@@ -287,26 +218,26 @@ If there are any problems with the Windows 10 Pro Education license or the acti
### Troubleshoot the user experience
-In some instances, users may experience problems with the Windows 10 Pro Education switch. The most common problems that users may experience are as follows:
+In some instances, users may experience problems with the Windows 10 Pro Education change. The most common problems that users may experience are as follows:
-- The existing operating system (Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703) is not activated.
-- The Windows 10 Pro Education switch has lapsed or has been removed.
+- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) is not activated.
+- The Windows 10 Pro Education change has lapsed or has been removed.
Use the following figures to help you troubleshoot when users experience these common problems:
-**Figure 13** - Illustrates a device in a healthy state, where the existing operating system is activated, and the Windows 10 Pro Education switch is active.
+**Figure 10** - Illustrates a device in a healthy state, where the existing operating system is activated, and the Windows 10 Pro Education change is active.
### Review requirements on devices
-Devices must be running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703 and be Azure AD joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. You can use the following procedures to review whether a particular device meets requirements.
+Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure AD joined**
@@ -329,34 +260,34 @@ Devices must be running Windows 10 Pro, version 1607 or higher, or Windows 10 S,
A popup window will display the Windows 10 version number and detailed OS build information.
> [!NOTE]
- > If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be switched to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license.
+ > If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be changed to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license.
### Roll back Windows 10 Pro Education to Windows 10 Pro
-If your organization has the Windows 10 Pro to Windows 10 Pro Education switch enabled, and you decide to roll back to Windows 10 Pro or to cancel the switch, you can do this by:
+If your organization has the Windows 10 Pro to Windows 10 Pro Education change enabled, and you decide to roll back to Windows 10 Pro or to cancel the change, you can do this by:
-- Logging into Microsoft Store for Education page and turning off the automatic switch.
-- Selecting the link to turn off the automatic switch from the notification email sent to all global administrators.
+- Logging into Microsoft Store for Education page and turning off the automatic change.
+- Selecting the link to turn off the automatic change from the notification email sent to all global administrators.
-Once the automatic switch to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were switched will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was switched may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that a switch was enabled and then turned off will never see their device change from Windows 10 Pro.
+Once the automatic change to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were changed will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was changed may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that a change was enabled and then turned off will never see their device change from Windows 10 Pro.
> [!NOTE]
-> Devices that were switched from Windows 10 S to Windows 10 Pro Education cannot roll back to Windows 10 S.
+> Devices that were changed from mode to Windows 10 Pro Education cannot roll back to Windows 10 Pro Education S mode.
**To roll back Windows 10 Pro Education to Windows 10 Pro**
-1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic switch.
+1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change.
2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link.
3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**.
- **Figure 15** - Revert to Windows 10 Pro
+ **Figure 12** - Revert to Windows 10 Pro
-4. You will be asked if you're sure that you want to turn off automatic switches to Windows 10 Pro Education. Click **Yes**.
+4. You will be asked if you're sure that you want to turn off automatic changees to Windows 10 Pro Education. Click **Yes**.
5. Click **Close** in the **Success** page.
- All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic switches again, you can do this by selecting **Switch to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education.
+ All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic changees again, you can do this by selecting **change to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education.
## Preparing for deployment of Windows 10 Pro Education licenses
@@ -365,9 +296,9 @@ If you have on-premises Active Directory Domain Services (AD DS) domains, users
You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
-Figure 11 illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
+(Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
-**Figure 16** - On-premises AD DS integrated with Azure AD
+**Figure 13** - On-premises AD DS integrated with Azure AD
@@ -377,6 +308,6 @@ For more information about integrating on-premises AD DS domains with Azure AD,
## Related topics
-[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
-[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
+[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)If you are using Hybrid MDM management with System Center Configuration Manager please ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.
+If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.
Data type is string. Supported operations are Get, Add, Delete, and Replace.
Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.
Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, version 1803.
-Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
-
@@ -1310,7 +1301,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- ShellLauncher
- StatusConfiguration
Updated the AssigneAccessConfiguration schema.
+Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in Windows Holographic for Business edition. Added example for Windows Holographic for Business edition.
Added a new CSP in Windows 10, version 1803.
Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.
+Added the DDF download of Windows 10, version 1803 configuration service providers.
+Added a new CSP in Windows 10, version 1803.
Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.
+Added the DDF download of Windows 10, version 1803 configuration service providers.
+Added the following new policies for Windows 10, version 1803:
-
@@ -1785,7 +1792,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
- Display/EnablePerProcessDpi
- Display/EnablePerProcessDpiForApps
- Experience/AllowWindowsSpotlightOnSettings -
- TextInput/AllowHardwareKeyboardTextSuggestions
- TextInput/ForceTouchKeyboardDockedState
- TextInput/TouchKeyboardDictationButtonAvailability
- TextInput/TouchKeyboardEmojiButtonAvailability @@ -1808,7 +1814,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
- ShellLauncher
- StatusConfiguration
Updated the AssigneAccessConfiguration schema.
+Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in Windows Holographic for Business edition. Added example for Windows Holographic for Business edition.
Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.
+Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.
Changed the names of the following policies:
- Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index f031f91a4b..5386096239 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -6,13 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 01/26/2018 +ms.date: 04/25/2018 --- # Office CSP -The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx). +The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365). This CSP was added in Windows 10, version 1703. For additional information, see [Office DDF](office-ddf.md). diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f3472fae60..71f83755e0 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2054,9 +2054,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers -
- - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession -
- LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways @@ -4388,7 +4385,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior) - [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees) - [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers) -- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession) - [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways) - [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees) - [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts) diff --git a/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md b/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md index 7cee27e382..32daf8fcb7 100644 --- a/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md +++ b/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md @@ -11,9 +11,6 @@ ms.date: 03/12/2018 # Policy CSP - AccountPoliciesAccountLockoutPolicy -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 02d3d2895e..c203a66f41 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - ApplicationDefaults -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 082ad6881d..e96fc68705 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - ApplicationManagement -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index 386d22dfe2..f37e5b4640 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - AppRuntime -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 0205e259b0..762903da37 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -11,9 +11,6 @@ ms.date: 04/06/2018 # Policy CSP - Bluetooth -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 514ff83491..ab3d44948e 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - Browser -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index e07d5f9e02..bfd371ead5 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -11,9 +11,6 @@ ms.date: 03/14/2018 # Policy CSP - Connectivity -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index b606419501..b777062185 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -11,9 +11,6 @@ ms.date: 03/12/2018 # Policy CSP - ControlPolicyConflict -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
@@ -65,15 +62,35 @@ ms.date: 03/12/2018 -Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy are set on the device. +Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. + +> [!Note] +> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers. This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. +The following list shows the supported values: + +- 0 (default) +- 1 - The MDM policy is used and the GP policy is blocked. + The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that: -- GP settings that correspond to MDM applied settings are not conflicting -- The current Policy Manager policies are refreshed from what MDM has set -- Any values set by scripts/user outside of GP that conflict with MDM are removed +- GP settings that correspond to MDM applied settings are not conflicting +- The current Policy Manager policies are refreshed from what MDM has set +- Any values set by scripts/user outside of GP that conflict with MDM are removed + +The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the policies with equivalent GP: + +- \
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 76c96ac41d..a0edded74d 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -936,7 +936,7 @@ The following list shows the supported values:
33333333@@ -509,7 +506,7 @@ If you set this policy, the GroupID policy will be ignored. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. -For option 4 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. +For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 0a7c86e017..98974c6cb0 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - DeviceLock -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 0cf8a9740d..3ff482c3d6 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -11,9 +11,6 @@ ms.date: 03/12/2018 # Policy CSP - Display -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 38e01b4868..528d2b70fb 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - Experience -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index df185f9924..91fe973551 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - FileExplorer -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index f662a910d4..cfe6ce478c 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -11,8 +11,6 @@ ms.date: 04/11/2018 # Policy CSP - KioskBrowser -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user’s browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](https://docs.microsoft.com/en-us/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_). diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index 15c57e928a..13e2299224 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - LanmanWorkstation -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 34c61a2c31..1daf3d8ae0 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -11,9 +11,6 @@ ms.date: 04/06/2018 # Policy CSP - LocalPoliciesSecurityOptions -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
@@ -90,9 +87,6 @@ ms.date: 04/06/2018
- -**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 4 |
- 4 |
- 4 |
- 4 |
- |
- |
-
- - - -Microsoft network server: Amount of idle time required before suspending a session - -This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. - -Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. - -For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. - -Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. - - - -GP Info: -- GP English name: *Microsoft network server: Amount of idle time required before suspending session* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
- **LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways** diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index bed4009f6a..f20149e9f0 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - MSSecurityGuide -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index 85f1361fe8..c6727fa700 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - MSSLegacy -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index e5838dc453..51caa36965 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - Notifications -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 8e59202bfb..e18e0e6de6 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -11,9 +11,6 @@ ms.date: 03/15/2018 # Policy CSP - RestrictedGroups -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 12b9c8386e..aea6133ba1 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -11,9 +11,6 @@ ms.date: 03/12/2018 # Policy CSP - Search -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index b03abc2582..1549210b82 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -11,9 +11,6 @@ ms.date: 03/12/2018 # Policy CSP - Security -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 5773e32200..1c445ea4d5 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -11,9 +11,6 @@ ms.date: 03/12/2018 # Policy CSP - Settings -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 6c6ed3c4c9..5aa3adb08a 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -11,9 +11,6 @@ ms.date: 03/12/2018 # Policy CSP - System -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index 1efa6419f1..800090eaf1 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -11,9 +11,6 @@ ms.date: 03/12/2018 # Policy CSP - SystemServices -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index 4ac73d9f96..7a05f84ffc 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -11,9 +11,6 @@ ms.date: 03/12/2018 # Policy CSP - TaskScheduler -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 5f1af3e3c0..affd6a36ac 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - TextInput -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
@@ -114,10 +111,10 @@ ms.date: 04/16/2018
4444diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 3584468818..e8f878d742 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -11,9 +11,6 @@ ms.date: 03/12/2018 # Policy CSP - UserRights -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index 4f33bd0bdf..0dfb797f32 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - WindowsConnectionManager -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index c94d1e9dd5..62f0031a6e 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -11,9 +11,6 @@ ms.date: 03/12/2018 # Policy CSP - WindowsDefenderSecurityCenter -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index dca0467136..3ca5b0ea63 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -11,9 +11,6 @@ ms.date: 04/16/2018 # Policy CSP - WindowsPowerShell -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 0b6035ae0a..89b18ee42a 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 03/12/2018 +ms.date: 04/26/2018 --- # Policy DDF file @@ -18,6 +18,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy* You can download the DDF files from the links below: +- [Download the Policy DDF file for Windows 10, version 1803](http://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) - [Download the Policy DDF file for Windows 10, version 1709](http://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml) - [Download the Policy DDF file for Windows 10, version 1703](http://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) - [Download the Policy DDF file for Windows 10, version 1607](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index b7fa5a8362..1f5811644c 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md +++ b/windows/client-management/mdm/rootcacertificates-csp.md @@ -12,8 +12,6 @@ ms.date: 03/06/2018 # RootCATrustedCertificates CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The RootCATrustedCertificates configuration service provider enables the enterprise to set the Root Certificate Authority (CA) certificates. diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index 03c352d150..e7109c768a 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md @@ -12,8 +12,6 @@ ms.date: 03/07/2018 # RootCATrustedCertificates DDF file -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **RootCACertificates** configuration service provider. DDF files are used only with OMA DM provisioning XML. diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index d2a2fc6fef..72f8871f90 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -12,9 +12,6 @@ ms.date: 02/01/2018 # UEFI CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1803. The following diagram shows the UEFI CSP in tree format. diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md index 5f8e6403eb..8ea53d146e 100644 --- a/windows/client-management/mdm/uefi-ddf.md +++ b/windows/client-management/mdm/uefi-ddf.md @@ -12,10 +12,6 @@ ms.date: 02/01/2018 # UEFI DDF file -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - This topic shows the OMA DM device description framework (DDF) for the **Uefi** configuration service provider. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md new file mode 100644 index 0000000000..c1f35268c3 --- /dev/null +++ b/windows/client-management/windows-version-search.md @@ -0,0 +1,48 @@ +--- +title: What version of Windows am I running? +description: Discover which version of Windows you are running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or Semi-Annual Channel. +keywords: Long-Term Servicing Channel, LTSC, LTSB, Semi-Annual Channel, SAC, Windows, version, OS Build +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: kaushika-msft +ms.author: MikeBlodge +ms.date: 04/30/2018 +--- + +# What version of Windows am I running? + +To determine if your device is enrolled in the [Long-Term Servicing Channel](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. + +## System Properties +Click **Start** > **Settings** > **Settings** > click **About** from the bottom of the left-hand menu + +You'll now see **Edition**, **Version**, and **OS Build** information. Something like this: + + + +## Using Keyword Search +You can simply type the following in the search bar and press **ENTER** to see version details for your device. + +**“winver”** + + + +**“msinfo”** or **"msinfo32"** to open **System Information**: + + + +## Using Command Prompt or PowerShell +At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER** + + + +At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below: + + + +## What does it all mean? + +The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It’s important to remember that the LTSC model is primarily for specialized devices. + +In the Semi-Annual Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment. diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index 94d5785c9f..775abee2b1 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -1,10 +1,11 @@ # [Configure Windows 10](index.md) ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) ## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) -## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) +## [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) +## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) ## [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) ## [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) -## [Windows 10, version 1709 diagnostic data for the Full level](windows-diagnostic-data.md) +## [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md) ## [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md) ## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md) ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) @@ -17,7 +18,7 @@ ### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) #### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) #### [Use AppLocker to create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-applocker.md) -#### [Multi-app kiosk XML reference](multi-app-kiosk-xml.md) +### [Assigned Access configuration (kiosk) XML reference](kiosk-xml.md) ## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) ### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md) @@ -72,6 +73,7 @@ ### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-packages/provisioning-powershell.md) ### [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md) ### [Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) +#### [AccountManagement](wcd/wcd-accountmanagement.md) #### [Accounts](wcd/wcd-accounts.md) #### [ADMXIngestion](wcd/wcd-admxingestion.md) #### [ApplicationManagement](wcd/wcd-applicationmanagement.md) @@ -113,7 +115,8 @@ #### [OtherAssets](wcd/wcd-otherassets.md) #### [Personalization](wcd/wcd-personalization.md) #### [Policies](wcd/wcd-policies.md) -#### [ProvisioningCommands](wcd/wcd-provisioningcommands.md) +#### [ProvisioningCommands](wcd/wcd-provisioningcommands.md) +#### [RcsPresence](wcd/wcd-rcspresence.md) #### [SharedPC](wcd/wcd-sharedpc.md) #### [Shell](wcd/wcd-shell.md) #### [SMISettings](wcd/wcd-smisettings.md) diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md new file mode 100644 index 0000000000..06874ee41a --- /dev/null +++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -0,0 +1,4741 @@ +--- +description: Learn more about the Windows diagnostic data that is gathered at the basic level. +title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10) +keywords: privacy, diagnostic data +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: eross-msft +ms.author: lizross +ms.date: 03/13/2018 +--- + + +# Windows 10, version 1709 basic level Windows diagnostic events and fields + + + **Applies to** + +- Windows 10, version 1709 + + +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. + +The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. + +You can learn more about Windows functional and diagnostic data through these articles: + + +- [Windows 10, version 1703 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) +- [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) +- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) + + + +# Common data extensions + +### Common Data Extensions.App + + + +The following fields are available: + +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **userId** The userID as known by the application. +- **env** The environment from which the event was logged. +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. + + +### Common Data Extensions.CS + + + +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.CUET + + + +The following fields are available: + +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **op** Represents the ETW Op Code. +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **tickets** A list of strings that represent entries in the HTTP header of the web request that includes this event. +- **bseq** Upload buffer sequence number in the format \
REG_DWORD: 0| -| Allow search and Cortana to use location | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowSearchToUseLocation
REG_DWORD: 0 | -| Do not allow web search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!DisableWebSearch
REG_DWORD: 1 | -| Don't search the web or display web results in Search| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchUseWeb
REG_DWORD: 0 | -| Set what information is shared in Search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchPrivacy
REG_DWORD: 3 | +| Allow Cortana | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: AllowCortana
Value: 0| +| Allow search and Cortana to use location | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: AllowSearchToUseLocation
Value: 0 | +| Do not allow web search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: DisableWebSearch
Value: 1 | +| Don't search the web or display web results in Search| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: ConnectedSearchUseWeb
Value: 0 | +| Set what information is shared in Search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: ConnectedSearchPrivacy
Value: 3 | In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. @@ -319,14 +328,14 @@ After that, configure the following: -or - -- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** and set it to 0 (zero). +- Create a new REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient** and set it to 0 (zero). ### 4. Device metadata retrieval To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. -You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one). +You can also create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one). ### 5. Find My Device @@ -356,7 +365,7 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later: - **true**. Font streaming is enabled. -If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. +If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting named **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters** with a value of 1. > [!NOTE] > After you apply this policy, you must restart the device for it to take effect. @@ -389,7 +398,7 @@ To turn off Insider Preview builds for Windows 10: -or - -- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds!AllowBuildPreview** to 0 (zero) +- Create a new REG\_DWORD registry setting named **AllowBuildPreview** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds** with a vlue of 0 (zero) -or- @@ -418,8 +427,8 @@ Use Group Policy to manage settings for Internet Explorer. You can find the Int | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| | Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.| -| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
Default: Enabled| -| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar.
Default: Enabled| +| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar.
Default: Disabled You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled| | Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
Default: Disabled | @@ -427,11 +436,11 @@ Alternatively, you could use the registry to set the Group Policies. | Policy | Registry path | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites!Enabled
REG_DWORD: 0| -| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AllowServicePoweredQSA
REG_DWORD: 0| -| Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Explorer\\AutoComplete!AutoSuggest
REG_SZ: **No** | -| Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation!PolicyDisableGeolocation
REG_DWORD: 1 | -| Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\ Internet Explorer\\PhishingFilter!EnabledV9
REG_DWORD: 0 | +| Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites
REG_DWORD: Enabled
Value: 0| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
Value: 0| +| Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AutoComplete
REG_SZ: AutoSuggest
Value: **No** | +| Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
Value: 1 | +| Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
Value: 0 | There are three more Group Policy objects that are used by Internet Explorer: @@ -445,9 +454,9 @@ You can also use registry entries to set these Group Policies. | Policy | Registry path | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Choose whether employees can configure Compatibility View. | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation!MSCompatibilityMode
REG_DWORD: 0| -| Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled
REG_DWORD: 0| -| Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus
REG_DWORD:0 | +| Choose whether employees can configure Compatibility View. | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation
REG_DWORD: MSCompatibilityMode
Value: 0| +| Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead
REG_DWORD: Enabled
Value: 0| +| Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds
REG_DWORD: BackgroundSyncStatus
Value: 0| To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**, and set it to **about:blank**. @@ -477,7 +486,7 @@ To turn off Live Tiles: -or- -- Create a REG\_DWORD registry setting called **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one). +- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one). In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start. @@ -501,7 +510,7 @@ To turn off the Windows Mail app: -or- -- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail!ManualLaunchAllowed**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **ManualLaunchAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a value of 0 (zero). ### 11. Microsoft Account @@ -511,7 +520,7 @@ To prevent communication to the Microsoft Account cloud authentication service. -or- -- Create a REG\_DWORD registry setting called **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System!NoConnectedUser**, with a value of 3. +- Create a REG\_DWORD registry setting named **NoConnectedUser** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System** with a value of 3. To disable the Microsoft Account Sign-In Assistant: - Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. @@ -530,11 +539,11 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Allow configuration updates for the Books Library | Choose whether configuration updates are done for the Books Library.
Default: Not configured | +| Allow configuration updates for the Books Library | Choose whether configuration updates are done for the Books Library.
Default: Disabled | | Configure Autofill | Choose whether employees can use autofill on websites.
Default: Enabled | | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
Default: Disabled | | Configure Password Manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | -| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
Default: Enabled | +| Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
Default: Enabled | | Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled | | Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled | | Configure Start pages | Choose the Start page for domain-joined devices.
Set this to **\
Default: Disabled | | Turn off autofill | Choose whether employees can use autofill on websites.
Default: Enabled | | Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
Default: Disabled | | Turn off password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | -| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
Default: Enabled | +| Turn off Address Bar search suggestions | Choose whether the Address Bar shows search suggestions.
Default: Enabled | | Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled | | Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled | | Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | @@ -557,14 +567,15 @@ Alternatively, you can configure the Microsoft Group Policies using the followin | Policy | Registry path | | - | - | -| Allow configuration updates for the Books Library | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary!AllowConfigurationUpdateForBooksLibrary
REG_DWORD: **0** | -| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest
REG_SZ: **no** | -| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!DoNotTrack
REG_DWORD: 1 | -| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords
REG_SZ: **no** | -| Configure search suggestions in Address bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!ShowSearchSuggestionsGlobal
REG_DWORD: 0| -| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter!EnabledV9
REG_DWORD: 0 | -| Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!AllowWebContentOnNewTabPage
REG_DWORD: 0 | -| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI!ProvisionedHomePages
REG_DWORD: 0| +| Allow Address Bar drop-down list suggestions | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: ShowOneBox
Value: 0| +| Allow configuration updates for the Books Library | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary
REG_DWORD name: AllowConfigurationUpdateForBooksLibrary
Value: 0| +| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: Use FormSuggest
Value : **no** | +| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: 1 | +| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **no** | +| Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: 0| +| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: 0 | +| Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: AllowWebContentOnNewTabPage
Value: 0 | +| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: ProvisionedHomePages
Value: 0| ### 12.2 Microsoft Edge MDM policies @@ -577,7 +588,7 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http | Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed | | Browser/AllowMicrosoftCompatbilityList | Specify the Microsoft compatibility list in Microsoft Edge.
Default: Enabled | | Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed | -| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed | +| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the Address Bar shows search suggestions..
Default: Allowed | | Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed | | Browser/FirstRunURL | Choose the home page for Microsoft Edge on Windows Mobile 10.
Default: blank | @@ -601,7 +612,7 @@ You can turn off NCSI by doing one of the following: -or- -- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator!NoActiveProbe**, with a value of 1 (one). +- Create a REG\_DWORD registry setting named **NoActiveProbe** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator** with a value of 1 (one). ### 14. Offline maps @@ -611,7 +622,7 @@ You can turn off the ability to download and update offline maps. -or- -- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps!AutoDownloadAndUpdateMapData**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **AutoDownloadAndUpdateMapData** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero). -and- @@ -619,7 +630,7 @@ You can turn off the ability to download and update offline maps. -or- -- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps!AllowUntriggeredNetworkTrafficOnSettingsPage**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **AllowUntriggeredNetworkTrafficOnSettingsPage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero). ### 15. OneDrive @@ -629,11 +640,11 @@ To turn off OneDrive in your organization: -or- -- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive!DisableFileSyncNGSC**, with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisableFileSyncNGSC** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive** with a value of 1 (one). -and- -- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive\\PreventNetworkTrafficPreUserSignIn**, with a value of 1 (one). +- Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one). ### 16. Preinstalled apps @@ -816,11 +827,11 @@ To turn off **Let apps use advertising ID to make ads more interesting to you ba -or- -- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero). -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). To turn off **Let websites provide locally relevant content by accessing my language list**: @@ -828,7 +839,7 @@ To turn off **Let websites provide locally relevant content by accessing my lang -or- -- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. +- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1. To turn off **Let Windows track app launches to improve Start and search results**: @@ -836,7 +847,7 @@ To turn off **Let Windows track app launches to improve Start and search results -or- -- Create a REG_DWORD registry setting called **Start_TrackProgs** with value of 0 (zero) in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced** +- Create a REG_DWORD registry setting named **Start_TrackProgs** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced** with value of 0 (zero). #### Windows Server 2016 and Windows 10, version 1607 and earlier options @@ -853,11 +864,11 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin -or- -- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero). -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). To turn off **Turn on SmartScreen Filter to check web content (URLs) that Microsoft Store apps use**: @@ -885,11 +896,11 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Micros -or- -- Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost** with a value of 0 (zero). -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System!EnableSmartScreen**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **EnableSmartScreen** in **HKEY\_LOCAL\_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero). To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: @@ -914,7 +925,7 @@ To turn off **Let websites provide locally relevant content by accessing my lang -or- -- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. +- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1. To turn off **Let apps on my other devices open apps and continue experiences on this devices**: @@ -926,13 +937,12 @@ To turn off **Let apps on my other devices open apps and continue experiences on -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System!EnableCdp**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **EnableCdp** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero). To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**: - Turn off the feature in the UI. - ### 17.2 Location In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. @@ -947,7 +957,7 @@ To turn off **Location for this device**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessLocation**, with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). -or- @@ -980,7 +990,7 @@ To turn off **Location**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\LocationAndSensors!DisableLocation**, with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one). -or- @@ -1008,7 +1018,7 @@ To turn off **Let apps use my camera**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCamera**, with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). -or- @@ -1057,7 +1067,7 @@ To turn off **Let apps use my microphone**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMicrophone**, with a value of 2 (two) +- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) To turn off **Choose apps that can use your microphone**: @@ -1071,10 +1081,18 @@ To turn off notifications network usage: - Set to **Enabled**. - -or- + -or- -- Create a REG\_DWORD registry setting in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one) +- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one) + -or- + + +- Apply the Notifications/DisallowCloudNotification MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification), where: + + - **0**. WNS notifications allowed + - **1**. No WNS notifications allowed + In the **Notifications** area, you can also choose which apps have access to notifications. To turn off **Let apps access my notifications**: @@ -1097,7 +1115,7 @@ To turn off **Let apps access my notifications**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessNotifications**, with a value of 2 (two) +- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) ### 17.6 Speech, inking, & typing @@ -1116,15 +1134,15 @@ To turn off the functionality: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\InputPersonalization!RestrictImplicitInkCollection**, with a value of 1 (one). +- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one). -or- -- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings** with a value of 0 (zero). -and- -- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore** with a value of 0 (zero). If you're running at least Windows 10, version 1703, you can turn off updates to the speech recognition and speech synthesis models: @@ -1139,7 +1157,7 @@ Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https:/ -or- -- Create a REG\_DWORD registry setting called **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences** with a value of 0 (zero). ### 17.7 Account info @@ -1165,7 +1183,7 @@ To turn off **Let apps access my name, picture, and other account info**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessAccountInfo**, with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessAccountInfo** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose the apps that can access your account info**: @@ -1193,6 +1211,10 @@ To turn off **Choose apps that can access contacts**: - **1**. Force allow - **2**. Force deny + -or- + +- Create a REG\_DWORD registry setting named **LetAppsAccessContacts** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). + ### 17.9 Calendar In the **Calendar** area, you can choose which apps have access to an employee's calendar. @@ -1217,7 +1239,7 @@ To turn off **Let apps access my calendar**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCalendar**, with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessCalendar** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can access calendar**: @@ -1247,7 +1269,7 @@ To turn off **Let apps access my call history**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCallHistory**, with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.11 Email @@ -1273,7 +1295,7 @@ To turn off **Let apps access and send email**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessEmail**, with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.12 Messaging @@ -1299,7 +1321,7 @@ To turn off **Let apps read or send messages (text or MMS)**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessMessaging** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can read or send messages**: @@ -1329,7 +1351,7 @@ To turn off **Let apps make phone calls**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessPhone**, with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can make phone calls**: @@ -1360,7 +1382,7 @@ To turn off **Let apps control radios**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessRadios**, with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can control radios**: @@ -1389,7 +1411,7 @@ To turn off **Let apps automatically share and sync info with wireless devices t -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsSyncWithDevices**, with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: @@ -1420,7 +1442,7 @@ To change how frequently **Windows should ask for my feedback**: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!DoNotShowFeedbackNotifications**, with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one). -or- @@ -1441,7 +1463,6 @@ To change how frequently **Windows should ask for my feedback**: | Once a week | 6048000000000 | 1 | - To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: - Click either the **Basic** or **Full** options. @@ -1452,7 +1473,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry**, with a value of 0-3, as appropriate for your deployment (see below for the values for each level). +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a value of 0-3, as appropriate for your deployment (see below for the values for each level). > [!NOTE] > If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition. @@ -1540,7 +1561,7 @@ To turn off **Let Windows and your apps use your motion data and collect motion -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.19 Tasks @@ -1593,21 +1614,21 @@ For Windows 10: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** - -or- - -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two). - -or- - Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled. + -or- + +- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). + For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform!NoGenTicket**, with a value of 1 (one). +- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. @@ -1631,7 +1652,7 @@ You can control if your settings are synchronized: -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSync**, with a value of 2 (two) and **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSyncUserOverride**, with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one). -or- @@ -1647,7 +1668,7 @@ You can control if your settings are synchronized: To turn off Messaging cloud sync: -- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging** with a value of 0 (zero). ### 21. Teredo @@ -1660,7 +1681,7 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command. -or- -- Create a new REG\_SZ registry setting called in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition!Teredo_State**, with a value of **Disabled**. +- Create a new REG\_SZ registry setting named **Teredo_State** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**. -or- @@ -1680,7 +1701,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha -or- -- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero). +- Create a new REG\_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a value of 0 (zero). -or- @@ -1700,7 +1721,7 @@ You can disconnect from the Microsoft Antimalware Protection Service. -or- -- Delete the registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!DefinitionUpdateFileSharesSources**. +- Delete the registry setting **named** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates**. -or- @@ -1714,8 +1735,6 @@ You can disconnect from the Microsoft Antimalware Protection Service. From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** - - You can stop sending file samples back to Microsoft. - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. @@ -1746,7 +1765,7 @@ You can stop downloading definition updates: -or- -- Create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!FallbackOrder**, with a value of **FileShares**. +- Create a new REG\_SZ registry setting named **FallbackOrder** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates** with a value of **FileShares**. For Windows 10 only, you can stop Enhanced Notifications: @@ -1785,7 +1804,7 @@ If you're running Windows 10, version 1607 or later, you only need to enable the -or- -- Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one). +- Create a new REG\_DWORD registry setting named **DisableWindowsSpotlightFeatures** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). If you're not running Windows 10, version 1607 or later, you can use the other options in this section. @@ -1794,7 +1813,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**. > [!NOTE] - > In Windows 10, version 1507 and Windows 10, version 1511, this setting was called **Show me tips, tricks, and more on the lock screen**. + > In Windows 10, version 1507 and Windows 10, version 1511, this setting was named **Show me tips, tricks, and more on the lock screen**. - **Personalization** > **Start** > **Occasionally show suggestions in Start**. @@ -1810,20 +1829,20 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. > [!NOTE] - > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one). + > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting nameed **LockScreenImage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting named **LockScreenOverlaysDisabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one). - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. -or- - - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableSoftLanding**, with a value of 1 (one). + - Create a new REG\_DWORD registry setting named **DisableSoftLanding** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. -or- - - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one). + - Create a new REG\_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). For more info, see [Windows Spotlight on the lock screen](windows-spotlight.md). @@ -1838,13 +1857,13 @@ On Windows Server 2016, this will block Microsoft Store calls from Universal Win -or- - - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!DisableStoreApps**, with a value of 1 (one). + - Create a new REG\_DWORD registry setting named **DisableStoreApps** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 1 (one). - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**. -or- - - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!AutoDownload**, with a value of 2 (two). + - Create a new REG\_DWORD registry setting named **AutoDownload** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 2 (two). ### 26.1 Apps for websites @@ -1880,7 +1899,7 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con | Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| | Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| -You can also set the **Download Mode** policy by creating a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization!DODownloadMode**, with a value of 100 (one hundred). +You can also set the **Download Mode** policy by creating a new REG\_DWORD registry setting named **DODownloadMode** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization** with a value of 100 (one hundred). ### 27.3 Delivery Optimization MDM policies @@ -1915,15 +1934,15 @@ For more info about Delivery Optimization in general, see [Windows Update Delive You can turn off Windows Update by setting the following registry entries: -- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. +- Add a REG\_DWORD value named **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. -and- -- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. +- Add a REG\_DWORD value named **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. -and- -- Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1. +- Add a REG\_DWORD value named **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1. -or- @@ -1940,7 +1959,7 @@ You can turn off Windows Update by setting the following registry entries: You can turn off automatic updates by doing one of the following. This is not recommended. -- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. +- Add a REG\_DWORD value named **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. -or- diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 9cb8223eed..068422a836 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: mobile author: eross-msft ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 05/02/2018 --- # Manage Wi-Fi Sense in your company @@ -18,7 +18,8 @@ ms.date: 07/27/2017 - Windows 10 - Windows 10 Mobile ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>[!IMPORTANT] +>Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details. Wi-Fi Sense learns about open Wi-Fi hotspots your Windows PC or Windows phone connects to by collecting information about the network, like whether the open Wi-Fi network has a high-quality connection to the Internet. By using that information from your device and from other Wi-Fi Sense customers' devices too, Wi-Fi Sense builds a database of these high-quality networks. When you’re in range of one of these Wi-Fi hotspots, you automatically get connected to it. diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md index fc11afb5d6..68d77e21b8 100644 --- a/windows/configuration/mobile-devices/provisioning-nfc.md +++ b/windows/configuration/mobile-devices/provisioning-nfc.md @@ -16,6 +16,7 @@ ms.date: 07/27/2017 - Windows 10 Mobile + Near field communication (NFC) enables Windows 10 Mobile Enterprise and Windows 10 Mobile devices to communicate with an NFC tag or another NFC-enabled transmitting device. Enterprises that do bulk provisioning can use NFC-based device provisioning to provide a provisioning package to the device that's being provisioned. NFC provisioning is simple and convenient and it can easily store an entire provisioning package. The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE. diff --git a/windows/configuration/multi-app-kiosk-xml.md b/windows/configuration/multi-app-kiosk-xml.md deleted file mode 100644 index 8babcdefec..0000000000 --- a/windows/configuration/multi-app-kiosk-xml.md +++ /dev/null @@ -1,175 +0,0 @@ ---- -title: Multi-app kiosk XML reference (Windows 10) -description: XML and XSD for multi-app kiosk device configuration. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 -keywords: ["lockdown", "app restrictions", "applocker"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security -author: jdeckerms -ms.localizationpriority: medium -ms.date: 08/14/2017 -ms.author: jdecker ---- - -# Multi-app kiosk XML reference - - -**Applies to** - -- Windows 10 - -## Full XML sample - -```xml - -
| **Step** | **Description** | **Desktopwizard** | **Mobilewizard** | **Kioskwizard** |
| Set up device | Assign device name,enter product key to upgrade Windows,configure shared used,remove pre-installed software |  | (Only device name and upgrade key) |  |
| Set up network | Connect to a Wi-Fi network |  |  |  |
| Account management | Enroll device in Active Directory,enroll device in Azure Active Directory,or create a local administrator account |  |  |  |
| Bulk Enrollment in Azure AD | Enroll device in Azure Active DirectoryBefore you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). |  |  |  |
| Add applications | Install applications using the provisioning package. |  |  |  |
| Add certificates | Include a certificate file in the provisioning package. |  |  |  |
| Configure kiosk account and app | Create local account to run the kiosk mode app,specify the app to run in kiosk mode |  |  |  |
| Configure kiosk common settings | Set tablet mode,configure welcome and shutdown screens,turn off timeout settings |  |  |  |
| **Step** | **Description** | **Desktop wizard** | **Mobile wizard** | **Kiosk wizard** | **HoloLens wizard** |
| Set up device | Assign device name,enter product key to upgrade Windows,configure shared used,remove pre-installed software |  | (Only device name and upgrade key) |  |  |
| Set up network | Connect to a Wi-Fi network |  |  |  |  |
| Account management | Enroll device in Active Directory,enroll device in Azure Active Directory,or create a local administrator account |  |  |  |  |
| Bulk Enrollment in Azure AD | Enroll device in Azure Active DirectoryBefore you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). |  |  |  |  |
| Add applications | Install applications using the provisioning package. |  |  |  |  |
| Add certificates | Include a certificate file in the provisioning package. |  |  |  |  |
| Configure kiosk account and app | Create local account to run the kiosk mode app,specify the app to run in kiosk mode |  |  |  |  |
| Configure kiosk common settings | Set tablet mode,configure welcome and shutdown screens,turn off timeout settings |  |  |  |  |
| Developer Setup | Enable Developer Mode. |  |  |  |  |
| Topic | Description |
| [Overview of Windows AutoPilot](windows-autopilot/windows-10-autopilot.md) | Windows AutoPilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. | +
| [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) | Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. |
| [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) | This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | This topic provides information about support for upgrading from one edition of Windows 10 to another. |
| [Windows 10 volume license media](windows-10-media.md) | This topic provides information about media available in the Microsoft Volume Licensing Service Center. | diff --git a/windows/deployment/planning/TOC.md b/windows/deployment/planning/TOC.md index 72286c9cd2..7c0ba92950 100644 --- a/windows/deployment/planning/TOC.md +++ b/windows/deployment/planning/TOC.md @@ -3,8 +3,9 @@ ## [Windows 10 deployment considerations](windows-10-deployment-considerations.md) ## [Windows 10 compatibility](windows-10-compatibility.md) ## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) -## [Creators update (version 1703) - deprecated features](windows-10-creators-update-deprecation.md) +## [Windows 10, version 1803 - Features removed or planned for replacement](windows-10-1803-removed-features.md) ## [Fall Creators update (version 1709) - deprecated features](windows-10-fall-creators-deprecation.md) +## [Creators update (version 1703) - deprecated features](windows-10-creators-update-deprecation.md) ## [Windows To Go: feature overview](windows-to-go-overview.md) ### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md) diff --git a/windows/deployment/planning/windows-10-1803-removed-features.md b/windows/deployment/planning/windows-10-1803-removed-features.md new file mode 100644 index 0000000000..87631ec626 --- /dev/null +++ b/windows/deployment/planning/windows-10-1803-removed-features.md @@ -0,0 +1,53 @@ +--- +title: Windows 10, version 1803 - Features that have been removed +description: Learn about features that will be removed or deprecated in Windows 10, version 1803, or a future release +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: high +ms.sitesec: library +author: lizap +ms.author: elizapo +ms.date: 05/03/2018 +--- +# Features removed or planned for replacement starting with Windows 10, version 1803 + +> Applies to: Windows 10, version 1803 + +Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1803 (also called Windows 10 April 2018 Update). + +> [!TIP] +> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes. +> - Have questions about other releases? Check out the information for [Windows 10, version 1703](windows-10-creators-update-deprecation.md), and [Windows 10, version 1709](windows-10-fall-creators-deprecation.md). + +**The list is subject to change and might not include every affected feature or functionality.** + +## Features we removed in this release + +We've removed the following features and functionalities from the installed product image in Windows 10, version 1803. Applications or code that depend on these features won't function in this release unless you use an alternate method. + +|Feature |Instead you can use...| +|-----------|-------------------- +|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/en-us/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| +|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| +|Language control in the Control Panel| Use the Settings app to change your language settings.| +|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.
To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article. -Result codes can be matched to the type of error encountered. To match a result code to an error: +The following set of result codes are associated with [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings: + +| Result code | Message | Description | +| --- | --- | --- | +| 0xC1900210 | MOSETUP_E_COMPAT_SCANONLY | Setup did not find any compat issue | +| 0xC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | Setup found an actionable compat issue, such as an incompatible app | +| 0xC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The migration choice selected is not available (ex: Enterprise to Home) | +| 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 | +| 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install | + +A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procudures](resolution-procedures.md#modern-setup-errors) topic in this article. + +Other result codes can be matched to the specific type of error encountered. To match a result code to an error: 1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit:
**8** = Win32 error code (ex: 0x**8**0070070) diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index 5594afcec8..d3f4fb87fd 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md @@ -2,17 +2,52 @@ title: Upgrade Readiness - Additional insights description: Explains additional features of Upgrade Readiness. ms.prod: w10 -author: greg-lindsay -ms.date: 10/26/2017 +author: jaimeo +ms.date: 04/03/2018 --- # Upgrade Readiness - Additional insights This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: +- [Spectre and Meltdown protections](#spectre-meltdown-protection-status): Status of devices with respect to their anti-virus, security update, and firmware updates related to protection from the "Spectre" and "Meltdown" vulnerabilities. - [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer. - [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. +## Spectre and Meltdown protection status +Microsoft has published guidance for IT Pros that outlines the steps you can take to improve protection against the hardware vulnerabilities known as "Spectre" and "Meltdown." See [Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities](https://go.microsoft.com/fwlink/?linkid=867468) for details about the vulnerabilities and steps you can take. + +Microsoft recommends three steps to help protect against the Spectre and Meltdown vulnerabilities: +- Verify that you are running a supported antivirus application. +- Apply all available Windows operating system updates, including the January 2018 and later Windows security updates. +- Apply any applicable processor firmware (microcode) updates provided by your device manufacturer(s). + +Upgrade Readiness reports on status of your devices in these three areas. + + + +>[!IMPORTANT] +>To provide these blades with data, ensure that your devices can reach the endpoint **http://adl.windows.com**. (See [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) for more about necessary endpoints and how to whitelist them.) + +### Anti-virus status blade +This blade helps you determine if your devices' anti-virus solution is compatible with the latest Windows operating system updates. It shows the number of devices that have an anti-virus solution with no known issues, issues reported, or an unknown status for a particular Windows security update. In the following example, an anti-virus solution that has no known issues with the January 3, 2018 Windows update is installed on about 2,800 devices. + + + +### Security update status blade +This blade indicates whether a Windows security update that includes Spectre- or Meltdown-related fixes (January 3, 2018 or later) has been installed, as well as whether specific fixes have been disabled. Though protections are enabled by default on devices running Windows (but not Windows Server) operating systems, some IT administrators might choose to disable specific protections. In the following example, about 4,300 devices have a Windows security update that includes Spectre or Meltdown protections installed, and those protections are enabled. + + + +>[!IMPORTANT] +>If you are seeing computers with statuses of either “Unknown – action may be required” or “Installed, but mitigation status unknown,” it is likely that you need to whitelist the **http://adl.windows.com** endpoint. + +### Firmware update status blade +This blade reports the number of devices that have installed a firmware update that includes Spectre or Meltdown protections. The blade might report a large number of blank, “unknown”, or “to be determined” statuses at first. As CPU information is provided by partners, the blade will automatically update with no further action required on your part. + + + + ## Site discovery The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. @@ -20,7 +55,7 @@ The site discovery feature in Upgrade Readiness provides an inventory of web sit > [!NOTE] > Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. -[In order to use site discovery, a separate opt-in is required; see Enrolling] +In order to use site discovery, a separate opt-in is required; see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). ### Review most active sites @@ -52,4 +87,4 @@ Office add-ins provides a list of the Microsoft Office add-ins in your environme ## Related topics -[Upgrade Readiness release notes](upgrade-readiness-release-notes.md) +[Upgrade Readiness release notes](upgrade-readiness-release-notes.md) \ No newline at end of file diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 7b45c2ed1b..5ead8a22d0 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -203,11 +203,7 @@ The deployment script displays the following exit codes to let you know if it wa
| **Home > Pro for Workstations** |  |  |  |  |  |  | | **Home > Pro Education** |  |  |  |  |  |  | | **Home > Education** |  |  |  |  |  |  | -| **S > Pro** | 
(1709) | 
(1709) |  |  | 
(1709) | 
(1709) | -| **S > Pro for Workstations** | 
(1709) | 
(1709) |  |  | 
(1709) | 
(1709) | -| **S > Pro Education** | 
(1709) | 
(1709) |  | 
(1709 - MSfB) | 
(1709) |  | -| **S > Education** |  |  |  | 
(MSfB) |  |  | -| **S > Enterprise** | 
(1709) | 
(1709) |  | 
(1703 - PC)
(1709 - MSfB) | 
(1709) |  | | **Pro > Pro for Workstations** |  |  |  | 
(MSfB) |  |  | | **Pro > Pro Education** |  |  |  | 
(MSfB) |  |  | | **Pro > Education** |  |  |  | 
(MSfB) |  |  | @@ -65,9 +60,10 @@ X = unsupported
| **Mobile > Mobile Enterprise** |  | |  |  |  |  | > [!NOTE] -> Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods. +> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) +> - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods. >
->
Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. +> - Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. ## Upgrade using mobile device management (MDM) - To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 1fb488e7ea..a6feddf84d 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: activation author: jdeckerms ms.localizationpriority: high -ms.date: 07/27/2017 +ms.date: 04/25/2018 --- # Install VAMT @@ -19,23 +19,20 @@ This topic describes how to install the Volume Activation Management Tool (VAMT) You can install VAMT as part of the [Windows Assessment and Deployment Kit (ADK)](https://go.microsoft.com/fwlink/p/?LinkId=526740) for Windows 10. -**Important** -VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. +>[!IMPORTANT] +>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. -**Note** -The VAMT Microsoft Management Console snap-in ships as an x86 package. +>[!NOTE] +>The VAMT Microsoft Management Console snap-in ships as an x86 package. -After you install VAMT, if you have a computer information list (CIL) that was created in a previous version of VAMT, you must import the list into a SQL database. If you do not have SQL installed, you can download a free copy of Microsoft SQL Server Express and create a new database into which you can import the CIL. To install SQL Server Express: +To install SQL Server Express: 1. Install the Windows ADK. -2. Ensure that **Volume Activation Management Tool** and **Microsoft® SQL Server® 2012 Express** are selected to be installed. +2. Ensure that **Volume Activation Management Tool** is selected to be installed. 3. Click **Install**. ## Select a Database -**Using a SQL database installed during ADK setup** -If SQL Server 2012 Express was installed during ADK setup, the default database name will be **ADK**.By default, VAMT is configure to use a SQL database that is installed on the local machine during ADK setup and displays the server name as **.\\ADK**. If the SQL database was installed on another machine, you must configure the database to allow remote connections and you must provide the corresponding server name. If a new VAMT database needs to be created, provide a name for the new database. - -**Using a SQL database installed outside of ADK setup** +VAMT requires a SQL database. After you install VAMT, if you have a computer information list (CIL) that was created in a previous version of VAMT, you must import the list into a SQL database. If you do not have SQL installed, you can [download a free copy of Microsoft SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) and create a new database into which you can import the CIL. You must configure SQL installation to allow remote connections and you must provide the corresponding server name in the format: *Machine Name\\SQL Server Name*. If a new VAMT database needs to be created, provide a name for the new database. diff --git a/windows/deployment/windows-10-architecture-posters.md b/windows/deployment/windows-10-architecture-posters.md index 9e30d5461e..fe08fd1129 100644 --- a/windows/deployment/windows-10-architecture-posters.md +++ b/windows/deployment/windows-10-architecture-posters.md @@ -17,7 +17,7 @@ You can download the following posters for architectural information about deplo Learn about the options and steps for a new installation of Windows 10. - [Deploy Windows 10 - In-place upgrade](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf) Learn about the steps to upgrade from a previous version of Windows. -- [Deploy Windows 10 - Windows AutoPilot](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf) +- [Deploy Windows 10 - Windows Autopilot](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-WindowsAutopilot.pdf) Learn how you can set up and pre-configure Windows 10 devices. - [Deploy Windows 10 - Windows servicing](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/WindowsServicing.pdf) Learn how to keep Windows up to date. diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 2dced411ff..d12e6d29d6 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -31,12 +31,12 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
->Except for clean install scenarios such as traditional bare metal and Windows AutoPilot, all the methods described can optionally migrate apps and settings to the new OS. +>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. ## Modern deployment methods Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. -### Windows AutoPilot +### Windows Autopilot -Windows AutoPilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows AutoPilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. +Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. -For more information about Windows AutoPilot, see [Overview of Windows AutoPilot](https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows AutoPilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). +For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). ### In-place upgrade diff --git a/windows/deployment/windows-10-deployment-workflow.md b/windows/deployment/windows-10-deployment-workflow.md deleted file mode 100644 index 5ac7695ecb..0000000000 --- a/windows/deployment/windows-10-deployment-workflow.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: Windows 10 deployment workflow -description: Scenarios, methods, tools, and requirements for deploying Windows 10. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: high -ms.pagetype: deploy -ms.sitesec: library -author: greg-lindsay -ms.date: 12/4/2017 ---- - -# Windows 10 deployment workflow - diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index de3ae148a3..e455be3daf 100644 --- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md @@ -23,6 +23,7 @@ With Windows 10 version 1703 (also known as the Creator’s Update), both Window Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-whatis). See the following topics in this article: +- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. - [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment. - [Requirements](#requirements): Prerequisites to use the Windows 10 Enterprise subscription model. - [Benefits](#benefits): Advantages of Windows 10 Enterprise + subscription-based licensing. @@ -31,6 +32,14 @@ See the following topics in this article: For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). +## Inherited Activation + +Inherited Activation is a new feature available in Windows 10, version 1803 that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host. + +When a user with Windows 10 E3 or E5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. + +To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. + ## The evolution of deployment >The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/). diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 4ac1cc5a28..108816df6c 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -730,7 +730,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Ignore any warnings that are displayed. The computer will automatically reboot upon completion. -9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and supress the post-DHCP-install alert: +9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert:
Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
new file mode 100644
index 0000000000..9a4f995859
--- /dev/null
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -0,0 +1,67 @@
+---
+title: Windows 10 Pro in S mode
+description: Overview of Windows 10 Pro in S mode, switching options, and system requirements
+keywords: Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.prod: w10
+ms.sitesec: library
+ms.pagetype: deploy
+ms.date: 04/30/2018
+author: Mikeblodge
+---
+
+# Windows 10 Pro/Enterprise in S mode
+
+S mode is an enhanced security mode of Windows 10. Windows 10 Pro and Enterprise in S mode powers affordable, cloud-ready devices that are simple, secure, and efficient. Users can get started quickly, thanks to self-service deployment and a familiar Windows experience. Low-price S mode devices offer tailored solutions for kiosks, digital signs, and task work. If your device is running Windows 10, version 1709, or Windows 10, version 1803, you can switch from Windows 10 in S mode to Windows 10 Pro.
+
+## Benefits of Windows 10 Pro in S mode:
+
+- **Microsoft-verified security** - It reduces risk of malware and exploitations because only Microsoft-verified apps can be installed including Windows Defender Antivirus.
+- **Performance that lasts** - Provides all-day battery life to keep workers on task and not tripping over cords. Also, verified apps won’t degrade device performance over time.
+- **Streamlined for speed** - Offers faster log-in times with Windows Hello. Plus, workers get all the exclusive Windows innovations including Cortana and Windows Ink.
+
+| |Home |S mode |Pro/Pro Education |Enterprise/Education |
+|---------|:---:|:---:|:---:|:---:|
+|Start Menu/Hello/Cortana/
Windows Ink/Microsoft Edge | X | X | X | X |
+|Store apps (including Windows
desktop bridge apps) | X | X | X | X |
+|Windows Update | X | X | X | X |
+|Device Encryption | X | X | X | X |
+|BitLocker | | X | X | X |
+|Windows Update for Business | | X | X | X |
+|Microsoft Store for Education | | X | X | X |
+|Mobile Device Management
and Azure AD join | | X | X | X |
+|Group Policy management and
Active Directory Domain Services | | | X | X |
+|Desktop (Windows 32) Apps | X | | X | X |
+|Change App Defaults
Search/Browser/Photos/etc. | X | | X | X |
+|Credential Guard | | | | X |
+|Device Guard | | | | X |
+
+## Keep Line of Business apps functioning with Desktop Bridge
+Worried about your LOB apps not working in S mode? Using Desktop Bridge will enable you to convert your Line of Business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Windows Store or existing channels.
+
+[Explore Desktop Bridge](https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-root)
+
+>[!NOTE]
+>The only way to revert to Windows 10 in S mode is to perform a BMR factory reset. This will allow you to reimage a device.
+
+### Windows 10 in S mode is safe, secure, and fast.
+We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store.
+
+## How to switch
+If you’re running Windows 10, version 1709 or version 1803, you can switch to Windows 10 Pro through the Microsoft Store. Devices running version 1803 will only be able to switch through the Store one device at a time.
+
+1. Sign into the Microsoft Store using your Microsoft account.
+2. Search for "S mode"
+3. In the offer, click **Buy**, **Get**, OR **Learn more.**
+You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
+
+> [!IMPORTANT]
+> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a BMR factory reset.
+
+## Related topics
+
+[FAQs](https://support.microsoft.com/en-us/help/4020089/windows-10-in-s-mode-faq)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
+[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/en-us/intune/what-is-intune)
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
index 865fa18cce..3bdaf3e0ba 100644
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@@ -1,8 +1,8 @@
-# [Overview of Windows AutoPilot](windows-10-autopilot.md)
+# [Overview of Windows Autopilot](windows-10-autopilot.md)
-## [The Windows AutoPilot Deployment Program in Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
-## [The Windows AutoPilot Deployment Program in Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
-## [The Windows AutoPilot Deployment Program in Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
-## [The Windows AutoPilot Deployment Program in Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
-## [Demo the Windows AutoPilot Deployment Program on a Virtual Machine](windows-10-autopilot-demo-vm.md)
+## [The Windows Autopilot Deployment Program in Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
+## [The Windows Autopilot Deployment Program in Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
+## [The Windows Autopilot Deployment Program in Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
+## [The Windows Autopilot Deployment Program in Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
+## [Demo the Windows Autopilot Deployment Program on a Virtual Machine](windows-10-autopilot-demo-vm.md)
diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md b/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md
index 505982b0d1..9efe482c59 100644
--- a/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md
+++ b/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md
@@ -1,6 +1,6 @@
---
-title: Demo the Windows AutoPilot Deployment Program on a Virtual Machine
-description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows AutoPilot deployment
+title: Demo the Windows Autopilot Deployment Program on a Virtual Machine
+description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ ms.author: daniha
ms.date: 12/21/2017
---
-# Demo the Windows AutoPilot Deployment Program on a Virtual Machine
+# Demo the Windows Autopilot Deployment Program on a Virtual Machine
**Applies to**
- Windows 10
-In this topic you'll learn how to set-up a Windows AutoPilot deployment for a Virtual Machine using Hyper-V.
+In this topic you'll learn how to set-up a Windows Autopilot deployment for a Virtual Machine using Hyper-V.
## Prerequisites
@@ -27,7 +27,7 @@ These are the thing you'll need on your device to get started:
* Internet access (see [Network connectivity requirements](windows-10-autopilot.md#network-connectivity-requirements))
* Hypervisor needs to be unoccupied, or used by Hyper-V, as we will be using Hyper-V to create the Virtual Machine
-See additional prerequisites in the [Windows AutoPilot overview topic](windows-10-autopilot.md#prerequisites).
+See additional prerequisites in the [Windows Autopilot overview topic](windows-10-autopilot.md#prerequisites).
## Create your Virtual Machine
@@ -49,10 +49,10 @@ Now that Hyper-V is enabled, proceed to create your Virtual Machine.
Open a PowerShell prompt **as an administrator** and run the following:
```powershell
-New-VMSwitch -Name AutoPilotExternal -NetAdapterName -AllowManagementOS $true
-New-VM -Name WindowsAutoPilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutoPilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutoPilotExternal
-Add-VMDvdDrive -Path -VMName WindowsAutoPilot
-Start-VM -VMName WindowsAutoPilot
+New-VMSwitch -Name AutopilotExternal -NetAdapterName -AllowManagementOS $true
+New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
+Add-VMDvdDrive -Path -VMName WindowsAutopilot
+Start-VM -VMName WindowsAutopilot
```
>[!IMPORTANT]
@@ -61,14 +61,14 @@ Start-VM -VMName WindowsAutoPilot
### Install Windows 10
-Now that the Virtual Machine was created and started, open **Hyper-V Manager** and connect to the **WindowsAutoPilot** Virtual Machine.
+Now that the Virtual Machine was created and started, open **Hyper-V Manager** and connect to the **WindowsAutopilot** Virtual Machine.
Make sure the Virtual Machine booted from the installation media you've provided and complete the Windows installation process.
Once the installation is complete, create a checkpoint. You will create multiple checkpoints throughout this process, which you can later use to go through the process again.
To create the checkpoint, open a PowerShell prompt **as an administrator** and run the following:
```powershell
-Checkpoint-VM -Name WindowsAutoPilot -SnapshotName "Finished Windows install"
+Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
```
## Capture your Virtual Machine's hardware ID
@@ -78,8 +78,8 @@ On the newly created Virtual Machine, open a PowerShell prompt **as an administr
md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy Unrestricted
-Install-Script -Name Get-WindowsAutoPilotInfo
-Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
+Install-Script -Name Get-WindowsAutopilotInfo
+Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
>[!NOTE]
@@ -87,34 +87,34 @@ Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
### Mount the Virtual Hard Drive (VHD)
-To gain access to the AutoPilotHWID.csv that contains the hardware ID, stop the Virtual Machine to unlock the Virtual Hard Drive.
+To gain access to the AutopilotHWID.csv that contains the hardware ID, stop the Virtual Machine to unlock the Virtual Hard Drive.
To do that, on your device (**not** on the Virtual Machine), open a PowerShell prompt **as an administrator** and run the following:
```powershell
-Stop-VM -VMName WindowsAutoPilot
+Stop-VM -VMName WindowsAutopilot
```
Once the Virtual Machine has stopped, create a checkpoint:
```powershell
-Checkpoint-VM -Name WindowsAutoPilot -SnapshotName "HWID captured"
+Checkpoint-VM -Name WindowsAutopilot -SnapshotName "HWID captured"
```
With the checkpoint created, continue to mount the VHD:
```powershell
-Mount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutoPilot).Path
+Mount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutopilot).Path
```
-Once mounted, navigate to the new drive and copy **AutoPilotHWID.csv** to a location on your device.
+Once mounted, navigate to the new drive and copy **AutopilotHWID.csv** to a location on your device.
Before you proceed, unmount the VHD to unlock it and start the Virtual Machine:
```powershell
-Dismount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutoPilot).Path
-Start-VM -VMName WindowsAutoPilot
+Dismount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutopilot).Path
+Start-VM -VMName WindowsAutopilot
```
## Reset Virtual Machine back to Out-Of-Box-Experience (OOBE)
-With the hardware ID captured, prepare your Virtual Machine for Windows AutoPilot deployment by resetting it back to OOBE.
+With the hardware ID captured, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**.
@@ -158,11 +158,11 @@ For the purposes of this demo, select **All** under the **MDM user scope** and c
## Register your Virtual Machine to your organization
-Navigate to [Microsoft Store for Business device management](https://businessstore.microsoft.com/en-us/manage/devices). Click on **Add devices** and select the **AutoPilotHWID.csv** you've saved earlier. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your Virtual Machine added.
+Navigate to [Microsoft Store for Business device management](https://businessstore.microsoft.com/en-us/manage/devices). Click on **Add devices** and select the **AutopilotHWID.csv** you've saved earlier. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your Virtual Machine added.
-## Create and assign a Windows AutoPilot deployment profile
+## Create and assign a Windows Autopilot deployment profile
Navigate to [Windows enrollment in Microsoft Intune](https://portal.azure.com/#blade/Microsoft_Intune_Enrollment/OverviewBlade/windowsEnrollment).
@@ -170,13 +170,13 @@ Make sure to sync the device you've just registered, by clicking on **Devices**
-### Create a Windows AutoPilot deployment profile
+### Create a Windows Autopilot deployment profile
Click on **Deployment profiles** under **Windows Autopilot Deployment Program (Preview)** and select **Create profile**.
-In the **Create profile** blade, set the name to **AutoPilot Intune Demo**, click on **Out-of-box experience (OOBE)** and configure the following:
+In the **Create profile** blade, set the name to **Autopilot Intune Demo**, click on **Out-of-box experience (OOBE)** and configure the following:
| Setting name | Value |
|---|---|
|Privacy Settings|Hide|
@@ -187,15 +187,15 @@ Click on **Save** and **Create**.
-### Assign a Windows AutoPilot deployment profile
+### Assign a Windows Autopilot deployment profile
-With the deployment profile created, go back to **Devices** under **Windows Autopilot Deployment Program (Preview)** and select your Virtual Machine. Click on **Assign profile** and in the **Assign Profile** blade select **AutoPilot Intune Demo** under the **AutoPilot profile**. Click on **Assign**.
+With the deployment profile created, go back to **Devices** under **Windows Autopilot Deployment Program (Preview)** and select your Virtual Machine. Click on **Assign profile** and in the **Assign Profile** blade select **Autopilot Intune Demo** under the **Autopilot profile**. Click on **Assign**.
-
+
Wait a few minutes for all changes to apply.
-## See Windows AutoPilot in action
+## See Windows Autopilot in action
By now, your Virtual Machine should be back to OOBE. Make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding)
, otherwise those changes might not show up.
@@ -204,6 +204,6 @@ Once you select a language and a keyboard layout, your company branded sign-in s
-Windows AutoPilot will now take over to automatically join your Virtual Machine into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
+Windows Autopilot will now take over to automatically join your Virtual Machine into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
Missing something in this topic? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-autopilot-demo-vm.md).
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot.md b/windows/deployment/windows-autopilot/windows-10-autopilot.md
index 86055c3cf1..f935924770 100644
--- a/windows/deployment/windows-autopilot/windows-10-autopilot.md
+++ b/windows/deployment/windows-autopilot/windows-10-autopilot.md
@@ -1,6 +1,6 @@
---
-title: Overview of Windows AutoPilot
-description: This topic goes over Windows AutoPilot and how it helps setup OOBE Windows 10 devices.
+title: Overview of Windows Autopilot
+description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,32 +12,32 @@ ms.author: daniha
ms.date: 12/13/2017
---
-# Overview of Windows AutoPilot
+# Overview of Windows Autopilot
**Applies to**
- Windows 10
-Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.
+Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.
This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
-## Benefits of Windows AutoPilot
+## Benefits of Windows Autopilot
-Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach.
+Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach.
From the users' perspective, it only takes a few simple operations to make their device ready to use.
From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated.
-## Windows AutoPilot Scenarios
+## Windows Autopilot Scenarios
### Cloud-Driven
-The Cloud-Driven scenario enables you to pre-register devices through the Windows AutoPilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side.
+The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side.
-#### The Windows AutoPilot Deployment Program experience
+#### The Windows Autopilot Deployment Program experience
-The Windows AutoPilot Deployment Program enables you to:
+The Windows Autopilot Deployment Program enables you to:
* Automatically join devices to Azure Active Directory (Azure AD)
* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites))
* Restrict the Administrator account creation
@@ -48,7 +48,7 @@ The Windows AutoPilot Deployment Program enables you to:
* [Devices must be registered to the organization](#device-registration-and-oobe-customization)
* [Company branding needs to be configured](#configure-company-branding-for-oobe)
-* [Network connectivity to cloud services used by Windows AutoPilot](#network-connectivity-requirements)
+* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements)
* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
* Devices must have access to the internet
* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
@@ -71,7 +71,7 @@ MDM enrollment ensures policies are applied, apps are installed and setting are
In order to register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf.
-If you would like to capture that information by yourself, you can use the [Get-WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo), which will generate a .csv file with the device's hardware ID.
+If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID.
Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703:
* Skipping Work or Home usage selection (*Automatic*)
@@ -83,7 +83,7 @@ Once devices are registered, these are the OOBE customization options available
For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options:
* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
-* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
+* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
* [Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
##### Configure company branding for OOBE
@@ -101,7 +101,7 @@ In order for your devices to be auto-enrolled into MDM management, MDM auto-enro
#### Network connectivity requirements
-The Windows AutoPilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices.
+The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices.
To manage devices behind firewalls and proxy servers, the following URLs need to be accessible:
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index 43202e6dde..cb339d35c0 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -1,5 +1,5 @@
# [Windows 10 and Windows 10 Mobile](index.md)
-## [Get started](/windows/whats-new/get-started-with-1709)
+## [Get started](/windows/whats-new/whats-new-windows-10-version-1803)
## [What's new](/windows/whats-new)
## [Deployment](/windows/deployment)
## [Configuration](/windows/configuration)
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 40d4c2db5e..adbc774252 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -8,7 +8,7 @@ author: greg-lindsay
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.date: 03/28/2018
+ms.date: 04/30/2018
---
# Windows 10 and Windows 10 Mobile
@@ -18,14 +18,15 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
-> [!video https://www.microsoft.com/en-us/videoplayer/embed/43942201-bec9-4f8b-8ba7-2d9bfafa8bba?autoplay=false]
+> [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false]
+## Check out [what's new in Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803).
-
+
What's New?
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 7a1ed6b87c..a465944d46 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -154,7 +154,7 @@ sections:
title: Windows Hello for Business
- - href: \windows\security\threat-protection\windows-defender-application-control
+ - href: \windows\security\threat-protection\windows-defender-application-control\windows-defender-application-control
html: Lock down applications that run on a device
@@ -251,7 +251,7 @@ sections:
- html: Windows Defender Firewall
- html: Windows Defender Exploit Guard
- html: Windows Defender Credential Guard
- - html: Windows Defender Device Guard
+ - html: Windows Defender Device Guard
- html: Windows Defender Application Guard
- html: Windows Defender SmartScreen
- html: Windows Defender Security Center
diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md
index ab9300961a..c845e7e6aa 100644
--- a/windows/security/information-protection/TOC.md
+++ b/windows/security/information-protection/TOC.md
@@ -3,6 +3,15 @@
## [BitLocker](bitlocker\bitlocker-overview.md)
### [Overview of BitLocker Device Encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md)
### [BitLocker frequently asked questions (FAQ)](bitlocker\bitlocker-frequently-asked-questions.md)
+#### [Overview and requirements](bitlocker\bitlocker-overview-and-requirements-faq.md)
+#### [Upgrading](bitlocker\bitlocker-upgrading-faq.md)
+#### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.md)
+#### [Key management](bitlocker\bitlocker-key-management-faq.md)
+#### [BitLocker To Go](bitlocker\bitlocker-to-go-faq.md)
+#### [Active Directory Domain Services](bitlocker\bitlocker-and-adds-faq.md)
+#### [Security](bitlocker\bitlocker-security-faq.md)
+#### [BitLocker Network Unlock](bitlocker\bitlocker-network-unlock-faq.md)
+#### [General](bitlocker\bitlocker-using-with-other-programs-faq.md)
### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md)
### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md)
### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md)
@@ -42,4 +51,5 @@
#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md)
#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md)
#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
+### [Fine-tune Windows Information Protection (WIP) with WIP Learning](windows-information-protection\wip-learning.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
new file mode 100644
index 0000000000..cb1363a4e0
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
@@ -0,0 +1,58 @@
+---
+title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
+description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.date: 05/03/2018
+---
+
+# BitLocker and Active Directory Domain Services (AD DS) FAQ
+
+**Applies to**
+- Windows 10
+
+
+## What type of information is stored in AD DS?
+
+Stored information | Description
+-------------------|------------
+Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
+BitLocker recovery password | The recovery password allows you to unlock and access the drive in the event of a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
+BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, Repair-bde.
+
+## What if BitLocker is enabled on a computer before the computer has joined the domain?
+
+If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
+
+For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
+
+The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**.
+
+> [!IMPORTANT]
+> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
+
+## Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
+
+Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.
+
+Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
+
+## If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
+
+No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
+
+## What happens if the backup initially fails? Will BitLocker retry the backup?
+
+If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
+
+When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
+
+For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
+
+When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
+
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
new file mode 100644
index 0000000000..a441abbb58
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
@@ -0,0 +1,94 @@
+---
+title: BitLocker frequently asked questions (FAQ) (Windows 10)
+description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.date: 05/03/2018
+---
+
+# BitLocker Deployment and Administration FAQ
+
+**Applies to**
+- Windows 10
+
+## Can BitLocker deployment be automated in an enterprise environment?
+
+Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps).
+
+## Can BitLocker encrypt more than just the operating system drive?
+
+Yes.
+
+## Is there a noticeable performance impact when BitLocker is enabled on a computer?
+
+Generally it imposes a single-digit percentage performance overhead.
+
+## How long will initial encryption take when BitLocker is turned on?
+
+Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive.
+
+You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
+
+## What happens if the computer is turned off during encryption or decryption?
+
+If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
+
+## Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
+
+No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
+
+## How can I prevent users on a network from storing data on an unencrypted drive?
+
+You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
+When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
+
+## What is Used Disk Space Only encryption?
+
+BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to beencrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
+
+## What system changes would cause the integrity check on my operating system drive to fail?
+
+The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
+
+- Moving the BitLocker-protected drive into a new computer.
+- Installing a new motherboard with a new TPM.
+- Turning off, disabling, or clearing the TPM.
+- Changing any boot configuration settings.
+- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
+
+## What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
+
+Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
+For example:
+
+- Changing the BIOS boot order to boot another drive in advance of the hard drive.
+- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards.
+- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
+
+In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
+The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
+
+## What can prevent BitLocker from binding to PCR 7?
+
+This happens if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
+
+## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
+
+Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
+
+## Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
+
+Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
+
+## Why is "Turn BitLocker on" not available when I right-click a drive?
+Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
+
+## What type of disk configurations are supported by BitLocker?
+Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
+
+
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index bdeb514ae1..29580800e7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -31,14 +31,9 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi
| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
| There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
-| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt drives in seconds. |
+| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. |
| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. |
-| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
-
-The sections that follow describe these improvements in more detail. Also see:
-
-- Additional description of improvements in BitLocker: see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511."
-- Introduction and requirements for BitLocker: see [BitLocker](bitlocker-overview.md).
+| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
## Prepare for drive and file encryption
@@ -81,7 +76,7 @@ Administrators can manage domain-joined devices that have BitLocker Device Encry
## Used Disk Space Only encryption
-BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted, in which case traces of the confidential data could remain on portions of the drive marked as unused.
+BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 10 lets users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.
Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
index 267a2e2428..85ef97406d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
-ms.date: 10/16/2017
+ms.date: 05/03/2018
---
# BitLocker frequently asked questions (FAQ)
@@ -16,403 +16,17 @@ ms.date: 10/16/2017
**Applies to**
- Windows 10
-This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
-
-BitLocker is a data protection feature that encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
-
-- [Overview and requirements](#bkmk-overview)
-- [Upgrading](#bkmk-upgrading)
-- [Deployment and administration](#bkmk-deploy)
-- [Key management](#bkmk-keymanagement)
-- [BitLocker To Go](#bkmk-btgsect)
-- [Active Directory Domain Services (AD DS)](#bkmk-adds)
-- [Security](#bkmk-security)
-- [BitLocker Network Unlock](#bkmk-bnusect)
-- [Other questions](#bkmk-other)
-
-## Overview and requirements
-
-### How does BitLocker work?
-
-**How BitLocker works with operating system drives**
-
-You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
-
-**How BitLocker works with fixed and removable data drives**
-
-You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
-
-### Does BitLocker support multifactor authentication?
-
-Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.
-
-### What are the BitLocker hardware and software requirements?
-
-For requirements, see [System requirements](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview#system-requirements).
-
-> **Note:** Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.
-
-### Why are two partitions required? Why does the system drive have to be so large?
-
-Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
-
-### Which Trusted Platform Modules (TPMs) does BitLocker support?
-
-BitLocker supports TPM version 1.2 or higher.
-
-### How can I tell if a TPM is on my computer?
-
-Open the TPM MMC console (tpm.msc) and look under the **Status** heading.
-
-### Can I use BitLocker on an operating system drive without a TPM?
-
-Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
-To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
-
-### How do I obtain BIOS support for the TPM on my computer?
-
-Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
-
-- It is compliant with the TCG standards for a client computer.
-- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
-
-### What credentials are required to use BitLocker?
-
-To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
-
-### What is the recommended boot order for computers that are going to be BitLocker-protected?
-
-You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.
-
-## Upgrading
-
-### Can I upgrade to Windows 10 with BitLocker enabled?
-
-Yes.
-
-### What is the difference between suspending and decrypting BitLocker?
-
-**Decrypt** completely removes BitLocker protection and fully decrypts the drive.
-
-**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
-
-### Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades?
-
-No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start).
-Users need to suspend BitLocker for Non-Microsoft software updates, such as:
-
-- Computer manufacturer firmware updates
-- TPM firmware updates
-- Non-Microsoft application updates that modify boot components
-
-> **Note:** If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
-
-## Deployment and administration
-
-### Can BitLocker deployment be automated in an enterprise environment?
-
-Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj649829.aspx).
-
-### Can BitLocker encrypt more than just the operating system drive?
-
-Yes.
-
-### Is there a noticeable performance impact when BitLocker is enabled on a computer?
-
-Generally it imposes a single-digit percentage performance overhead.
-
-### How long will initial encryption take when BitLocker is turned on?
-
-Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive.
-
-You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
-
-### What happens if the computer is turned off during encryption or decryption?
-
-If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
-
-### Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
-
-No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
-
-### How can I prevent users on a network from storing data on an unencrypted drive?
-
-You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
-
-### What system changes would cause the integrity check on my operating system drive to fail?
-
-The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
-
-- Moving the BitLocker-protected drive into a new computer.
-- Installing a new motherboard with a new TPM.
-- Turning off, disabling, or clearing the TPM.
-- Changing any boot configuration settings.
-- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
-
-### What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
-
-Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
-For example:
-
-- Changing the BIOS boot order to boot another drive in advance of the hard drive.
-- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards.
-- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
-
-In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
-The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
-
-### Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
-
-Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
-
-### Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
-
-Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
-
-### Why is "Turn BitLocker on" not available when I right-click a drive?
-Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
-
-### What type of disk configurations are supported by BitLocker?
-Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
-
-## Key management
-
-### What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
-
-For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).
-
-### How can the recovery password and recovery key be stored?
-
-The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed.
-
-For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.
-
-A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
-
-### Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
-
-You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *<4-20 digit numeric PIN>* with the numeric PIN you want to use:
-
-`manage-bde –protectors –delete %systemdrive% -type tpm`
-
-`manage-bde –protectors –add %systemdrive% -tpmandpin <4-20 digit numeric PIN>`
-
-
-### When should an additional method of authentication be considered?
-
-New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
-For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
-
-### If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
-
-BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
-
->**Important:** Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
-
-### Can the USB flash drive that is used as the startup key also be used to store the recovery key?
-
-While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
-
-### Can I save the startup key on multiple USB flash drives?
-
-Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed.
-
-### Can I save multiple (different) startup keys on the same USB flash drive?
-
-Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.
-
-### Can I generate multiple (different) startup keys for the same computer?
-
-You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
-
-### Can I generate multiple PIN combinations?
-
-You cannot generate multiple PIN combinations.
-
-### What encryption keys are used in BitLocker? How do they work together?
-
-Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.
-
-### Where are the encryption keys stored?
-
-The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
-
-This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
-
-### Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
-
-The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.
-
-When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
-
-### How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
-
-It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.
-
-The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.
-After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
-
-### How can I determine the manufacturer of my TPM?
-
-You can determine your TPM manufacturer in the TPM MMC console (tpm.msc) under the **TPM Manufacturer Information** heading.
-
-### How can I evaluate a TPM's dictionary attack mitigation mechanism?
-
-The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
-
-- How many failed authorization attempts can occur before lockout?
-- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
-- What actions can cause the failure count and lockout duration to be decreased or reset?
-
-### Can PIN length and complexity be managed with Group Policy?
-
-Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy.
-
-For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-
-## BitLocker To Go
-
-BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.
-
-## Active Directory Domain Services (AD DS)
-
-### What if BitLocker is enabled on a computer before the computer has joined the domain?
-
-If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
-
-For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-
-The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**.
-
->**Important:** Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
-
-### Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
-
-Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.
-
-Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
-
-### If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
-
-No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
-
-### What happens if the backup initially fails? Will BitLocker retry the backup?
-
-If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
-
-When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
-
-For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-
-When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
-
-## Security
-
-### What form of encryption does BitLocker use? Is it configurable?
-
-BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
-
-### What is the best practice for using BitLocker on an operating system drive?
-
-The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.
-
-### What are the implications of using the sleep or hibernate power management options?
-
-BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method.
-
-### What are the advantages of a TPM?
-
-Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
-
->**Note:** Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
-
-## BitLocker Network Unlock
-
-BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
-
-To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it.
-
-BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.
-
-Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is
-not available you will need to use the recovery key to unlock the computer if it can not be connected to the network.
-
-For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
-
-## Other questions
-
-### Can I run a kernel debugger with BitLocker?
-
-Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode.
-
-### How does BitLocker handle memory dumps?
-
-BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.
-
-### Can BitLocker support smart cards for pre-boot authentication?
-
-BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult.
-
-### Can I use a non-Microsoft TPM driver?
-
-Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker.
-
-### Can other tools that manage or modify the master boot record work with BitLocker?
-
-We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
-
-### Why is the system check failing when I am encrypting my operating system drive?
-
-The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
-
-- The computer's BIOS or UEFI firmware cannot read USB flash drives.
-- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled.
-- There are multiple USB flash drives inserted into the computer.
-- The PIN was not entered correctly.
-- The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment.
-- The startup key was removed before the computer finished rebooting.
-- The TPM has malfunctioned and fails to unseal the keys.
-
-### What can I do if the recovery key on my USB flash drive cannot be read?
-
-Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
-
-### Why am I unable to save my recovery key to my USB flash drive?
-
-The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
-
-### Why am I unable to automatically unlock my drive?
-
-Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
-
-### Can I use BitLocker in Safe Mode?
-
-Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode.
-
-### How do I "lock" a data drive?
-
-Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command.
-
->**Note:** Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
-
-The syntax of this command is:
-
-`manage-bde -lock`
-
-Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.
-
-### Can I use BitLocker with the Volume Shadow Copy Service?
-
-Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained.
-
-### Does BitLocker support virtual hard disks (VHDs)?
-
-BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
-
-### Can I use BitLocker with virtual machines (VMs)?
-
-Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect to work or school** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
+This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
+
+- [Overview and requirements](bitlocker-overview-and-requirements-faq.md)
+- [Upgrading](bitlocker-upgrading-faq.md)
+- [Deployment and administration](bitlocker-deployment-and-administration-faq.md)
+- [Key management](bitlocker-key-management-faq.md)
+- [BitLocker To Go](bitlocker-to-go-faq.md)
+- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.md)
+- [Security](bitlocker-security-faq.md)
+- [BitLocker Network Unlock](bitlocker-network-unlock-faq.md)
+- [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.md)
## More information
@@ -424,4 +38,4 @@ Yes. Password protectors and virtual TPMs can be used with BitLocker to protect
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
- [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
-- [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/6f49f904-e04d-4b90-afbc-84bc45d4d30d)
+- [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 41f2b07751..ad44659819 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -393,7 +393,7 @@ This policy setting allows you to block direct memory access (DMA) for all hot p
**Reference**
-This policy setting is only enforced when BitLocker or device encyption is enabled.
+This policy setting is only enforced when BitLocker or device encyption is enabled. As explained in the [Microoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709/), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105/windows-10-update-kb4093105).
### Disallow standard users from changing the PIN or password
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
new file mode 100644
index 0000000000..463761dc4c
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
@@ -0,0 +1,118 @@
+---
+title: BitLocker Key Management FAQ (Windows 10)
+description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.date: 05/03/2018
+---
+
+# BitLocker Key Management FAQ
+
+**Applies to**
+- Windows 10
+
+## How can I authenticate or unlock my removable data drive?
+
+You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde:
+
+Manage-bde -protectors -add e: -sid domain\username
+
+## What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
+
+For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).
+
+## How can the recovery password and recovery key be stored?
+
+The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed.
+
+For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.
+
+A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
+
+## Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
+
+You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use:
+
+manage-bde –protectors –delete %systemdrive% -type tpm
+
+manage-bde –protectors –add %systemdrive% -tpmandpin 4-20 digit numeric PIN
+
+
+## When should an additional method of authentication be considered?
+
+New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
+For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
+
+## If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
+
+BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
+
+> [!IMPORTANT]
+> Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
+
+## Can the USB flash drive that is used as the startup key also be used to store the recovery key?
+
+While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
+
+## Can I save the startup key on multiple USB flash drives?
+
+Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed.
+
+## Can I save multiple (different) startup keys on the same USB flash drive?
+
+Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.
+
+## Can I generate multiple (different) startup keys for the same computer?
+
+You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
+
+## Can I generate multiple PIN combinations?
+
+You cannot generate multiple PIN combinations.
+
+## What encryption keys are used in BitLocker? How do they work together?
+
+Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.
+
+## Where are the encryption keys stored?
+
+The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
+
+This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
+
+## Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
+
+The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.
+
+When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
+
+## How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
+
+It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.
+
+The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.
+After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
+
+## How can I determine the manufacturer of my TPM?
+
+You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
+
+## How can I evaluate a TPM's dictionary attack mitigation mechanism?
+
+The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
+
+- How many failed authorization attempts can occur before lockout?
+- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
+- What actions can cause the failure count and lockout duration to be decreased or reset?
+
+## Can PIN length and complexity be managed with Group Policy?
+
+Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy.
+
+For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
+
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
new file mode 100644
index 0000000000..e81773fb08
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
@@ -0,0 +1,30 @@
+---
+title: BitLocker frequently asked questions (FAQ) (Windows 10)
+description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.date: 05/03/2018
+---
+
+# BitLocker Network Unlock FAQ
+
+**Applies to**
+- Windows 10
+
+BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
+
+To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it.
+
+BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.
+
+Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is
+not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network.
+
+For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
+
+
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
new file mode 100644
index 0000000000..4ed2e0357c
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
@@ -0,0 +1,70 @@
+---
+title: BitLocker overview and requirements FAQ (Windows 10)
+description: This topic for the IT professional answers frequently asked questions concerning the requirements to use BitLocker.
+ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.date: 05/03/2018
+---
+
+# BitLocker Overview and Requirements FAQ
+
+**Applies to**
+- Windows 10
+
+## How does BitLocker work?
+
+**How BitLocker works with operating system drives**
+
+You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
+
+**How BitLocker works with fixed and removable data drives**
+
+You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
+
+## Does BitLocker support multifactor authentication?
+
+Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.
+
+## What are the BitLocker hardware and software requirements?
+
+For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
+
+> [!NOTE]
+> Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.
+
+## Why are two partitions required? Why does the system drive have to be so large?
+
+Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
+
+## Which Trusted Platform Modules (TPMs) does BitLocker support?
+
+BitLocker supports TPM version 1.2 or higher.
+
+## How can I tell if a TPM is on my computer?
+
+Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading.
+
+## Can I use BitLocker on an operating system drive without a TPM?
+
+Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
+To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
+
+## How do I obtain BIOS support for the TPM on my computer?
+
+Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
+
+- It is compliant with the TCG standards for a client computer.
+- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
+
+## What credentials are required to use BitLocker?
+
+To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
+
+## What is the recommended boot order for computers that are going to be BitLocker-protected?
+
+You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.
\ No newline at end of file
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
new file mode 100644
index 0000000000..db335bddd1
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
@@ -0,0 +1,38 @@
+---
+title: BitLocker Security FAQ (Windows 10)
+description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.date: 05/03/2018
+---
+
+# BitLocker Security FAQ
+
+**Applies to**
+- Windows 10
+
+
+## What form of encryption does BitLocker use? Is it configurable?
+
+BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
+
+## What is the best practice for using BitLocker on an operating system drive?
+
+The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.
+
+## What are the implications of using the sleep or hibernate power management options?
+
+BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method.
+
+## What are the advantages of a TPM?
+
+Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
+
+> [!NOTE]
+> Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
+
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
new file mode 100644
index 0000000000..97c77d3302
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
@@ -0,0 +1,22 @@
+---
+title: BitLocker To Go FAQ (Windows 10)
+description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.date: 05/03/2018
+---
+
+# BitLocker To Go FAQ
+
+**Applies to**
+- Windows 10
+
+## What is BitLocker To Go?
+
+BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.
+
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
new file mode 100644
index 0000000000..7384f80699
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
@@ -0,0 +1,40 @@
+---
+title: BitLocker Upgrading FAQ (Windows 10)
+description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.date: 05/03/2018
+---
+
+# BitLocker Upgrading FAQ
+
+**Applies to**
+- Windows 10
+
+## Can I upgrade to Windows 10 with BitLocker enabled?
+
+Yes.
+
+## What is the difference between suspending and decrypting BitLocker?
+
+**Decrypt** completely removes BitLocker protection and fully decrypts the drive.
+
+**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
+
+## Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades?
+
+No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start).
+Users need to suspend BitLocker for Non-Microsoft software updates, such as:
+
+- Computer manufacturer firmware updates
+- TPM firmware updates
+- Non-Microsoft application updates that modify boot components
+
+> [!NOTE]
+> If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
+
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
new file mode 100644
index 0000000000..874b4e95dd
--- /dev/null
+++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
@@ -0,0 +1,95 @@
+---
+title: Using BitLocker with other programs FAQ (Windows 10)
+description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.date: 05/03/2018
+---
+
+# Using BitLocker with other programs FAQ
+
+**Applies to**
+- Windows 10
+
+## Can I use EFS with BitLocker?
+
+Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.
+
+## Can I run a kernel debugger with BitLocker?
+
+Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode.
+
+## How does BitLocker handle memory dumps?
+
+BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.
+
+## Can BitLocker support smart cards for pre-boot authentication?
+
+BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult.
+
+## Can I use a non-Microsoft TPM driver?
+
+Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker.
+
+## Can other tools that manage or modify the master boot record work with BitLocker?
+
+We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
+
+## Why is the system check failing when I am encrypting my operating system drive?
+
+The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
+
+- The computer's BIOS or UEFI firmware cannot read USB flash drives.
+- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled.
+- There are multiple USB flash drives inserted into the computer.
+- The PIN was not entered correctly.
+- The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment.
+- The startup key was removed before the computer finished rebooting.
+- The TPM has malfunctioned and fails to unseal the keys.
+
+## What can I do if the recovery key on my USB flash drive cannot be read?
+
+Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
+
+## Why am I unable to save my recovery key to my USB flash drive?
+
+The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
+
+## Why am I unable to automatically unlock my drive?
+
+Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
+
+## Can I use BitLocker in Safe Mode?
+
+Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode.
+
+## How do I "lock" a data drive?
+
+Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command.
+
+> [!NOTE]
+> Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
+
+The syntax of this command is:
+
+manage-bde driveletter -lock
+
+Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.
+
+## Can I use BitLocker with the Volume Shadow Copy Service?
+
+Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained.
+
+## Does BitLocker support virtual hard disks (VHDs)?
+
+BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
+
+## Can I use BitLocker with virtual machines (VMs)?
+
+Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
+
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index 28b4ca2adc..9069e4634e 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -27,6 +27,9 @@ To avoid the automatic encryption of data, developers can enlighten apps by addi
We strongly suggest that the only unenlightened apps you add to your allowed apps list are Line-of-Business (LOB) apps.
+>[!IMPORTANT]
+>After revoking WIP, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted.
+
>[!Note]
>For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/en-us/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 862200bf00..51a816a4fa 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -24,7 +24,7 @@ The recovery process included in this topic only works for desktop devices. WIP
>[!IMPORTANT]
>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
-**To manually create an EFS DRA certificate**
+## Manually create an EFS DRA certificate
1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
@@ -46,7 +46,7 @@ The recovery process included in this topic only works for desktop devices. WIP
>[!Note]
>To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
-**To verify your data recovery certificate is correctly set up on a WIP client computer**
+## Verify your data recovery certificate is correctly set up on a WIP client computer
1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP.
@@ -60,7 +60,7 @@ The recovery process included in this topic only works for desktop devices. WIP
4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
-**To recover your data using the EFS DRA certificate in a test environment**
+## Recover your data using the EFS DRA certificate in a test environment
1. Copy your WIP-encrypted file to a location where you have admin access.
@@ -72,60 +72,38 @@ The recovery process included in this topic only works for desktop devices. WIP
Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx.
-**To quickly recover WIP-protected desktop data after unenrollment**
+## Recover WIP-protected after unenrollment
-It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps.
+It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once.
>[!IMPORTANT]
>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
-1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
-
- Robocopy “%localappdata%\Microsoft\EDP\Recovery” “new_location” /EFSRAW
+1. Have the employee sign in to the unenrolled device, open an elevated command prompt, and type:
+
+ Robocopy "%localappdata%\Microsoft\EDP\Recovery" "new_location" * /EFSRAW
- Where ”*new_location*" is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
+ Where "*new_location*" is in a different directory. This can be on the employee’s device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
+
+ To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
+
+ 
+
+ If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type:
+
+ Robocopy "drive_letter:\System Volume Information\EDP\Recovery\" "new_location" * /EFSRAW
2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing:
- cipher.exe /D "new_location"
+ cipher.exe /D "new_location"
3. Have your employee sign in to the unenrolled device, and type:
- Robocopy "new_location" “%localappdata%\Microsoft\EDP\Recovery\Input”
+ Robocopy "new_location" "%localappdata%\Microsoft\EDP\Recovery\Input"
4. Ask the employee to lock and unlock the device.
- The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input location.
-
-**To quickly recover WIP-protected desktop data in a cloud-based environment**
-
-If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences.
-
->[!IMPORTANT]
->To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
-
-1. Have your employee sign in to the device that has revoked data for you to restore, open the **Run** command (Windows logo key + R), and type one of the following commands:
-
- - If the keys are still stored within the employee's profile, type: Robocopy “%localappdata%\Microsoft\EDP\Recovery” “new_location” * /EFSRAW
-
- -or-
-
- - If the employee performed a clean installation over the operating system and you need to recover the keys from the System Volume folder, type: Robocopy “drive_letter:\System Volume Information\EDP\Recovery\” "new_location” * /EFSRAW>
-
- >[!Important]
- >The “*new_location*” must be in a different directory, either on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share, which can be accessed while you're logged in as a data recovery agent.
-
-2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate private key, and perform the file decryption and recovery by typing:
-
- cipher.exe /D “new_location”
-
-3. Have your employee sign in to the device again, open the **Run** command, and type:
-
- Robocopy “new_location” “%localappdata%\Microsoft\EDP\Recovery\Input”
-
-4. Ask the employee to lock and unlock the device.
-
- The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input location. All your company’s previously revoked files should be accessible to the employee again.
+ The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
## Auto-recovery of encryption keys
Starting with Windows 10, version 1709, WIP includes a data recovery feature that lets your employees auto-recover access to work files if the encryption key is lost and the files are no longer accessible. This typically happens if an employee reimages the operating system partition, removing the WIP key info, or if a device is reported as lost and you mistakenly target the wrong device for unenrollment.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 044e461c43..48b97409e8 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -509,6 +509,9 @@ To configure WIP to use Azure Rights Management, you must set the **AllowAzureRM
Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option.
+>[!IMPORTANT]
+>Curly braces -- {} -- are required around the RMS Template ID.
+
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
index e7ab3c4b24..68e5de567f 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -420,6 +420,9 @@ To configure WIP to use Azure Rights Management, you must set the **AllowAzureRM
Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option.
+>[!IMPORTANT]
+>Curly braces -- {} -- are required around the RMS Template ID.
+
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
index a874b50962..9014f9ca05 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
@@ -256,6 +256,7 @@ Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the
For this example, we’re going to add an AppLocker XML file to the **Allowed apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create a list of Allowed apps using the AppLocker tool**
+
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
@@ -555,6 +556,9 @@ To configure WIP to use Azure Rights Management, you must set the **AllowAzureRM
Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option.
+>[!IMPORTANT]
+>Curly braces -- {} -- are required around the RMS Template ID.
+
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png
new file mode 100644
index 0000000000..5ce10dd81f
Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png
new file mode 100644
index 0000000000..6bc8237f7f
Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png
new file mode 100644
index 0000000000..7d67692ff3
Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png b/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png
new file mode 100644
index 0000000000..cf48ea50fc
Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png b/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png
new file mode 100644
index 0000000000..cfeee8a45f
Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png b/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png
index 19fd27b480..141e7a1819 100644
Binary files a/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png and b/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png
new file mode 100644
index 0000000000..e0dc52bd86
Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png
new file mode 100644
index 0000000000..09539d6773
Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png
new file mode 100644
index 0000000000..2393cc7eca
Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png
new file mode 100644
index 0000000000..4f5a81b9a2
Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png differ
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 20431799cb..4227a5f80b 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-author: eross-msft
+author: coreyp-at-msft
ms.localizationpriority: medium
ms.date: 09/11/2017
---
@@ -120,7 +120,7 @@ WIP currently addresses these enterprise scenarios:
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
-### WIP-protection modes
+### WIP-protection modes
Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 64ba93e280..ab62ce51f4 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -23,6 +23,9 @@ We've come up with a list of suggested testing scenarios that you can use to tes
## Testing scenarios
You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization.
+>[!IMPORTANT]
+>If any of these scenarios does not work, first take note of whether WIP has been revoked. If it has, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted.
+