [Workplace-joined PCs and Phones](#work_join)
+
+ - [Servers](#servers)
+
+ - [Scripts](#powershell)
+
+
+
+## BitLocker management at a glance
+
+| | PC – Old Hardware | PC – New* Hardware |[Servers](#servers)/[VMs](#VMs) | Phone
+|---|---|----|---|---|
+|On-premises Domain-joined |[MBAM](#MBAM25)| [MBAM](#MBAM25) | [Scripts](#powershell) |N/A|
+|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS|
+
+
+*PC hardware that supports InstantGo or HSTI
+
+
+
+
+
+## Recommendations for domain-joined computers
+
+Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support InstantGo beginning with Windows 8.1. For more information, see [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#device-encryption).
+
+Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
+
+For older client computers with BitLocker that are domain joined on-premises, Microsoft BitLocker Administration and Management[1] (MBAM) remains the best way to manage BitLocker. MBAM continues to be maintained and receives security patches. Using MBAM provides the following functionality:
+
+- Encrypts device with BitLocker using MBAM
+- Stores BitLocker Recovery keys in MBAM Server
+- Provides Recovery key access to end-user, helpdesk and advanced helpdesk
+- Provides Reporting on Compliance and Recovery key access audit
+
+
+[1]The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1).
+
+
+
+
+## Recommendations for devices joined to Azure Active Directory
+
+
+
+Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). Device encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker device encryption is enabled on the device. Compliance with device encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
+
+Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
+
+For hardware that is compliant with InstantGo and HSTI, when using either of these features, device encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
+
+
+
+## Workplace-joined PCs and phones
+
+For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker device encryption is managed over MDM, and similarly for Azure AD domain join.
+
+
+
+## Recommendations for servers
+
+Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
+
+The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/).
+
+If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience) is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
+
+ Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
+
+ For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles).
+
+
+
+## PowerShell examples
+
+For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory.
+
+*Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
+```
+PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
+
+PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
+
+PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
+```
+For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS).
+
+*Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
+```
+PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
+
+PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
+
+PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
+ ```
+
+Subsequently, you can use PowerShell to enable BitLocker.
+
+*Example: Use PowerShell to enable BitLocker with a TPM protector*
+ ```
+PS C:\>Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
+ ```
+*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
+ ```
+PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
+
+PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
+ ```
+
+
+
+## Related Articles
+
+[Bitlocker: FAQs](bitlocker-frequently-asked-questions.md)
+
+[Microsoft BitLocker Administration and Management (MBAM)](https://technet.microsoft.com/windows/hh826072.aspx)
+
+[Overview of BitLocker and automatic encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#device-encryption)
+
+[System Center 2012 Configuration Manager SP1](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) *(Pre-provision BitLocker task sequence)*
+
+[Enable BitLocker task sequence](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker)
+
+[BitLocker Group Policy Reference](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx)
+
+[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
+*(Overview)*
+
+[Configuration Settings Providers](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
+*(Policy CSP: See [Security-RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-policies))*
+
+[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
+
+
+
+**Windows Server setup tools**
+
+[Windows Server Installation Options](https://technet.microsoft.com/library/hh831786(v=ws.11).aspx)
+
+[How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/)
+
+[How to add or remove optional components on Server Core](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) *(Features on Demand)*
+
+[BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md)
+
+[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
+
+[Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
+
+
+
+
+**Powershell**
+
+[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell)
+
+[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)
\ No newline at end of file
diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md
index b87d0626c3..6030e8a054 100644
--- a/windows/device-security/change-history-for-device-security.md
+++ b/windows/device-security/change-history-for-device-security.md
@@ -11,6 +11,13 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
+## August 2017
+|New or changed topic |Description |
+|---------------------|------------|
+ | [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
+
+
+
## July 2017
|New or changed topic |Description |
|---------------------|------------|
| 
+ +
+ ++