diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index de9dbd8e9d..f8f2090d66 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -45,6 +45,16 @@
"redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker#restart-or-recover-the-clicker",
"redirect_document_id": false
},
+{
+ "source_path": "devices/hololens/hololens-find-and-save-files.md",
+ "redirect_url": "https://docs.microsoft.com/hololens/holographic-data",
+ "redirect_document_id": false
+},
+{
+ "source_path": "devices/hololens/hololens-management-overview.md",
+ "redirect_url": "https://docs.microsoft.com/hololens",
+ "redirect_document_id": false
+},
{
"source_path": "devices/surface/manage-surface-pro-3-firmware-updates.md",
"redirect_url": "https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates",
@@ -956,6 +966,11 @@
"redirect_document_id": false
},
{
+"source_path": "windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview",
+"redirect_document_id": true
+},
+{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/overview-hunting.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview",
"redirect_document_id": false
@@ -966,6 +981,51 @@
"redirect_document_id": false
},
{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table",
+"redirect_document_id": true
+},
+{
"source_path": "windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection",
"redirect_document_id": true
@@ -1247,6 +1307,11 @@
"redirect_document_id": true
},
{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
+"redirect_document_id": false
+},
+{
"source_path": "windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules",
"redirect_document_id": true
@@ -1357,6 +1422,11 @@
"redirect_document_id": true
},
{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/experiment-custom-ti.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
+"redirect_document_id": false
+},
+{
"source_path": "windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection",
"redirect_document_id": true
@@ -1647,11 +1717,6 @@
"redirect_document_id": true
},
{
-"source_path": "windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview",
-"redirect_document_id": true
-},
-{
"source_path": "windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score",
"redirect_document_id": true
@@ -1692,6 +1757,11 @@
"redirect_document_id": true
},
{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
+"redirect_document_id": false
+},
+{
"source_path": "windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection",
"redirect_document_id": true
@@ -1762,6 +1832,11 @@
"redirect_document_id": true
},
{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/python-example-code.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
+"redirect_document_id": false
+},
+{
"source_path": "windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac",
"redirect_document_id": true
@@ -1894,7 +1969,7 @@
{
"source_path": "windows/keep-secure/troubleshoot-windows-defender-antivirus.md",
"redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
- "redirect_document_id": true
+"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md",
@@ -1927,6 +2002,11 @@
"redirect_document_id": true
},
{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
+"redirect_document_id": false
+},
+{
"source_path": "windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection",
"redirect_document_id": true
@@ -1977,6 +2057,11 @@
"redirect_document_id": true
},
{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
+"redirect_document_id": false
+},
+{
"source_path": "windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles",
"redirect_document_id": true
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000000..7fc05fbd5b
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,5 @@
+docfx.json @microsoftdocs/officedocs-admin
+.openpublishing.build.ps1 @microsoftdocs/officedocs-admin
+.openpublishing.publish.config.json @microsoftdocs/officedocs-admin
+CODEOWNERS @microsoftdocs/officedocs-admin
+.acrolinx-config.edn @microsoftdocs/officedocs-admin
diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index 45cd5c2570..640106062b 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -41,7 +41,8 @@
"depot_name": "Win.microsoft-edge",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "titleSuffix": "Edge"
},
"externalReference": [],
"template": "op.html",
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 1cec2c9694..50208546bb 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -37,7 +37,8 @@
"depot_name": "Win.internet-explorer",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "titleSuffix": "Internet Explorer"
},
"externalReference": [],
"template": "op.html",
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index ce3a2dd2a0..6dcad5821b 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -28,7 +28,7 @@
# Navigating Windows Holographic
## [Start menu and mixed reality home](holographic-home.md)
## [Use your voice with HoloLens](hololens-cortana.md)
-## [Find and save files](hololens-find-and-save-files.md)
+## [Find and save files](holographic-data.md)
## [Create, share, and view photos and video](holographic-photos-and-videos.md)
# User management and access management
@@ -53,15 +53,14 @@
## [Spatial mapping on HoloLens](hololens-spaces.md)
# Update, troubleshoot, or recover HoloLens
-## [Update, troubleshoot, or recover HoloLens](hololens-management-overview.md)
## [Update HoloLens](hololens-update-hololens.md)
## [Restart, reset, or recover](hololens-recovery.md)
## [Troubleshoot HoloLens](hololens-troubleshooting.md)
## [Known issues](hololens-known-issues.md)
## [Frequently asked questions](hololens-faq.md)
+## [Hololens services status](hololens-status.md)
# [Release Notes](hololens-release-notes.md)
-# [Hololens status](hololens-status.md)
# [Give us feedback](hololens-feedback.md)
# [Join the Windows Insider program](hololens-insider.md)
# [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
diff --git a/devices/hololens/holographic-data.md b/devices/hololens/holographic-data.md
new file mode 100644
index 0000000000..1f28c4fac9
--- /dev/null
+++ b/devices/hololens/holographic-data.md
@@ -0,0 +1,100 @@
+---
+title: Find and save files on HoloLens
+description: Use File Explorer on HoloLens to view and manage files on your device
+keywords: how-to, file picker, files, photos, videos, pictures, OneDrive, storage, file explorer
+ms.assetid: 77d2e357-f65f-43c8-b62f-6cd9bf37070a
+author: mattzmsft
+ms.author: mazeller
+manager: v-miegge
+ms.reviewer: jarrettrenshaw
+ms.date: 12/30/2019
+keywords: hololens
+ms.prod: hololens
+ms.sitesec: library
+ms.topic: article
+audience: ITPro
+ms.localizationpriority: medium
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Find, open, and save files on HoloLens
+
+Files you create on HoloLens, including photos and videos, are saved directly to your HoloLens device. View and manage them in the same way you would manage files on Windows 10:
+
+- Using the File Explorer app to access local folders.
+- Within an app's storage.
+- In a special folder (such as the video or music library).
+- Using a storage service that includes an app and file picker (such as OneDrive).
+- Using a desktop PC connected to your HoloLens by using a USB cable, using MTP (Media Transfer Protocol) support.
+
+## View files on HoloLens using File Explorer
+
+> Applies to all HoloLens 2 devices and HoloLens (1st gen) as of the [Windows 10 April 2018 Update (RS4) for HoloLens](https://docs.microsoft.com/windows/mixed-reality/release-notes-april-2018).
+
+Use File Explorer on HoloLens to view and manage files on your device, including 3D objects, documents, and pictures. Go to **Start** > **All apps** > **File Explorer** to get started.
+
+> [!TIP]
+> If there are no files listed in File Explorer, select **This Device** in the top left pane.
+
+If you don’t see any files in File Explorer, the "Recent" filter may be active (clock icon is highlighted in left pane). To fix this, select the **This Device** document icon in the left pane (beneath the clock icon), or open the menu and select **This Device**.
+
+## Find and view your photos and videos
+
+[Mixed reality capture](holographic-photos-and-videos.md) lets you take mixed reality photos and videos on HoloLens. These photos and videos are saved to the device's Camera Roll folder.
+
+You can access photos and videos taken with HoloLens by:
+
+- accessing the Camera Roll directly through the [Photos app](holographic-photos-and-videos.md).
+- uploading photos and videos to cloud storage by syncing your photos and videos to OneDrive.
+- using the Mixed Reality Capture page of the [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#mixed-reality-capture).
+
+### Photos app
+
+The Photos app is one of the default apps on the **Start** menu, and comes built-in with HoloLens. Learn more about [using the Photos app to view content](holographic-photos-and-videos.md).
+
+You can also install the [OneDrive app](https://www.microsoft.com/p/onedrive/9wzdncrfj1p3) from the Microsoft Store to sync photos to other devices.
+
+### OneDrive app
+
+[OneDrive](https://onedrive.live.com/) lets you access, manage, and share your photos and videos with any device and with any user. To access the photos and videos captured on HoloLens, download the [OneDrive app](https://www.microsoft.com/p/onedrive/9wzdncrfj1p3) from the Microsoft Store on your HoloLens. Once downloaded, open the OneDrive app and select **Settings** > **Camera upload**, and turn on **Camera upload**.
+
+### Connect to a PC
+
+If your HoloLens is running the [Windows 10 April 2018 update](https://docs.microsoft.com/windows/mixed-reality/release-notes-april-2018) or later, you can connect your HoloLens to a Windows 10 PC by using a USB cable to browse photos and videos on the device by using MTP (media transfer protocol). You'll need to make sure the device is unlocked to browse files if you have a PIN or password set up on your device.
+
+If you have enabled the [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal), you can use it to browse, retrieve, and manage the photos and videos stored on your device.
+
+## Access files within an app
+
+If an application saves files on your device, you can use that application to access them.
+
+### Requesting files from another app
+
+An application can request to save a file or open a file from another app by using [file pickers](https://docs.microsoft.com/windows/mixed-reality/app-model#file-pickers).
+
+### Known folders
+
+HoloLens supports a number of [known folders](https://docs.microsoft.com/windows/mixed-reality/app-model#known-folders) that apps can request permission to access.
+
+## View HoloLens files on your PC
+
+Similar to other mobile devices, connect HoloLens to your desktop PC using MTP (Media Transfer Protocol) and open File Explorer on the PC to access your HoloLens libraries for easy transfer.
+
+To see your HoloLens files in File Explorer on your PC:
+
+1. Sign in to HoloLens, then plug it into the PC using the USB cable that came with the HoloLens.
+
+1. Select **Open Device to view files with File Explorer**, or open File Explorer on the PC and navigate to the device.
+
+To see info about your HoloLens, right-click the device name in File Explorer on your PC, then select **Properties**.
+
+> [!NOTE]
+> HoloLens (1st gen) does not support connecting to external hard drives or SD cards.
+
+## Sync to the cloud
+
+To sync photos and other files from your HoloLens to the cloud, install and set up OneDrive on HoloLens. To get OneDrive, search for it in the Microsoft Store on your HoloLens.
+
+HoloLens doesn't back up app files and data, so it's a good idea to save your important stuff to OneDrive. That way, if you reset your device or uninstall an app, your info will be backed up.
diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md
index 203d5185f8..a183165e4a 100644
--- a/devices/hololens/hololens-FAQ.md
+++ b/devices/hololens/hololens-FAQ.md
@@ -137,7 +137,7 @@ Try walking around and looking at the area where you're placing the app so HoloL
Free up some storage space by doing one or more of the following:
-- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](hololens-find-and-save-files.md)
+- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](holographic-data.md)
- Delete some pictures and videos in the Photos app.
- Uninstall some apps from your HoloLens. In the All apps list, tap and hold the app you want to uninstall, then select **Uninstall**. (This will also delete any of the app's data stored on the device.)
diff --git a/devices/hololens/hololens-calibration.md b/devices/hololens/hololens-calibration.md
index 1296d0f4bd..cfc55d1070 100644
--- a/devices/hololens/hololens-calibration.md
+++ b/devices/hololens/hololens-calibration.md
@@ -32,6 +32,8 @@ HoloLens 2 prompts a user to calibrate the device under the following circumstan
- The user is using the device for the first time
- The user previously opted out of the calibration process
- The calibration process did not succeed the last time the user used the device
+- The user has deleted their calibration profiles
+- The visor is raised and the lowered and any of the above circumstances apply (this may be disabled in **Settings > System > Calibration**.)
@@ -97,7 +99,7 @@ You can also disable the calibration prompt by following these steps:
1. Turn off **When a new person uses this HoloLens, automatically ask to run eye calibration**.
> [!IMPORTANT]
-> Please understand that this setting may adversely affect hologram rendering quality and comfort.
+> This setting may adversely affect hologram rendering quality and comfort. When you turn off this setting, features that depend on eye tracking (such as text scrolling) no longer work in immersive applications.
### HoloLens 2 eye-tracking technology
diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md
index 0729485e7d..82ded27dd3 100644
--- a/devices/hololens/hololens-cortana.md
+++ b/devices/hololens/hololens-cortana.md
@@ -36,6 +36,9 @@ Get around HoloLens faster with these basic commands. In order to use these you
Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying “select.”
+>[!NOTE]
+>Hand rays are not supported on HoloLens (1st Gen).
+
| Say this | To do this |
| - | - |
| "Select" | Say "select" to bring up the gaze cursor. Then, turn your head to position the cursor on the thing you want to select, and say “select” again. |
@@ -56,7 +59,7 @@ To use these commands, gaze at a 3D object, hologram, or app window.
| "Face me" | Turn it to face you |
| "Move this" | Move it (follow your gaze) |
| "Close" | Close it |
-| "Follow" / "Stop following" | Make it follow you as you move around |
+| "Follow me" / "Stop following" | Make it follow you as you move around |
### See it, say it
@@ -64,7 +67,7 @@ Many buttons and other elements on HoloLens also respond to your voice—for exa
### Dictation mode
-Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone icon or say "Start dictating." To stop dictating, select **Done** or say "Stop dictating." To delete what you just dictated, say "Delete that."
+Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone button or say "Start dictating." To stop dictating, select the button again or say "Stop dictating." To delete what you just dictated, say "Delete that."
> [!NOTE]
> To use dictation mode, you have to have an internet connection.
diff --git a/devices/hololens/hololens-find-and-save-files.md b/devices/hololens/hololens-find-and-save-files.md
deleted file mode 100644
index 098b387e5b..0000000000
--- a/devices/hololens/hololens-find-and-save-files.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Find and save files on HoloLens
-description: Use File Explorer on HoloLens to view and manage files on your device
-ms.assetid: 77d2e357-f65f-43c8-b62f-6cd9bf37070a
-ms.reviewer: jarrettrenshaw
-ms.date: 07/01/2019
-manager: v-miegge
-keywords: hololens
-ms.prod: hololens
-ms.sitesec: library
-author: v-miegge
-ms.author: v-miegge
-ms.topic: article
-ms.localizationpriority: medium
-appliesto:
-- HoloLens (1st gen)
-- HoloLens 2
----
-
-# Find and save files on HoloLens
-
-Add content from [Find and save files](https://docs.microsoft.com/windows/mixed-reality/saving-and-finding-your-files)
-
-
-Files you create on HoloLens, including Office documents, photos, and videos, are saved to your HoloLens. To view and manage them, you can use the File Explorer app on HoloLens or File Explorer on your PC. To sync photos and other files to the cloud, use the OneDrive app on HoloLens.
-
-## View files on HoloLens
-
-Use File Explorer on HoloLens to view and manage files on your device, including 3D objects, documents, and pictures. Go to Start > All apps > File Explorer on HoloLens to get started.
-
->[!TIP]
->If there are no files listed in File Explorer, select **This Device** in the top left pane.
-
-## View HoloLens files on your PC
-
-To see your HoloLens files in File Explorer on your PC:
-
-1. Sign in to HoloLens, then plug it into the PC using the USB cable that came with the HoloLens.
-
-1. Select **Open Device to view files with File Explorer**, or open File Explorer on the PC and navigate to the device.
-
->[!TIP]
->To see info about your HoloLens, right-click the device name in File Explorer on your PC, then select **Properties**.
-
-## Sync to the cloud
-
-To sync photos and other files from your HoloLens to the cloud, install and set up OneDrive on HoloLens. To get OneDrive, search for it in the Microsoft Store on your HoloLens.
-
->[!TIP]
->HoloLens doesn't back up app files and data, so it's a good idea to save your important stuff to OneDrive. That way, if you reset your device or uninstall an app, your info will be backed up.
diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md
index 604048e203..1209499d18 100644
--- a/devices/hololens/hololens-insider.md
+++ b/devices/hololens/hololens-insider.md
@@ -3,11 +3,12 @@ title: Insider preview for Microsoft HoloLens (HoloLens)
description: It’s simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens.
ms.prod: hololens
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: scooley
+ms.author: scooley
ms.topic: article
ms.localizationpriority: medium
-ms.date: 10/23/2018
+audience: ITPro
+ms.date: 1/6/2020
ms.reviewer:
manager: dansimp
appliesto:
@@ -17,38 +18,37 @@ appliesto:
# Insider preview for Microsoft HoloLens
-Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens.
-
-## How do I install the Insider builds?
-
-On a device running the Windows 10 April 2018 Update, go to Settings -> Update & Security -> Windows Insider Program and select Get started. Link the account you used to register as a Windows Insider.
+Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens.
-Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms.
+## Start receiving Insider builds
-Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build.
+On a device running the Windows 10 April 2018 Update, go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider.
-## How do I stop receiving Insider builds?
+Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms.
-If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](https://docs.microsoft.com/windows/mixed-reality/reset-or-recover-your-hololens#perform-a-full-device-recovery) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic.
+Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build.
+
+## Stop receiving Insider builds
+
+If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic.
To verify that your HoloLens is running a production build:
+
- Go to **Settings > System > About**, and find the build number.
-- If the build number is 10.0.17763.1, your HoloLens is running a production build. [See the list of production build numbers.](https://www.microsoft.com/itpro/windows-10/release-information)
+- [See the release notes for production build numbers.](hololens-release-notes.md)
To opt out of Insider builds:
+
- On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**.
- Follow the instructions to opt out your device.
+## Provide feedback and report issues
+Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens or Windows 10 PC to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way.
+
+>[!NOTE]
+>Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted).
## Note for developers
You are welcome and encouraged to try developing your applications using Insider builds of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development.
-
-## Provide feedback and report issues
-
-Please use [the Feedback Hub app](https://docs.microsoft.com/windows/mixed-reality/give-us-feedback) on your HoloLens or Windows 10 PC to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way.
-
->[!NOTE]
->Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted).
-
diff --git a/devices/hololens/hololens-management-overview.md b/devices/hololens/hololens-management-overview.md
deleted file mode 100644
index 307b2f7f00..0000000000
--- a/devices/hololens/hololens-management-overview.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Update, troubleshoot, or recover HoloLens
-description:
-author: Teresa-Motiv
-ms.author: v-tea
-ms.date: 11/27/2019
-ms.prod: hololens
-ms.topic: article
-ms.custom: CSSTroubleshooting
-audience: ITPro
-keywords: issues, bug, troubleshoot, fix, help, support, HoloLens
-manager: jarrettr
-ms.localizationpriority: medium
-appliesto:
-- HoloLens (1st gen)
-- HoloLens 2
----
-
-# Update, troubleshoot, or recover HoloLens
-
-The articles in this section help you keep your HoloLens up-to-date and help you resolve any issues that you encounter.
-
-**In this section**
-
-| Article | Description |
-| --- | --- |
-| [Update HoloLens](hololens-update-hololens.md) | Describes how to identify the build number of your device, and how to update your device manually. |
-| [Manage updates on many HoloLens](hololens-updates.md) | Describes how to use policies to manage device updates. |
-| [Restart, reset, or recover](hololens-recovery.md) | Describes how to restart, reset, or recover a HoloLens device |
-| [Troubleshoot HoloLens](hololens-troubleshooting.md) | Describes solutions to common HoloLens problems. |
-| [Known issues](hololens-known-issues.md) | Describes known HoloLens issues. |
-| [Frequently asked questions](hololens-faq.md) | Provides answers to common questions about HoloLens.|
diff --git a/devices/hololens/hololens-multiple-users.md b/devices/hololens/hololens-multiple-users.md
index d9d6704c78..4bd8b317ef 100644
--- a/devices/hololens/hololens-multiple-users.md
+++ b/devices/hololens/hololens-multiple-users.md
@@ -37,7 +37,7 @@ To use HoloLens, each user follows these steps:
1. If another user has been using the device, do one of the following:
- Press the power button once to go to standby, and then press the power button again to return to the lock screen
- - Select the user tile on the upper right of the Pins panel to sign out the current user.
+ - HoloLens 2 users may select the user tile on the top of the Pins panel to sign out the current user.
1. Use your Azure AD account credentials to sign in to the device.
If this is the first time that you have used the device, you have to [calibrate](hololens-calibration.md) HoloLens to your own eyes.
diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md
index 0585bf89f7..b2e0d48bc7 100644
--- a/devices/hololens/hololens-recovery.md
+++ b/devices/hololens/hololens-recovery.md
@@ -106,6 +106,14 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper
5. On the **Device info** page, select **Install software** to install the default package. (If you have a Full Flash Update (FFU) image that you want to install instead, select **Manual package selection**.)
6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device.
+>[!TIP]
+>In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion:
+
+1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed.
+1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit. It will the the only lit LED.
+ 1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device:
+1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2.
+
### HoloLens (1st gen)
If necessary, you can install a completely new operating system on your HoloLens (1st gen) with the Windows Device Recovery Tool.
@@ -116,7 +124,7 @@ To use the tool, you’ll need a computer running Windows 10 or later, with at l
To recover your HoloLens
-1. Download and install the [Windows Device Recovery Tool](https://dev.azure.com/ContentIdea/ContentIdea/_queries/query/8a004dbe-73f8-4a32-94bc-368fc2f2a895/) on your computer.
+1. Download and install the [Windows Device Recovery Tool](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq) on your computer.
1. Connect the HoloLens (1st gen) to your computer using the Micro USB cable that came with your HoloLens.
1. Run the Windows Device Recovery Tool and follow the instructions.
diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md
index f977fa45ff..aaf200a4b0 100644
--- a/devices/hololens/hololens-release-notes.md
+++ b/devices/hololens/hololens-release-notes.md
@@ -22,6 +22,17 @@ appliesto:
> [!Note]
> HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
+### January Update - build 18362.1043
+
+- Stability improvements for exclusive apps when working with the HoloLens 2 emulator.
+
+### December Update - build 18362.1042
+
+- Introduces LSR (Last Stage Reproduction) fixes. Improves visual rendering of holograms to appear more stable and crisp by more accurately accounting for their depth. This will be more noticeable if apps do not set the depth of holograms correctly, after this update.
+- Fixes stability of exclusive apps and navigation between exclusive apps.
+- Resolves an issue where Mixed Reality Capture couldn't record video after device is left in standby state for multiple days.
+- Improves hologram stability.
+
### November Update - build 18362.1039
- Fixes for **"Select"** voice commands during initial set-up for en-CA and en-AU.
diff --git a/devices/hololens/hololens-troubleshooting.md b/devices/hololens/hololens-troubleshooting.md
index 75b91e51f9..7102984f4c 100644
--- a/devices/hololens/hololens-troubleshooting.md
+++ b/devices/hololens/hololens-troubleshooting.md
@@ -33,24 +33,26 @@ If your HoloLens becomes frozen or unresponsive:
If these steps don't work, you can try [recovering your device](hololens-recovery.md).
-## Holograms don't look good or are moving around
+## Holograms don't look good
-If your holograms are unstable, jumpy, or don’t look right, try one of these fixes:
+If your holograms are unstable, jumpy, or don’t look right, try:
-- Clean your device visor and make sure that nothing is obstructing the sensors.
-- Make sure that there’s enough light in your room.
-- Try walking around and looking at your surroundings so that HoloLens can scan them more completely.
-- Try running the Calibration app. It calibrates your HoloLens to work best for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**.
+- Cleaning your device visor and sensor bar on the front of your HoloLens.
+- Increasing the light in your room.
+- Walking around and looking at your surroundings so that HoloLens can scan them more completely.
+- Calibrating your HoloLens for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**.
-## HoloLens doesn’t respond to my gestures
+## HoloLens doesn’t respond to gestures
-To make sure that HoloLens can see your gestures, keep your hand in the gesture frame. The gesture frame extends a couple of feet on either side of you. When HoloLens can see your hand, the cursor changes from a dot to a ring. Learn more about [using gestures](hololens1-basic-usage.md#use-hololens-with-your-hands).
+To make sure that HoloLens can see your gestures. Keep your hand in the gesture frame - when HoloLens can see your hand, the cursor changes from a dot to a ring.
+
+Learn more about using gestures on [HoloLens (1st gen)](hololens1-basic-usage.md#use-hololens-with-your-hands) or [HoloLens 2](hololens2-basic-usage.md#the-hand-tracking-frame).
If your environment is too dark, HoloLens might not see your hand, so make sure that there’s enough light.
If your visor has fingerprints or smudges, use the microfiber cleaning cloth that came with the HoloLens to clean your visor gently.
-## HoloLens doesn’t respond to my voice commands.
+## HoloLens doesn’t respond to my voice commands
If Cortana isn’t responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).
@@ -64,10 +66,6 @@ If HoloLens can’t map or load your space, it enters Limited mode and you won
- To see if the correct space is active, or to manually load a space, go to **Settings** > **System** > **Spaces**.
- If the correct space is loaded and you’re still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space.
-## My HoloLens frequently enters Limited mode or shows a “Tracking lost” message
-
-If your device often shows a "Limited mode" or "Tracking lost" message, try the suggestions listed in [My Holograms don't look good or are moving around](#holograms-dont-look-good-or-are-moving-around).
-
## My HoloLens can’t tell what space I’m in
If your HoloLens can’t identify and load the space you’re in automatically, check the following factors:
@@ -90,3 +88,7 @@ You’ll need to free up some storage space by doing one or more of the followin
## My HoloLens can’t create a new space
The most likely problem is that you’re running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space.
+
+## The HoloLens emulators isn't working
+
+Information about the HoloLens emulator is located in our developer documentation. Read more about [troubleshooting the HoloLens emulator](https://docs.microsoft.com/windows/mixed-reality/using-the-hololens-emulator#troubleshooting).
diff --git a/devices/hololens/hololens2-basic-usage.md b/devices/hololens/hololens2-basic-usage.md
index 1a9ec375af..59426de18e 100644
--- a/devices/hololens/hololens2-basic-usage.md
+++ b/devices/hololens/hololens2-basic-usage.md
@@ -105,8 +105,8 @@ To **close** the Start menu, do the Start gesture when the Start menu is open.
> [!IMPORTANT]
> For the one-handed Start gesture to work:
>
-> 1. You must update to the November 2019 update (build 18363) or later.
-> 1. Your eyes must be calibrated on the device so that eye tracking functions correctly. If you do not see orbiting dots around the Start icon when you look at it, your eyes are not calibrated on the device.
+> 1. You must update to the November 2019 update (build 18363.1039) or later.
+> 1. Your eyes must be calibrated on the device so that eye tracking functions correctly. If you do not see orbiting dots around the Start icon when you look at it, your eyes are not [calibrated](https://docs.microsoft.com/hololens/hololens-calibration#calibrating-your-hololens-2) on the device.
You can also perform the Start gesture with only one hand. To do this, hold out your hand with your palm facing you and look at the **Start icon** on your inner wrist. **While keeping your eye on the icon**, pinch your thumb and index finger together.
diff --git a/devices/hololens/hololens2-fit-comfort-faq.md b/devices/hololens/hololens2-fit-comfort-faq.md
index 397d61bb67..e97e03f502 100644
--- a/devices/hololens/hololens2-fit-comfort-faq.md
+++ b/devices/hololens/hololens2-fit-comfort-faq.md
@@ -43,6 +43,15 @@ Try adjusting the position of your device visor so the holographic frame matches
- **If you need to look up to see holograms**. First, shift the back of the headband a bit higher on your head. Then use one hand to hold the headband in place and the other to gently rotate the visor so you have a good view of the holographic frame.
- **If you need to look down to see holograms**. First, shift the back of the headband a bit lower on your head. Then place your thumbs under the device arms and your index fingers on top of the headband, and gently squeeze with your thumbs to rotate the visor so you have a good view of the holographic frame.
+## Hologram image color or brightness does not look right
+
+For HoloLens 2, take the following steps to ensure the highest visual quality of holograms presented in displays:
+
+- **Increase brightness of the display.** Holograms look best when the display is at its brightest level.
+- **Bring visor closer to your eyes.** Swing the visor down to the closest position to your eyes.
+- **Shift visor down.** Try moving the brow pad on your forehead down, which will result in the visor moving down closer to your nose.
+- **Run eye calibration.** The display uses your IPD and eye gaze to optimize images on the display. If you don't run eye calibration, the image quality may be made worse.
+
## The device slides down when I'm using it, or I need to make the headband too tight to keep it secure
The overhead strap can help keep your HoloLens secure on your head, particularly if you're moving around a lot. The strap may also let you loosen the headband a bit. [Learn how to use it](hololens2-setup.md#adjust-fit).
diff --git a/devices/hololens/hololens2-language-support.md b/devices/hololens/hololens2-language-support.md
index 31e4077fbc..9c56ec9d8c 100644
--- a/devices/hololens/hololens2-language-support.md
+++ b/devices/hololens/hololens2-language-support.md
@@ -17,7 +17,7 @@ appliesto:
# Supported languages for HoloLens 2
-HoloLens 2 supports the following languages. This support includes voice commands and dictation features.
+HoloLens 2 supports the following languages, including voice commands and dictation features, keyboard layouts, and OCR recognition within apps.
- Chinese Simplified (China)
- English (Australia)
@@ -39,7 +39,35 @@ HoloLens 2 is also available in the following languages. However, this support d
## Changing language or keyboard
+The setup process configures your HoloLens for a region and language. You can change this configuration by using the **Time & language** section of **Settings**.
+
> [!NOTE]
> Your speech and dictation language depends on the Windows display language.
->
-To change the Windows display language, region, or keyboard settings, use the start gesture to open the **Start** menu, and then select **Settings** > **Time and Language** > **Language**.
+
+## To change the Windows display language
+
+1. Go to the **Start** menu, and then select **Settings** > **Time and language** > **Language**.
+2. Select **Windows display language**, and then select a language.
+
+If the supported language you’re looking for is not in the menu, follow these steps:
+
+1. Under **Preferred languages** select **Add a language**.
+2. Search for and add the language.
+3. Select the **Windows display language** menu again and choose the language you added.
+
+The Windows display language affects the following settings for Windows and for apps that support localization:
+
+- The user interface text language.
+- The speech language.
+- The default layout of the on-screen keyboard.
+
+## To change the keyboard layout
+
+To add or remove a keyboard layout, open the **Start** menu and then select **Settings** > **Time & language** > **Keyboard**.
+
+If your HoloLens has more than one keyboard layout, use the **Layout** key to switch between them. The **Layout** key is in the lower right corner of the on-screen keyboard.
+
+> [!NOTE]
+> The on-screen keyboard can use Input Method Editor (IME) to enter characters in languages such as Chinese. However, HoloLens does not support external Bluetooth keyboards that use IME.
+>
+> While you use IME with the on-screen keyboard, you can continue to use a Bluetooth keyboard to type in English. To switch between keyboards, press ~.
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index 6725da5e81..98835e4ce5 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -55,4 +55,4 @@ appliesto:
## Related resources
* [Documentation for Holographic app development](https://developer.microsoft.com/windows/mixed-reality/development)
-* [HoloLens release notes](https://developer.microsoft.com/windows/mixed-reality/release_notes)
+* [HoloLens release notes](https://docs.microsoft.com/hololens/hololens-release-notes)
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index c0de52de12..59d2d76a0d 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -7,6 +7,7 @@
### [Surface Hub 2S tech specs](surface-hub-2s-techspecs.md)
### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md)
### [Adjust Surface Hub 2S brightness, volume, and input](surface-hub-2s-onscreen-display.md)
+### [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d)
## Plan
### [Surface Hub 2S Site Readiness Guide](surface-hub-2s-site-readiness-guide.md)
@@ -58,6 +59,7 @@
### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md)
### [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md)
### [Technical information for 84” Microsoft Surface Hub](surface-hub-technical-84.md)
+### [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d)
## Plan
### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json
index d74914168f..8eba3c49b1 100644
--- a/devices/surface-hub/docfx.json
+++ b/devices/surface-hub/docfx.json
@@ -51,7 +51,8 @@
"jborsecnik",
"tiburd",
"garycentric"
- ]
+ ],
+ "titleSuffix": "Surface Hub"
},
"externalReference": [],
"template": "op.html",
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index e4fa9986f3..f60588a000 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -30,7 +30,6 @@ Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platfor
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index d3fdb628ab..7f3793ed3f 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -49,6 +49,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
```PowerShell
New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force)
```
+[!IMPORTANT] ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods.
3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy.
diff --git a/devices/surface-hub/surface-hub-2s-account.md b/devices/surface-hub/surface-hub-2s-account.md
index 3312d5f4ec..fb93b0e7d9 100644
--- a/devices/surface-hub/surface-hub-2s-account.md
+++ b/devices/surface-hub/surface-hub-2s-account.md
@@ -47,7 +47,7 @@ Create the account using the Microsoft 365 admin center or by using PowerShell.
- **Skype for Business:** For Skype for Business only (on-premises or online), you can enable the Skype for Business object by running **Enable-CsMeetingRoom** to enable features such as Meeting room prompt for audio and Lobby hold.
-- **Calendar:** Set **Calendar Auto processing** for this account.
+- **Microsoft Teams and Skype for Business Calendar:** Set [**Calendar Auto processing**](https://docs.microsoft.com/surface-hub/surface-hub-2s-account?source=docs#set-calendar-auto-processing) for this account.
## Create account using PowerShell
Instead of using the Microsoft Admin Center portal, you can create the account using PowerShell.
diff --git a/devices/surface-hub/surface-hub-2s-adoption-kit.md b/devices/surface-hub/surface-hub-2s-adoption-kit.md
index 78ec22ee3d..2cc29c519b 100644
--- a/devices/surface-hub/surface-hub-2s-adoption-kit.md
+++ b/devices/surface-hub/surface-hub-2s-adoption-kit.md
@@ -15,7 +15,7 @@ ms.localizationpriority: Medium
# Surface Hub 2S adoption and training guides
-Whether you are a small or large business, a Surface Hub adoption plan is critical in generating the right use cases and helping your users become comfortable with the device. Check out these downloadable guides designed to help you deliver training across your organization.
+Whether you're a small or large business, a Surface Hub adoption plan is critical in generating the right use cases and helping your users become comfortable with the device. Check out these downloadable guides designed to help you deliver training across your organization.
## On-demand training
diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md
index e71d37def0..be1df464ef 100644
--- a/devices/surface-hub/surface-hub-2s-manage-intune.md
+++ b/devices/surface-hub/surface-hub-2s-manage-intune.md
@@ -28,7 +28,7 @@ Surface Hub 2S allows IT administrators to manage settings and policies using a
### Auto registration — Azure Active Directory Affiliated
-When affiliating Surface Hub 2S with a tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. For more information, refer to [Intune enrollment methods for Windows devices](https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods).
+During the initial setup process, when affiliating a Surface Hub with an Azure AD tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. For more information, refer to [Intune enrollment methods for Windows devices](https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods). Azure AD affiliation and Intune auto enrollment is required for the Surface Hub to be a "compliant device" in Intune.
## Windows 10 Team Edition settings
@@ -69,6 +69,6 @@ You can set the Microsoft Teams app mode using Intune. Surface Hub 2S comes inst
To set modes, add the following settings to a custom Device Configuration Profile.
|**Name**|**Description**|**OMA-URI**|**Type**|**Value**|
-|:------ |:------------- |:--------- |:------ |:------- |
-|**Teams App ID**| App name | ./Vendor/MSFT/SurfaceHub/Properties/VtcAppPackageId | String | Microsoft.MicrosoftTeamsforSurfaceHub_8wekyb3d8bbwe!Teams |
-|**Teams App Mode**| Teams mode | ./Vendor/MSFT/SurfaceHub/Properties/SurfaceHubMeetingMode | Integer | 0 or 1 or 2 |
+|:--- |:--- |:--- |:--- |:--- |
+|**Teams App ID**|App name|./Vendor/MSFT/SurfaceHub/Properties/VtcAppPackageId|String| Microsoft.MicrosoftTeamsforSurfaceHub_8wekyb3d8bbwe!Teams|
+|**Teams App Mode**|Teams mode|./Vendor/MSFT/SurfaceHub/Properties/SurfaceHubMeetingMode|Integer| 0 or 1 or 2|
diff --git a/devices/surface-hub/surface-hub-2s-prepare-environment.md b/devices/surface-hub/surface-hub-2s-prepare-environment.md
index fba71d0e0e..5f10258934 100644
--- a/devices/surface-hub/surface-hub-2s-prepare-environment.md
+++ b/devices/surface-hub/surface-hub-2s-prepare-environment.md
@@ -17,34 +17,34 @@ ms.localizationpriority: Medium
## Office 365 readiness
-You may use Exchange and Skype for Business on-premises with Surface Hub 2S. However, if you use Exchange Online, Skype for Business Online, Microsoft Teams or Microsoft Whiteboard, and intend to manage Surface Hub 2S with Intune, first review the [Office 365 requirements for endpoints](https://docs.microsoft.com/office365/enterprise/office-365-endpoints).
+If you use Exchange Online, Skype for Business Online, Microsoft Teams, or Microsoft Whiteboard, and intend to manage Surface Hub 2S with Intune, first review the [Office 365 requirements for endpoints](https://docs.microsoft.com/office365/enterprise/office-365-endpoints).
-Office 365 endpoints help optimize your network by sending all trusted Office 365 network requests directly through your firewall, bypassing all additional packet level inspection or processing. This feature reduces latency and your perimeter capacity requirements.
+Office 365 endpoints help optimize your network by sending all trusted Office 365 network requests directly through your firewall, bypassing all additional packet-level inspection or processing. This feature reduces latency and your perimeter capacity requirements.
-Microsoft regularly updates the Office 365 service with new features and functionality, which may alter required ports, URLs, and IP addresses. To evaluate, configure, and stay up-to-date with changes, subscribe to the [Office 365 IP Address and URL Web service](https://docs.microsoft.com/office365/enterprise/office-365-ip-web-service).
+Microsoft regularly updates the Office 365 service with new features and functionality, which may alter required ports, URLs, and IP addresses. To evaluate, configure, and stay up to date with changes, subscribe to the [Office 365 IP Address and URL Web service](https://docs.microsoft.com/office365/enterprise/office-365-ip-web-service).
## Device affiliation
Use Device affiliation to manage user access to the Settings app on Surface Hub 2S.
-With the Windows 10 Team Edition operating system — that runs on Surface Hub 2S — only authorized users can adjust settings via the Settings app. Since choosing the affiliation can impact feature availability, plan appropriately to ensure that users can access features as intended.
+With the Windows 10 Team Edition operating system (that runs on Surface Hub 2S), only authorized users can adjust settings using the Settings app. Since choosing the affiliation can impact feature availability, plan appropriately to ensure that users can access features as intended.
> [!NOTE]
> You can only set Device affiliation during the initial out-of-box experience (OOBE) setup. If you need to reset Device affiliation, you’ll have to repeat OOBE setup.
## No affiliation
-No affiliation is like having Surface Hub 2S in a workgroup with a different local Administrator account on each Surface Hub 2S. If you choose No affiliation, you must locally save the [Bitlocker Key to a USB thumb drive](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-key-management-faq). You can still enroll the device with Intune, however only the local admin can access the Settings app using the account credentials configured during OOBE. You can change the Administrator account password from the Settings app.
+No affiliation is like having Surface Hub 2S in a workgroup with a different local Administrator account on each Surface Hub 2S. If you choose No affiliation, you must locally save the [BitLocker Key to a USB thumb drive](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-key-management-faq). You can still enroll the device with Intune; however, only the local admin can access the Settings app using the account credentials configured during OOBE. You can change the Administrator account password from the Settings app.
## Active Directory Domain Services
-If you affiliate Surface Hub 2S with on-premises Active Directory Domain Services, you need to manage access to the Settings app via a security group on your domain, ensuring that all security group members have permissions to change settings on Surface Hub 2S. Note also the following:
+If you affiliate Surface Hub 2S with on-premises Active Directory Domain Services, you need to manage access to the Settings app using a security group on your domain. This helps ensure that all security group members have permissions to change settings on Surface Hub 2S. Also note the following:
-- When Surface Hub 2S affiliates with your on-premises Active Directory Domain Services, the Bitlocker key can be saved in the AD Schema. For more information, see [Prepare your organization for BitLocker: Planning and policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies).
+- When Surface Hub 2S affiliates with your on-premises Active Directory Domain Services, the BitLocker key can be saved in the Active Directory Schema. For more information, see [Prepare your organization for BitLocker: Planning and policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies).
- Your organization’s Trusted Root CAs are pushed to the same container in Surface Hub 2S, which means you don’t need to import them using a provisioning package.
- You can still enroll the device with Intune to centrally manage settings on your Surface Hub 2S.
## Azure Active Directory
-When choosing to affiliate your Surface Hub 2S with Azure AD, any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S.
+When you choose to affiliate your Surface Hub 2S with Azure Active Directory (Azure AD), any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S.
-If you enabled Intune Automatic Enrollment for your organization, Surface Hub 2S will automatically enroll itself with Intune. The device’s Bitlocker key is automatically saved in Azure AD. When affiliating Surface Hub 2S with Azure AD, single sign-on and Easy Authentication will not work.
+If you enabled Intune Automatic Enrollment for your organization, Surface Hub 2S will automatically enroll itself with Intune. The device’s BitLocker key is automatically saved in Azure AD. When affiliating Surface Hub 2S with Azure AD, single sign-on and Easy Authentication will not work.
diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md
index 5c28202363..af763b9e26 100644
--- a/devices/surface-hub/surface-hub-2s-recover-reset.md
+++ b/devices/surface-hub/surface-hub-2s-recover-reset.md
@@ -15,46 +15,55 @@ ms.localizationpriority: Medium
# Reset and recovery for Surface Hub 2S
-If you encounter problems with Surface Hub 2S, you can reset the device to factory settings or recover using a USB drive.
+If you encounter problems with Surface Hub 2S, you can reset the device to factory settings or restore by using a USB drive.
-To begin, sign into Surface Hub 2S with admin credentials, open the **Settings** app, select **Update & security**, and then select **Recovery**.
+To begin, sign in to Surface Hub 2S with admin credentials, open the **Settings** app, select **Update & security**, and then select **Recovery**.
-## Reset device
+## Reset the device
-1. To reset, select **Get Started**.
-2. When the **Ready to reset this device** window appears, select **Reset**. Surface Hub 2S reinstalls the operating system from the recovery partition and may take up to one hour to complete.
-3. Run **the first time Setup program** to reconfigure the device.
-4. If you manage the device using Intune or other mobile device manager (MDM) solution, retire and delete the previous record and re-enroll the new device. For more information, see [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe).
+1. To reset the device, select **Get Started**.
+2. When the **Ready to reset this device** window appears, select **Reset**.
+ >[!NOTE]
+ >Surface Hub 2S reinstalls the operating system from the recovery partition. This may take up to one hour to complete.
+3. To reconfigure the device, run the first-time Setup program.
+4. If you manage the device using Microsoft Intune or another mobile device management solution, retire and delete the previous record, and then re-enroll the new device. For more information, see [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe).
-*Figure 1. Reset and recovery for Surface Hub 2S.*
+*Figure 1. Reset and recovery for Surface Hub 2S*
-## Recover Surface Hub 2S using USB recovery drive
+## Recover Surface Hub 2S by using a USB recovery drive
-New in Surface Hub 2S, you can now reinstall the device using a recovery image.
+New in Surface Hub 2S, you can now reinstall the device by using a recovery image.
-### Recover from USB drive
+### Recovery from a USB drive
-Surface Hub 2S lets you reinstall the device using a recovery image, which allows you to reinstall the device to factory settings if you lost the Bitlocker key or no longer have admin credentials to the Settings app.
+Using Surface Hub 2S, you can reinstall the device by using a recovery image. By doing this, you can reinstall the device to the factory settings if you lost the BitLocker key, or if you no longer have admin credentials to the Settings app.
-1. Begin with a USB 3.0 drive with 8 GB or 16 GB of storage, formatted as FAT32.
-2. From a separate PC, download the .zip file recovery image from the [Surface Recovery website](https://support.microsoft.com/surfacerecoveryimage?devicetype=surfacehub2s) and then return to these instructions.
-3. Unzip the downloaded file onto the root of the USB drive.
-4. Connect the USB drive to any USB-C or USB-A port on Surface Hub 2S.
-5. Turn off the device. While holding down the Volume down button, press the Power button. Keep holding both buttons until you see the Windows logo. Release the Power button but continue to hold the Volume until the Install UI begins.
+>[!NOTE]
+>Use a USB 3.0 drive with 8 GB or 16 GB of storage, formatted as FAT32.
-
+1. From a separate PC, download the .zip file recovery image from the [Surface Recovery website](https://support.microsoft.com/surfacerecoveryimage?devicetype=surfacehub2s) and then return to these instructions.
+1. Unzip the downloaded file onto the root of the USB drive.
+1. Connect the USB drive to any USB-C or USB-A port on Surface Hub 2S.
+1. Turn off the device:
+ 1. While holding down the Volume down button, press the Power button.
+ 1. Keep holding both buttons until you see the Windows logo.
+ 1. Release the Power button but continue to hold the Volume until the Install UI begins.
-6. In the language selection screen, select the display language for your Surface Hub 2S.
-7. Choose **Recover from a drive** and **Fully clean the drive** and then select **Recover**. If prompted for a BitLocker key, select **Skip this drive**. Surface Hub 2S reboots several times and takes approximately 30 minutes to complete the recovery process.
-Remove the USB drive when the first time setup screen appears.
+ 
+ **Figure 2. Volume and Power buttons**
+
+1. On the language selection screen, select the display language for your Surface Hub 2S.
+1. Select **Recover from a drive** and **Fully clean the drive**, and then select **Recover**. If you're prompted for a BitLocker key, select **Skip this drive**. Surface Hub 2S reboots several times and takes approximately 30 minutes to complete the recovery process.
+
+When the first-time setup screen appears,remove the USB drive.
## Recover a locked Surface Hub
-On rare occasions, Surface Hub 2S may encounter an error during cleanup of user and app data at the end of a session. If this occurs, the device will automatically reboot and resume data cleanup. But if this operation fails repeatedly, the device will be automatically locked to protect user data.
+At the end of a session, Surface Hub 2S may occasionally encounter an error during the cleanup of user and app data at the end of a session. If this occurs, the device automatically reboots and resumes the data cleanup. However, if this operation repeatedly fails, the device automatically locks to protect user data.
-**To unlock Surface Hub 2S:**
-Reset or recover the device from Windows Recovery Environment (Windows RE). For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx)
+**To unlock a Surface Hub 2S:**
+- Reset or recover the device from the Windows Recovery Environment. For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx)
> [!NOTE]
-> To enter recovery mode, you need to physically unplug and replug the power cord three times.
+> To enter recovery mode, unplug the power cord and plug it in again three times.
diff --git a/devices/surface-hub/surface-hub-site-readiness-guide.md b/devices/surface-hub/surface-hub-site-readiness-guide.md
index b3f42b32cf..d12281f55b 100644
--- a/devices/surface-hub/surface-hub-site-readiness-guide.md
+++ b/devices/surface-hub/surface-hub-site-readiness-guide.md
@@ -1,12 +1,12 @@
---
title: Surface Hub Site Readiness Guide
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Use this Site Readiness Guide to help plan your Surface Hub installation.
ms.prod: surface-hub
ms.sitesec: library
-author: dansimp
-ms.author: dansimp
+author: greg-lindsay
+ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
---
@@ -28,7 +28,7 @@ The room needs to be large enough to provide good viewing angles, but small enou
- The screen is not in direct sunlight, which could affect viewing or damage the screen.
- Ventilation openings are not blocked.
- Microphones are not affected by noise sources, such as fans or vents.
-You can find more details in the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections. For cleaning, care, and safety information, see the mounting guides and user guide at http://www.microsoft.com/surface/support/surface-hub.
+You can find more details in the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections. For cleaning, care, and safety information, see the mounting guides and user guide at https://www.microsoft.com/surface/support/surface-hub.
### Hardware considerations
@@ -47,7 +47,7 @@ For details about cable ports, see the [55” Microsoft Surface Hub technical in
Microsoft Surface Hub has an internal PC and does not require an external computer system.
-For power recommendations, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). For power cable safety warnings, see the mounting guides at http://www.microsoft.com/surface/support/surface-hub.
+For power recommendations, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). For power cable safety warnings, see the mounting guides at https://www.microsoft.com/surface/support/surface-hub.
### Data and other connections
@@ -77,7 +77,7 @@ Before you move Surface Hub, make sure that all the doorways, thresholds, hallwa
### Unpacking Surface Hub
-For unpacking information, refer to the unpacking guide included in the shipping container. You can open the unpacking instructions before you open the shipping container. These instructions can also be found here: http://www.microsoft.com/surface/support/surface-hub
+For unpacking information, refer to the unpacking guide included in the shipping container. You can open the unpacking instructions before you open the shipping container. These instructions can also be found here: https://www.microsoft.com/surface/support/surface-hub
>[!IMPORTANT]
>Retain and store all Surface Hub shipping materials—including the pallet, container, and screws—in case you need to ship Surface Hub to a new location or send it
@@ -85,17 +85,17 @@ for repairs. For the 84” Surface Hub, retain the lifting handles.
### Lifting Surface Hub
-The 55” Surface Hub requires two people to safely lift and mount. The 84” Surface Hub requires four people to safely lift and mount. Those assisting must be able to lift 70 pounds to waist height. Review the unpacking and mounting guide for details on lifting Surface Hub. You can find it at http://www.microsoft.com/surface/support/surface-hub.
+The 55” Surface Hub requires two people to safely lift and mount. The 84” Surface Hub requires four people to safely lift and mount. Those assisting must be able to lift 70 pounds to waist height. Review the unpacking and mounting guide for details on lifting Surface Hub. You can find it at https://www.microsoft.com/surface/support/surface-hub.
## Mounting and setup
-See your mounting guide at http://www.microsoft.com/surface/support/surface-hub for detailed instructions.
+See your mounting guide at https://www.microsoft.com/surface/support/surface-hub for detailed instructions.
There are three ways to mount your Surface Hub:
- **Wall mount**: Lets you permanently hang Surface Hub on a conference space wall.
- **Floor support mount**: Supports Surface Hub on the floor while it is permanently anchored to a conference space wall.
-- **Rolling stand**: Supports Surface Hub and lets you move it to other conference locations. For links to guides that provide details about each mounting method, including building requirements, see http://www.microsoft.com/surface/support/surface-hub.
+- **Rolling stand**: Supports Surface Hub and lets you move it to other conference locations. For links to guides that provide details about each mounting method, including building requirements, see https://www.microsoft.com/surface/support/surface-hub.
For specifications on available mounts for the original Surface Hub, see the following:
@@ -129,13 +129,10 @@ For example, to provide audio, video, and touchback capability to all three vide
When you create your wired connect cable bundles, check the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections for specific technical and physical details and port locations for each type of Surface Hub. Make the cables long enough to reach from Surface Hub to where the presenter will sit or stand.
-For details on Touchback and Inkback, see the user guide at http://www.microsoft.com/surface/support/surface-hub.
+For details on Touchback and Inkback, see the user guide at https://www.microsoft.com/surface/support/surface-hub.
## See also
-[Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov)
-
-
-
+[Watch the video (opens in a pop-up media player)](https://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov)
diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md
index b46f7b2edd..468e0d3329 100644
--- a/devices/surface-hub/surface-hub-start-menu.md
+++ b/devices/surface-hub/surface-hub-start-menu.md
@@ -182,7 +182,3 @@ This example shows a link to a website and a link to a .pdf file. The secondary
>[!NOTE]
>The default value for `ForegroundText` is light; you don't need to include `ForegroundText` in your XML unless you're changing the value to dark.
-
-## More information
-
-- [Blog post: Changing Surface Hub’s Start Menu](https://blogs.technet.microsoft.com/y0av/2018/02/13/47/)
diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md
index bc07173a20..943400d44c 100644
--- a/devices/surface-hub/surface-hub-update-history.md
+++ b/devices/surface-hub/surface-hub-update-history.md
@@ -442,7 +442,7 @@ This update brings the Windows 10 Team Anniversary Update to Surface Hub and inc
* General
* Enabled Audio Device Selection (for Surface Hubs attached using external audio devices)
* Enabled support for HDCP on DisplayPort output connector
- * System UI changes to settings for usability optimization (refer to [User and Admin Guides](http://www.microsoft.com/surface/support/surface-hub) for additional details)
+ * System UI changes to settings for usability optimization (refer to [User and Admin Guides](https://www.microsoft.com/surface/support/surface-hub) for additional details)
* Bug fixes and performance optimizations to speed up the Azure Active Directory sign-in flow
* Significantly improved time needed to reset and restore Surface Hub
* Windows Defender UI has been added within settings
@@ -520,9 +520,9 @@ This update to the Surface Hub includes quality improvements and security fixes.
## Related topics
-* [Windows 10 feature road map](http://go.microsoft.com/fwlink/p/?LinkId=785967)
-* [Windows 10 release information](http://go.microsoft.com/fwlink/p/?LinkId=724328)
-* [Windows 10 November update: FAQ](http://windows.microsoft.com/windows-10/windows-update-faq)
-* [Microsoft Surface update history](http://go.microsoft.com/fwlink/p/?LinkId=724327)
-* [Microsoft Lumia update history](http://go.microsoft.com/fwlink/p/?LinkId=785968)
-* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447)
+* [Windows 10 feature roadmap](https://go.microsoft.com/fwlink/p/?LinkId=785967)
+* [Windows 10 release information](https://go.microsoft.com/fwlink/p/?LinkId=724328)
+* [Windows 10 November update: FAQ](https://windows.microsoft.com/windows-10/windows-update-faq)
+* [Microsoft Surface update history](https://go.microsoft.com/fwlink/p/?LinkId=724327)
+* [Microsoft Lumia update history](https://go.microsoft.com/fwlink/p/?LinkId=785968)
+* [Get Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=616447)
diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md
index bd0195adcd..8d94858bfa 100644
--- a/devices/surface-hub/surface-hub-wifi-direct.md
+++ b/devices/surface-hub/surface-hub-wifi-direct.md
@@ -1,6 +1,6 @@
---
title: How Surface Hub addresses Wi-Fi Direct security issues
-description: This topic provides guidance on Wi-Fi Direct security risks.
+description: Guidance about Wi-Fi Direct security risks.
keywords: change history
ms.prod: surface-hub
ms.sitesec: library
@@ -15,101 +15,103 @@ ms.localizationpriority: medium
# How Surface Hub addresses Wi-Fi Direct security issues
-Microsoft Surface Hub is an all-in-one productivity device that enables teams to better brainstorm, collaborate, and share ideas. Surface Hub relies on Miracast for wireless projection by using Wi-Fi Direct.
+Microsoft Surface Hub is an all-in-one productivity device that enables teams to better brainstorm, collaborate, and share ideas. Surface Hub relies on Miracast for wireless projection through Wi-Fi Direct.
-This topic provides guidance on Wi-Fi Direct security vulnerabilities, how Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. This hardening information will help customers with high security requirements understand how best to protect their Surface Hub connected networks and data in transit.
+This article describes Wi-Fi Direct security vulnerabilities, how Surface Hub addresses those risks, and how administrators can configure Surface Hub for the highest level of security. This information will help customers who have high security requirements protect their Surface Hub-connected networks and data in transit.
-The intended audiences for this topic include IT and network administrators interested in deploying Microsoft Surface Hub in their corporate environment with optimal security settings.
+The intended audiences for this article are IT and network administrators who want to deploy Surface Hub in their corporate environment with optimal security settings.
## Overview
-Microsoft Surface Hub's security depends extensively on Wi-Fi Direct / Miracast and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Since the device only supports WPS (as opposed to WPA2 Pre-Shared Key (PSK) or WPA2 Enterprise), issues traditionally associated with 802.11 encryption are simplified by design.
+Security for Surface Hub depends extensively on Wi-Fi Direct/Miracast and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Because the device only supports WPS (as opposed to WPA2 Pre-Shared Key [PSK] or WPA2 Enterprise), the issues often associated with 802.11 encryption are simplified.
-It is important to note Surface Hub operates on par with the field of Miracast receivers, meaning that it is protected from, and vulnerable to, a similar set of exploits as all WPS-based wireless network devices. But Surface Hub’s implementation of WPS has extra precautions built in, and its internal architecture helps prevent an attacker – even after compromising the Wi-Fi Direct / Miracast layer – to move past the network interface onto other attack surfaces and connected enterprise networks.
+Surface Hub operates on par with the field of Miracast receivers. So, it's vulnerable to a similar set of exploits as all WPS-based wireless network devices. But the Surface Hub implementation of WPS has extra precautions built in. Also, its internal architecture helps prevent an attacker who has compromised the Wi-Fi Direct/Miracast layer from moving past the network interface onto other attack surfaces and connected enterprise networks.
## Wi-Fi Direct background
-Miracast is part of the Wi-Fi Display standard, which itself is supported by the Wi-Fi Direct protocol. These standards are supported in modern mobile devices for screen sharing and collaboration.
+Miracast is part of the Wi-Fi Display standard, which is supported by the Wi-Fi Direct protocol. These standards are supported in modern mobile devices for screen sharing and collaboration.
-Wi-Fi Direct or Wi-Fi "Peer to Peer" (P2P) is a standard released by the Wi-Fi Alliance for "Ad-Hoc" networks. This allows supported devices to communicate directly and create groups of networks without requiring a traditional Wi-Fi Access Point or an Internet connection.
+Wi-Fi Direct or Wi-Fi "peer to peer" (P2P) is a standard from the Wi-Fi Alliance for "Ad-Hoc" networks. Supported devices can communicate directly and create groups of networks without a conventional Wi-Fi access point or Internet connection.
-Security for Wi-Fi Direct is provided by WPA2 using the WPS standard. Authentication mechanism for devices can be a numerical pin (WPS-PIN), a physical or virtual Push Button (WPS-PBC), or an out-of-band message such as Near Field Communication (WPS-OOO). The Microsoft Surface Hub supports both Push Button (which is the default) and PIN methods.
+Security for Wi-Fi Direct is provided by WPA2 under the WPS standard. The authentication mechanism for devices can be a numerical pin (WPS-PIN), a physical or virtual push button (WPS-PBC), or an out-of-band message such as near field communication (WPS-OOO). Surface Hub supports both the PIN method and the push-button method, which is the default.
-In Wi-Fi Direct, groups are created as either "persistent," allowing for automatic reconnection using stored key material, or "temporary," where devices cannot re-authenticate without user intervention or action. Wi-Fi Direct groups will typically determine a Group Owner (GO) through a negotiation protocol, which mimics the "station" or "Access Point" functionality for the established Wi-Fi Direct Group. This Wi-Fi Direct GO provides authentication (via an “Internal Registrar”), and facilitate upstream network connections. For Surface Hub, this GO negotiation does not take place, as the network only operates in "autonomous" mode, where Surface Hub is always the Group Owner. Finally, Surface Hub does not and will not join other Wi-Fi Direct networks itself as a client.
+In Wi-Fi Direct, groups are created as one of the following types:
+- *Persistent*, in which automatic reconnection can occur by using stored key material
+- *Temporary*, in which devices can't re-authenticate without user action
+Wi-Fi Direct groups determine a *group owner* (GO) through a negotiation protocol, which mimics the "station" or "access point" functionality for the established Wi-Fi Direct group. The Wi-Fi Direct GO provides authentication (via an "internal registrar") and facilitates upstream network connections. For Surface Hub, this GO negotiation doesn't occur. The network only operates in "autonomous" mode, and Surface Hub is always the group owner. Finally, Surface Hub itself doesn't join other Wi-Fi Direct networks as a client.
-## Wi-Fi Direct vulnerabilities and how Surface Hub addresses them
+## How Surface Hub addresses Wi-Fi Direct vulnerabilities
-**Vulnerabilities and attacks in the Wi-Fi Direct invitation, broadcast, and discovery process**: Wi-Fi Direct / Miracast attacks may target weaknesses in the group establishment, peer discovery, device broadcast, or invitation processes.
+**Vulnerabilities and attacks in the Wi-Fi Direct invitation, broadcast, and discovery process:** Wi-Fi Direct/Miracast attacks may target weaknesses in the group establishment, peer discovery, device broadcast, or invitation processes.
-|Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
+|Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- |
-| The discovery process may remain active for an extended period of time, which could allow Invitations and connections to be established without the intent of the device owner. | Surface Hub only operates as the Group Owner (GO), which does not perform the client Discovery or GO negotiation process. Broadcast can be turned off by fully disabling wireless projection. |
-| Invitation and discovery using PBC allows an unauthenticated attacker to perform repeated connection attempts or unauthenticated connections are automatically accepted. | By requiring WPS PIN security, Administrators can reduce the potential for such unauthorized connections or "Invitation bombs" (where invitations are repeatedly sent until a user mistakenly accepts one). |
+| The discovery process may remain active for an extended period of time, which could allow invitations and connections to be established without the approval of the device owner. | Surface Hub only operates as the group owner, which doesn't perform the client discovery or GO negotiation processes. You can fully disable wireless projection to turn off broadcast. |
+| Invitation and discovery through PBC allows an unauthenticated attacker to perform repeated connection attempts, or unauthenticated connections are automatically accepted. | By requiring WPS PIN security, administrators can reduce the potential for such unauthorized connections or "invitation bombs," in which invitations are repeatedly sent until a user mistakenly accepts one. |
-**Wi-Fi Protected Setup (WPS) Push Button Connect (PBC) vs PIN Entry**: Public weaknesses have been demonstrated in WPS-PIN method design and implementation, other vulnerabilities exist within WPS-PBC involving active attacks against a protocol designed for one time use.
+**Wi-Fi Protected Setup (WPS) push button connect (PBC) vs PIN entry:** Public weaknesses have been demonstrated in WPS-PIN method design and implementation. WPS-PBC has other vulnerabilities that could allow active attacks against a protocol that's designed for one-time use.
-| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
+| Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- |
-| WPS-PBC is vulnerable to active attackers. As stated within the WPS specification: "The PBC method has zero bits of entropy and only protects against passive eavesdropping attacks. PBC protects against eavesdropping attacks and takes measures to prevent a device from joining a network that was not selected by the device owner. The absence of authentication, however, means that PBC does not protect against active attack". Attackers can use selective wireless jamming or other potential denial-of-service vulnerabilities in order to trigger an unintended Wi-Fi Direct GO or connection. Additionally, an active attacker, with only physical proximity, can repeatedly teardown any Wi-Fi Direct group and attempt the described attack until it is successful. |Enable WPS-PIN security within Surface Hub’s configuration. As discussed within the Wi-Fi WPS specification: "The PBC method should only be used if no PIN-capable Registrar is available and the WLAN user is willing to accept the risks associated with PBC". |
-| WPS-PIN implementations can be brute-forced using a Vulnerability within the WPS standard. Due to the design of split PIN verification, a number of implementation vulnerabilities occurred in the past several years across a wide range of Wi-Fi hardware manufacturers. In 2011 two researchers (Stefan Viehböck and Craig Heffner) released information on this vulnerability and tools such as "Reaver" as a proof of concept. | The Microsoft implementation of WPS within Surface Hub changes the pin every 30 seconds. In order to crack the pin, an attacker must work through the entire exploit in less than 30 seconds. Given the current state of tools and research in this area, a brute-force pin-cracking attack through WPS is unlikely. |
-| WPS-PIN can be cracked using an offline attack due to weak initial key (E-S1,E S2) entropy. In 2014, Dominique Bongard discussed a "Pixie Dust" attack where poor initial randomness for the pseudo random number generator (PRNG) within the wireless device lead to the ability to perform an offline brute-force attack. | The Microsoft implementation of WPS within Surface Hub is not susceptible to this offline PIN brute-force attack. The WPS-PIN is randomized for each connection. |
+| WPS-PBC is vulnerable to active attackers. The WPS specification states: "The PBC method has zero bits of entropy and only protects against passive eavesdropping attacks. PBC protects against eavesdropping attacks and takes measures to prevent a device from joining a network that was not selected by the device owner. The absence of authentication, however, means that PBC does not protect against active attack." Attackers can use selective wireless jamming or other denial-of-service techniques to trigger an unintended Wi-Fi Direct GO or connection. Also, an active attacker who merely has physical proximity can repeatedly tear down any Wi-Fi Direct group and attempt the attack until it succeeds. | Enable WPS-PIN security in Surface Hub configuration. The Wi-Fi WPS specification states: "The PBC method should only be used if no PIN-capable registrar is available and the WLAN user is willing to accept the risks associated with PBC." |
+| WPS-PIN implementations can be subject to brute-force attacks that target a vulnerability in the WPS standard. The design of split PIN verification led to multiple implementation vulnerabilities over the past several years across a range of Wi-Fi hardware manufacturers. In 2011, researchers Stefan Viehböck and Craig Heffner released information about this vulnerability and tools such as "Reaver" as a proof of concept. | The Microsoft implementation of WPS in Surface Hub changes the PIN every 30 seconds. To crack the PIN, an attacker must complete the entire exploit in less than 30 seconds. Given the current state of tools and research in this area, a brute-force PIN-cracking attack through WPS is unlikely to succeed. |
+| WPS-PIN can be cracked by an offline attack because of weak initial key (E-S1,E S2) entropy. In 2014, Dominique Bongard described a "Pixie Dust" attack where poor initial randomness for the pseudo random number generator (PRNG) in the wireless device allowed an offline brute-force attack. | The Microsoft implementation of WPS in Surface Hub is not susceptible to this offline PIN brute-force attack. The WPS-PIN is randomized for each connection. |
-**Unintended exposure of network services**: Network daemons intended for Ethernet or WLAN services may be accidentally exposed due to misconfiguration (such as binding to “all”/0.0.0.0 interfaces), a poorly configured device firewall, or missing firewall rules altogether.
+**Unintended exposure of network services:** Network daemons that are intended for Ethernet or WLAN services may be accidentally exposed because of misconfiguration (such as binding to "all"/0.0.0.0 interfaces). Other possible causes include a poorly configured device firewall or missing firewall rules.
-| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
+| Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- |
-| Misconfiguration binds a vulnerable or unauthenticated network service to "all" interfaces, which includes the Wi-Fi Direct interface. This potentially exposes services not intended to be accessible to Wi-Fi Direct clients, which may be weakly or automatically authenticated. | Within Surface Hub, the default firewall rules only permit the required TCP and UDP network ports and by default deny all inbound connections. Strong authentication can be configured by enabling the WPS-PIN mode. |
+| Misconfiguration binds a vulnerable or unauthenticated network service to "all" interfaces, which includes the Wi-Fi Direct interface. This can expose services that shouldn't be accessible to Wi-Fi Direct clients, which may be weakly or automatically authenticated. | In Surface Hub, the default firewall rules only permit the required TCP and UDP network ports and by default deny all inbound connections. Configure strong authentication by enabling the WPS-PIN mode.|
-**Bridging Wi-Fi Direct and other wired or wireless networks**: While network bridging between WLAN or Ethernet networks is a violation of the Wi-Fi Direct specification, such a bridge or misconfiguration may effectively lower or remove wireless access controls for the internal corporate network.
+**Bridging Wi-Fi Direct and other wired or wireless networks:** Network bridging between WLAN or Ethernet networks is a violation of the Wi-Fi Direct specification. Such a bridge or misconfiguration may effectively lower or remove wireless access controls for the internal corporate network.
-| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
+| Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- |
-| Wi-Fi Direct devices could allow unauthenticated or poorly authenticated access to bridged network connections. This may allow Wi-Fi Direct networks to route traffic to internal Ethernet LAN or other infrastructure or enterprise WLAN networks in violation of existing IT security protocols. | Surface Hub cannot be configured to bridge Wireless interfaces or allow routing between disparate networks. The default firewall rules add defense in depth to any such routing or bridge connections. |
+| Wi-Fi Direct devices could allow unauthenticated or poorly authenticated access to bridged network connections. This might allow Wi-Fi Direct networks to route traffic to internal Ethernet LAN or other infrastructure or to enterprise WLAN networks in violation of existing IT security protocols. | Surface Hub can't be configured to bridge wireless interfaces or allow routing between disparate networks. The default firewall rules add defense in depth to any such routing or bridge connections. |
-**The use of Wi-Fi Direct “legacy” mode**: Exposure to unintended networks or devices when operating in “legacy” mode may present a risk. Device spoofing or unintended connections could occur if WPS-PIN is not enabled.
+**The use of Wi-Fi Direct "legacy" mode:** Exposure to unintended networks or devices may occur when you operate in "legacy" mode. Device spoofing or unintended connections could occur if WPS-PIN is not enabled.
-
-| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
+| Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- |
-| By supporting both Wi-Fi Direct and 802.11 infrastructure clients, the system is operating in a "legacy" support mode. This may expose the connection setup phase indefinitely, allowing for groups to be joined or devices invited to connect well after their intended setup phase terminates. | Surface Hub does not support Wi-Fi Direct legacy clients. Only Wi-Fi Direct connections can be made to Surface Hub even when WPS-PIN mode is enabled. |
+| By supporting both Wi-Fi Direct and 802.11 infrastructure clients, the system is operating in a "legacy" support mode. This may expose the connection-setup phase indefinitely, allowing groups to be joined or devices invited to connect well after their intended setup phase terminates. | Surface Hub doesn't support Wi-Fi Direct legacy clients. Only Wi-Fi Direct connections can be made to Surface Hub even when WPS-PIN mode is enabled. |
-**Wi-Fi Direct GO negotiation during connection setup**: The Group Owner within Wi-Fi Direct is analogous to the “Access Point” in a traditional 802.11 wireless network. The negotiation can be gamed by a malicious device.
+**Wi-Fi Direct GO negotiation during connection setup:** The group owner in Wi-Fi Direct is analogous to the "access point" in a conventional 802.11 wireless network. The negotiation can be gamed by a malicious device.
-|Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
+|Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- |
-| If groups are dynamically established or if the Wi-Fi Direct device can be made to join new groups, the Group Owner (GO) negotiation can be won by a malicious device that always specifies the max Group Owner "intent" value of 15. (Unless such device is configured to always be a Group Owner, in which case the connection fails.) | Surface Hub takes advantage of Wi-Fi Direct "Autonomous mode", which skips the GO negotiation phase of the connection setup. Surface Hub is always the Group Owner. |
+| If groups are dynamically established or the Wi-Fi Direct device can be made to join new groups, the group owner negotiation can be won by a malicious device that always specifies the maximum group owner "intent" value of 15. (But the connection fails if the device is configured to always be a group owner.) | Surface Hub takes advantage of Wi-Fi Direct "Autonomous mode," which skips the GO negotiation phase of connection setup. And Surface Hub is always the group owner. |
-**Unintended or malicious Wi-Fi deauthentication**: Wi-Fi deauthentication is an age-old attack that can be used by a physically local attacker to expedite information leaks against the connection setup process, trigger new four-way handshakes, target Wi-Fi Direct WPS-PBC for active attack, or create denial-of-service attacks.
+**Unintended or malicious Wi-Fi deauthentication:** Wi-Fi deauthentication is an old attack in which a local attacker can expedite information leaks in the connection-setup process, trigger new four-way handshakes, target Wi-Fi Direct WPS-PBC for active attacks, or create denial-of-service attacks.
-| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
+| Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- |
-| Deauthentication packets can be sent by an unauthenticated attacker to cause the station to re-authenticate and sniff the resulting handshake. Cryptographic or brute-force attacks can be attempted on the resulting handshake. Mitigations for these attack include: enforcing length and complexity policies for pre-shared keys; configuring the Access Point (if applicable) to detect malicious levels of deauthentication packets; and using WPS to automatically generate strong keys. In PBC mode the user is interacting with a physical or virtual button to allow arbitrary device association. This process should happen only at setup within a small window, once the button is automatically "pushed", the device will accept any station associating via a canonical PIN value (all zeros). Deauthentication can force a repeated setup process. | The current Surface Hub design uses WPS in PIN or PBC mode. No PSK configuration is permitted, helping enforce the generation of strong keys. It is recommended to enable WPS-PIN. |
-| Beyond denial-of-service attacks, deauthentication packets can also be used to trigger a reconnect which re-opens the window of opportunity for active attacks against WPS-PBC. | Enable WPS-PIN security within Surface Hub’s configuration. |
+| Deauthentication packets can be sent by an unauthenticated attacker to cause the station to re-authenticate then to sniff the resulting handshake. Cryptographic or brute-force attacks can be attempted on the resulting handshake. Mitigation for these attack includes enforcing length and complexity policies for pre-shared keys, configuring the access point (if applicable) to detect malicious levels of deauthentication packets, and using WPS to automatically generate strong keys. In PBC mode, the user interacts with a physical or virtual button to allow arbitrary device association. This process should happen only at setup, within a short window. After the button is automatically "pushed," the device will accept any station that associates via a canonical PIN value (all zeros). Deauthentication can force a repeated setup process. | Surface Hub uses WPS in PIN or PBC mode. No PSK configuration is permitted. This method helps enforce generation of strong keys. It's best to enable WPS-PIN security for Surface Hub. |
+| In addition to denial-of-service attacks, deauthentication packets can be used to trigger a reconnect that re-opens the window of opportunity for active attacks against WPS-PBC. | Enable WPS-PIN security in the Surface Hub configuration. |
-**Basic wireless information disclosure**: Wireless networks, 802.11 or otherwise, are inherently sources of information disclosure. Although the information is largely connection or device metadata, it remains an accepted risk for any 802.11 administrator. Wi-Fi Direct with device authentication via WPS-PIN effectively reveals the same information as a PSK or Enterprise 802.11 network.
+**Basic wireless information disclosure:** Wireless networks, 802.11 or otherwise, are inherently at risk of information disclosure. Although this information is mostly connection or device metadata, this problem remains a known risk for any 802.11 network administrator. Wi-Fi Direct with device authentication via WPS-PIN effectively reveals the same information as a PSK or Enterprise 802.11 network.
-| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
+| Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- |
-| During broadcast, connection setup, or even with already encrypted connections, basic information about the devices and packet sizes is wirelessly transmitted. At a basic level, a local attacker within wireless range can determine the names of wireless devices, the MAC addresses of communicating equipment, and possibly other details such as the version of the wireless stack, packet sizes, or the configured Access Point or Group Owner options by examining the relevant 802.11 Information Elements. | The Wi-Fi Direct network employed by Surface Hub cannot be further protected from metadata leaks, in the same way 802.11 Enterprise or PSK wireless networks also leak such metadata. Physical security and removing potential threats from the wireless proximity can be used to reduce any potential information leaks. |
+| During broadcast, connection setup, or even normal operation of already-encrypted connections, basic information about devices and packet sizes is wirelessly transmitted. At a basic level, a local attacker who's within wireless range can examine the relevant 802.11 information elements to determine the names of wireless devices, the MAC addresses of communicating equipment, and possibly other details, such as the version of the wireless stack, packet sizes, or the configured access point or group owner options. | The Wi-Fi Direct network that Surface Hub uses can't be further protected from metadata leaks, just like for 802.11 Enterprise or PSK wireless networks. Physical security and removal of potential threats from wireless proximity can help reduce potential information leaks. |
-**Wireless evil twin or spoofing attacks**: Spoofing the wireless name is a trivial and known exploit for a physically local attacker in order to lure unsuspecting or mistaken users to connect.
+**Wireless evil twin or spoofing attacks:** Spoofing the wireless name is a simple, well-known exploit a local attacker can use to lure unsuspecting or mistaken users to connect.
-| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
+| Wi-Fi Direct vulnerability | Surface Hub mitigation |
| --- | --- |
-| By spoofing or cloning the wireless name or "SSID" of the target network, an attacker may trick the user into connecting to fake malicious network. By supporting unauthenticated, auto-join Miracast an attacker could capture the intended display materials or attempt to perform network attacks on the connecting device. | While no specific protections against joining a spoofed Surface Hub are in place, this attack is partially mitigated in two ways. First, any potential attack must be physically within Wi-Fi range. Second, this attack is only possible during the very first connection. Subsequent connections use a persistent Wi-Fi Direct group and Windows will remember and prioritize this prior connection during future Hub use. (Note: Spoofing the MAC address, Wi-Fi channel and SSID simultaneously was not considered for this report and may result in inconsistent Wi-Fi behavior.) Overall this weakness is a fundamental problem for any 802.11 wireless network not using Enterprise WPA2 protocols such as EAP-TLS or EAP-PWD, which are not supported in Wi-Fi Direct. |
+| By spoofing or cloning the wireless name or "SSID" of the target network, an attacker may trick the user into connecting to a fake, malicious network. By supporting unauthenticated, auto-join Miracast, an attacker could capture the intended display materials or launch network attacks on the connecting device. | While there are no specific protections against joining a spoofed Surface Hub, this vulnerability is partially mitigated in two ways. First, any potential attack must be physically within Wi-Fi range. Second, this attack is only possible during the first connection. Subsequent connections use a persistent Wi-Fi Direct group, and Windows will remember and prioritize this prior connection during future Hub use. (Note: Spoofing the MAC address, Wi-Fi channel, and SSID simultaneously was not considered for this report and may result in inconsistent Wi-Fi behavior.) Overall, this weakness is a fundamental problem for any 802.11 wireless network that lacks Enterprise WPA2 protocols such as EAP-TLS or EAP-PWD, which Wi-Fi Direct doesn't support. |
## Surface Hub hardening guidelines
-Surface Hub is designed to facilitate collaboration and allow users to start or join meetings quickly and efficiently. As such, the default Wi-Fi Direct settings for Surface Hub are optimized for this scenario.
+Surface Hub is designed to facilitate collaboration and allow users to start or join meetings quickly and efficiently. The default Wi-Fi Direct settings for Surface Hub are optimized for this scenario.
-For users who require additional security around the wireless interface, we recommend Surface Hub users enable the WPS-PIN security setting. This disables WPS-PBC mode and offers client authentication, and provides the strongest level of protection by preventing any unauthorized connections to Surface Hub.
+For additional wireless interface security, Surface Hub users should enable the WPS-PIN security setting. This setting disables WPS-PBC mode and offers client authentication. It provides the strongest level of protection by preventing unauthorized connection to Surface Hub.
-If concerns remain around authentication and authorization of a Surface Hub, we recommend users connect the device to a separate network, either Wi-Fi (such as a "guest" Wi-Fi network) or using separate Ethernet network (preferably an entirely different physical network, but a VLAN can also provide some added security). Of course, this approach may preclude connections to internal network resources or services, and may require additional network configurations to regain access.
+If you still have concerns about authentication and authorization for Surface Hub, we recommend that you connect the device to a separate network. You could use Wi-Fi (such as a "guest" Wi-Fi network) or a separate Ethernet network, preferably an entirely different physical network. But a VLAN can also provide added security. Of course, this approach may preclude connections to internal network resources or services and may require additional network configuration to regain access.
-Also recommended:
-- [Install regular system updates.](manage-windows-updates-for-surface-hub.md)
-- Update the Miracast settings to disable auto-present mode.
+Also recommended:
+- [Install regular system updates](manage-windows-updates-for-surface-hub.md)
+- Update the Miracast settings to disable auto-present mode
## Learn more
@@ -118,7 +120,3 @@ Also recommended:
-
-
-
-
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index 351b6d2449..2513abc0f9 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -16,30 +16,25 @@ ms.reviewer:
manager: dansimp
---
-# Considerations for Surface and Microsoft Endpoint Configuration Manager
+# Considerations for Surface and System Center Configuration Manager
-Fundamentally, management and deployment of Surface devices with Endpoint Configuration Manager (formerly known as System Center Configuration Manager or SCCM) is the same as the management and deployment of any other PC. Like other PCs, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client – to publish apps, settings, and policies, you use the same process that you would use for any other device.
+Fundamentally, management and deployment of Surface devices with System Center Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client; to publish apps, settings, and policies, you use the same process as you would use for any other device.
-You can find more information about how to use Configuration Manager to deploy and manage devices in the [Microsoft Endpoint Configuration Manager documentation](https://docs.microsoft.com/sccm/index).
+You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index).
-Although the deployment and management of Surface devices is fundamentally the same as any other PC, there are some scenarios that may require additional considerations or steps. This article provides descriptions and guidance for these scenarios; the solutions documented in this article may apply to other devices and manufacturers as well.
+Although the deployment and management of Surface devices is fundamentally the same as any other PC, there are some scenarios that may require additional considerations or steps. This article provides descriptions and guidance for these scenarios. The solutions documented in this article may apply to other devices and manufacturers as well.
->[!NOTE]
->For management of Surface devices it is recommended that you use the Current Branch of Endpoint Configuration Manager.
-
-## Support for Surface Pro X
-Beginning in version 1802, Endpoint Configuration Manager includes client management support for Surface Pro X. Note however that running the Endpoint Configuration Manager agent on Surface Pro X may accelerate battery consumption. In addition, operating system deployment using Endpoint Configuration Manager is not supported on Surface Pro X. For more information, refer to:
-- [What's new in version 1802 of System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/plan-design/changes/whats-new-in-version-1802)
-- [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
+> [!NOTE]
+> For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
## Updating Surface device drivers and firmware
-For devices that receive updates through Windows Update, drivers for Surface components – and even firmware updates – are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS), the option to install drivers and firmware through Windows Update is not available. For these managed devices, the recommended driver management process is the deployment of driver and firmware updates using the Windows Installer (.msi) files, which are provided through the Microsoft Download Center. You can find a list of these downloads at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
-As .msi files, deployment of driver and firmware updates is performed in the same manner as deployment of an application. Instead of installing an application as would normally happen when an .msi file is run, the Surface driver and firmware .msi will apply the driver and firmware updates to the device. The single .msi file contains the driver and firmware updates required by each component of the Surface device. The updates for firmware are applied the next time the device reboots. You can read more about the .msi installation method for Surface drivers and firmware in [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates). For more information about how to deploy applications with Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs).
+For devices that recieve updates through Windows Update, drivers for Surface components (and even firmware updates) are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS) or System Center Configuration Manager, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates/).
->[!NOTE]
->Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2 – for more information see [Can't import drivers into System Center Configuration Manager (KB3025419)](https://support.microsoft.com/kb/3025419).
+
+> [!NOTE]
+> Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2. For more information, see [Can't import drivers into System Center Configuration Manager (KB3025419)](https://support.microsoft.com/kb/3025419).
## Surface Ethernet adapters and Configuration Manager deployment
@@ -47,43 +42,42 @@ The default mechanism that Configuration Manager uses to identify devices during
To ensure that Surface devices using the same Ethernet adapter are identified as unique devices during deployment, you can instruct Configuration Manager to identify devices using another method. This other method could be the MAC address of the wireless network adapter or the System Universal Unique Identifier (System UUID). You can specify that Configuration Manager use other identification methods with the following options:
-* Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/).
+* Add an exclusion for the MAC addresses of Surface Ethernet adapters, which forces Configuration Manager to overlook the MAC address in preference of the System UUID, as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
-* Prestage devices by System UUID as documented in [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/).
+* Prestage devices by System UUID as documented in the [Reusing the same NIC for multiple PXE initiated deployments in System Center Configuration Manager OSD](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/) blog post.
-* Use a script to identify a newly deployed Surface device by the MAC address of its wireless adapter, as documented in [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/).
+* Use a script to identify a newly deployed Surface device by the MAC address of its wireless adapter, as documented in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post.
Another consideration for the Surface Ethernet adapter during deployments with Configuration Manager is the driver for the Ethernet controller. Beginning in Windows 10, version 1511, the driver for the Surface Ethernet adapter is included by default in Windows. For organizations that want to deploy the latest version of Windows 10 and use the latest version of WinPE, use of the Surface Ethernet adapter requires no additional actions.
-For versions of Windows prior to Windows 10, version 1511 (including Windows 10 RTM and Windows 8.1), you may still need to install the Surface Ethernet adapter driver and include the driver in your WinPE boot media. With its inclusion in Windows 10, the driver is no longer available for download from the Microsoft Download Center. To download the Surface Ethernet adapter driver, refer to [Surface Ethernet Drivers](https://blogs.technet.microsoft.com/askcore/2016/08/18/surface-ethernet-drivers/).
+For versions of Windows prior to Windows 10, version 1511 (including Windows 10 RTM and Windows 8.1), you may still need to install the Surface Ethernet adapter driver and include the driver in your WinPE boot media. With its inclusion in Windows 10, the driver is no longer available for download from the Microsoft Download Center. To download the Surface Ethernet adapter driver, download it from the Microsoft Update Catalog as documented in the [Surface Ethernet Drivers](https://blogs.technet.microsoft.com/askcore/2016/08/18/surface-ethernet-drivers/) blog post from the Ask The Core Team blog.
## Deploy Surface app with Configuration Manager
-With the release of Microsoft Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Microsoft Store for Business and then deploy Surface app with PowerShell. For more information including PowerShell commands for deploying Surface app, refer to [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business).
+With the release of Microsoft Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Microsoft Store for Business and then deploy Surface app with PowerShell. You can find the PowerShell commands for deployment of Surface app, instructions to download Surface app, and prerequisite frameworks from Microsoft Store for Business in the [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article in the TechNet Library.
## Use prestaged media with Surface clients
If your organization uses prestaged media to pre-load deployment resources on to machines prior to deployment with Configuration Manager, the nature of Surface devices as UEFI devices may require you to take additional steps. Specifically, a native UEFI environment requires that you create multiple partitions on the boot disk of the system. If you are following along with the [documentation for prestaged media](https://technet.microsoft.com/library/79465d90-4831-4872-96c2-2062d80f5583?f=255&MSPPError=-2147217396#BKMK_CreatePrestagedMedia), the instructions provide for only single partition boot disks and therefore will fail when applied to Surface devices.
-To apply prestaged media to UEFI devices, such as Surface devices, refer to [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in System Center Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/).
+Instructions for applying prestaged media to UEFI devices, such as Surface devices, can be found in the [How to apply Task Sequence Prestaged Media on multi-partitioned disks for BIOS or UEFI PCs in System Center Configuration Manager](https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2014/04/02/how-to-apply-task-sequence-prestaged-media-on-multi-partitioned-disks-for-bios-or-uefi-pcs-in-system-center-configuration-manager/) blog post.
## Licensing conflicts with OEM Activation 3.0
Surface devices come preinstalled with a licensed copy of Windows. For example, Surface Pro 4 is preinstalled with Windows 10 Professional. The license key for this preinstalled copy of Windows is embedded in the firmware of the device with OEM Activation 3.0 (OA 3.0). When you run Windows installation media on a device with an OA 3.0 key, Windows setup automatically reads the license key and uses it to install and activate Windows. In most situations, this simplifies the reinstallation of Windows, because the user does not have to find or enter a license key.
-When you reimage a device by using Windows Enterprise, this embedded license key does not cause a conflict. This is because the installation media for Windows Enterprise is configured to install only an Enterprise edition of Windows and therefore is incompatible with the license key embedded in the system firmware. If a product key is not specified (such as when you intend to activate with Key Management Services (KMS) or Active Directory Based Activation), a Generic Volume License Key (GVLK) is used until Windows is activated by one of those technologies.
+When you reimage a device by using Windows Enterprise, this embedded license key does not cause a conflict. This is because the installation media for Windows Enterprise is configured to install only an Enterprise edition of Windows and therefore is incompatible with the license key embedded in the system firmware. If a product key is not specified (such as when you intend to activate with Key Management Services [KMS] or Active Directory Based Activation), a Generic Volume License Key (GVLK) is used until Windows is activated by one of those technologies.
-However, issues may arise when organizations intend to use versions of Windows that are compatible with the firmware embedded key. For example, an organization that wants to install Windows 10 Professional on a Surface 3 device that originally shipped with Windows 10 Home edition may encounter difficulty when Windows setup automatically reads the Home edition key during installation and installs as Home edition rather than Professional. To avoid this conflict, you can use the Ei.cfg or Pid.txt file (see [Windows Setup Edition Configuration and Product ID Files](https://technet.microsoft.com/library/hh824952.aspx)) to explicitly instruct Windows setup to prompt for a product key, or you can enter a specific product key in the deployment task sequence. If you do not have a specific key, you can use the default product keys for Windows, which you can find in [Customize and deploy a Windows 10 operating system](https://dpcenter.microsoft.com/en/Windows/Build/cp-Windows-10-build) on the Device Partner Center.
+However, issues may arise when organizations intend to use versions of Windows that are compatible with the firmware embedded key. For example, an organization that wants to install Windows 10 Professional on a Surface 3 device that originally shipped with Windows 10 Home edition may encounter difficulty when Windows setup automatically reads the Home edition key during installation and installs as Home edition rather than Professional. To avoid this conflict, you can use the Ei.cfg or Pid.txt file to explicitly instruct Windows setup to prompt for a product key, or you can enter a specific product key in the deployment task sequence. For more information, see [Windows Setup Edition Configuration and Product ID Files](https://technet.microsoft.com/library/hh824952.aspx). If you do not have a specific key, you can use the default product keys for Windows, which you can find in [Customize and deploy a Windows 10 operating system](https://dpcenter.microsoft.com/en/Windows/Build/cp-Windows-10-build) on the Device Partner Center.
## Apply an asset tag during deployment
-Surface Studio, Surface Book, Surface Pro 4, Surface Pro 3, and Surface 3 devices all support the application of an asset tag in UEFI. This asset tag can be used to identify the device from UEFI even if the operating system fails, and it can also be queried from within the operating system. For more information, refer to [Surface Asset Tag Tool](assettag.md).
+Surface Studio, Surface Book, Surface Pro 4, Surface Pro 3, and Surface 3 devices all support the application of an asset tag in UEFI. This asset tag can be used to identify the device from UEFI even if the operating system fails, and it can also be queried from within the operating system. To read more about the Surface Asset Tag function, see the [Asset Tag Tool for Surface Pro 3](https://blogs.technet.microsoft.com/askcore/2014/10/20/asset-tag-tool-for-surface-pro-3/) blog post.
-To apply an asset tag using the [Surface Asset Tag CLI Utility](https://www.microsoft.com/download/details.aspx?id=44076) during a Configuration Manager deployment task sequence, use the script and instructions in [Set Surface Asset Tag During a Configuration Manager Task Sequence](https://blogs.technet.microsoft.com/jchalfant/set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence/).
+To apply an asset tag using the [Surface Asset Tag CLI Utility](https://www.microsoft.com/download/details.aspx?id=44076) during a Configuration Manager deployment task sequence, use the script and instructions found in the [Set Surface Asset Tag During a Configuration Manager Task Sequence](https://blogs.technet.microsoft.com/jchalfant/set-surface-pro-3-asset-tag-during-a-configuration-manager-task-sequence/) blog post.
## Configure push-button reset
When you deploy Windows to a Surface device, the push-button reset functionality of Windows is configured by default to revert the system back to a state where the environment is not yet configured. When the reset function is used, the system discards any installed applications and settings. Although in some situations it can be beneficial to restore the system to a state without applications and settings, in a professional environment this effectively renders the system unusable to the end user.
Push-button reset can be configured, however, to restore the system configuration to a state where it is ready for use by the end user. Follow the process outlined in [Deploy push-button reset features](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/deploy-push-button-reset-features) to customize the push-button reset experience for your devices.
-
diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json
index fafc824f21..42faacbcac 100644
--- a/devices/surface/docfx.json
+++ b/devices/surface/docfx.json
@@ -47,7 +47,8 @@
"jborsecnik",
"tiburd",
"garycentric"
- ]
+ ],
+ "titleSuffix": "Surface"
},
"externalReference": [],
"template": "op.html",
diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md
index 8c512f48c2..47c2ffed10 100644
--- a/devices/surface/microsoft-surface-brightness-control.md
+++ b/devices/surface/microsoft-surface-brightness-control.md
@@ -21,11 +21,10 @@ When deploying Surface devices in point of sale or other “always-on”
kiosk scenarios, you can optimize power management using the new Surface
Brightness Control app.
-Available for download with [Surface Tools for
-IT](https://www.microsoft.com/download/details.aspx?id=46703), Surface Brightness Control is
-designed to help reduce thermal load and lower the overall carbon
-footprint for deployed Surface devices. The tool automatically dims the screen when not in use and
-includes the following configuration options:
+Available for download with [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703).
+Surface Brightness Control is designed to help reduce thermal load and lower the overall carbon footprint for deployed Surface devices.
+If you plan to get only this tool from the download page, select the file **Surface_Brightness_Control_v1.16.137.0.msi** in the available list.
+The tool automatically dims the screen when not in use and includes the following configuration options:
- Period of inactivity before dimming the display.
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md
index 104b12b126..751ea36a4d 100644
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@@ -50,9 +50,6 @@ You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firm
> [!NOTE]
> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]"
-> [!NOTE]
-> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]"
-
For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation.
> [!IMPORTANT]
diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md
index 3e867c8f49..26e145c547 100644
--- a/devices/surface/surface-pro-arm-app-management.md
+++ b/devices/surface/surface-pro-arm-app-management.md
@@ -62,18 +62,19 @@ Some third-party antivirus software cannot be installed on a Windows 10 PC runni
## Servicing Surface Pro X
-Outside of personal devices that rely on Windows Update, servicing devices in most corporate environments requires downloading and managing the deployment of .MSI files to update target devices. Refer to the following documentation, which will be updated later to include guidance for servicing Surface Pro X:
+Surface Pro X supports Windows 10, version 1903 and later. As an ARM-based device, it has specific requirements for maintaining the latest drivers and firmware.
-- [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
+Surface Pro X was designed to use Windows Update to simplify the process of keeping drivers and firmware up to date for both home users and small business users. Use the default settings to receive Automatic updates. To verify:
-> [!NOTE]
-> Surface Pro X supports Windows 10, version 1903 and later.
+1. Go to **Start** > **Settings > Update & Security > Windows Update** > **Advanced Options.**
+2. Under **Choose how updates are installed,** select **Automatic (recommended)**.
-### Windows Server Update Services
-Windows Server Update Services (WSUS) does not support the ability to deliver drivers and firmware to Surface Pro X.
-
-For more information, refer to the [Microsoft Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/sum/get-started/configure-classifications-and-products).
+### Recommendations for commercial customers
+- Use Windows Update or Windows Update for Business for maintaining the latest drivers and firmware. For more information, see [Deploy Updates using Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb).
+- If your procedures require using a Windows Installer .msi file, contact [Surface for Business support](https://support.microsoft.com/help/4037645).
+- For more information about deploying and managing updates on Surface devices, see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
+- Note that Windows Server Update Services (WSUS) does not support the ability to deliver drivers and firmware to Surface Pro X.
## Running apps on Surface Pro X
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
index 85b5bfa7d1..09000265e6 100644
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -1,6 +1,6 @@
---
title: Use Microsoft Endpoint Configuration Manager to manage devices with SEMM (Surface)
-description: Learn how to manage SEMM with Endpoint Configuration Manager.
+description: Learn how to manage Microsoft Surface Enterprise Management Mode (SEMM) with Endpoint Configuration Manager.
keywords: enroll, update, scripts, settings
ms.prod: w10
ms.mktglfcycl: manage
@@ -18,16 +18,16 @@ ms.audience: itpro
# Use Microsoft Endpoint Configuration Manager to manage devices with SEMM
-The Surface Enterprise Management Mode (SEMM) feature of Surface UEFI devices allows administrators to both manage and secure the configuration of Surface UEFI settings. For most organizations, this process is accomplished by creating Windows Installer (.msi) packages with the Microsoft Surface UEFI Configurator tool. These packages are then run or deployed to the client Surface devices to enroll the devices in SEMM and to update the Surface UEFI settings configuration.
+The Microsoft Surface Enterprise Management Mode (SEMM) feature of Surface UEFI devices lets administrators manage and help secure the configuration of Surface UEFI settings. For most organizations, this process is accomplished by creating Windows Installer (.msi) packages with the Microsoft Surface UEFI Configurator tool. These packages are then run or deployed to the client Surface devices to enroll the devices in SEMM and to update the Surface UEFI settings configuration.
-For organizations with Endpoint Configuration Manager, (formerly known as System Center Configuration Manager or SCCM) there is an alternative to using the Microsoft Surface UEFI Configurator .msi process to deploy and administer SEMM. Microsoft Surface UEFI Manager is a lightweight installer that makes required assemblies for SEMM management available on a device. By installing these assemblies with Microsoft Surface UEFI Manager on a managed client, SEMM can be administered by Configuration Manager with PowerShell scripts, deployed as applications. With this process, SEMM management is performed within Configuration Manager, which eliminates the need for the external Microsoft Surface UEFI Configurator tool.
+For organizations with Endpoint Configuration Manager (formerly known as System Center Configuration Manager or SCCM), there is an alternative to using the Microsoft Surface UEFI Configurator .msi process to deploy and administer SEMM. Microsoft Surface UEFI Manager is a lightweight installer that makes required assemblies for SEMM management available on a device. By installing these assemblies with Microsoft Surface UEFI Manager on a managed client, SEMM can be administered by Configuration Manager with PowerShell scripts, deployed as applications. With this process, SEMM management is performed within Configuration Manager, which eliminates the need for the external Microsoft Surface UEFI Configurator tool.
->[!Note]
->Although the process described in this article may work with earlier versions of Endpoint Configuration Manager or with other third-party management solutions, management of SEMM with Microsoft Surface UEFI Manager and PowerShell is supported only with the Current Branch of Endpoint Configuration Manager.
+> [!Note]
+> Although the process described in this article may work with earlier versions of Endpoint Configuration Manager or with other third-party management solutions, management of SEMM with Microsoft Surface UEFI Manager and PowerShell is supported only with the Current Branch of Endpoint Configuration Manager.
#### Prerequisites
-Before you begin the process outlined in this article, it is expected that you are familiar with the following technologies and tools:
+Before you begin the process outlined in this article, familiarize yourself with the following technologies and tools:
* [Surface UEFI](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings)
* [Surface Enterprise Management Mode (SEMM)](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode)
@@ -52,60 +52,60 @@ After Microsoft Surface UEFI Manager is installed on the client Surface device,
Deployment of Microsoft Surface UEFI Manager is a typical application deployment. The Microsoft Surface UEFI Manager installer file is a standard Windows Installer file that you can install with the [standard quiet option](https://msdn.microsoft.com/library/windows/desktop/aa367988).
-The command to install Microsoft Surface UEFI Manager is:
+The command to install Microsoft Surface UEFI Manager is as follows.
`msiexec /i "SurfaceUEFIManagerSetup.msi" /q`
-The command to uninstall Microsoft Surface UEFI Manager is:
+The command to uninstall Microsoft Surface UEFI Manager is as follows.
`msiexec /x {541DA890-1AEB-446D-B3FD-D5B3BB18F9AF} /q`
To create a new application and deploy it to a collection that contains your Surface devices, perform the following steps:
-1. Open Configuration Manager Console from the Start screen or Start menu.
-2. Click **Software Library** in the bottom left corner of the window.
-3. Expand the Application Management node of the Software Library, and then click **Applications**.
-4. Click the **Create Application** button under the **Home** tab at the top of the window. This starts the Create Application Wizard.
+1. Open Configuration Manager Console from the **Start** screen or **Start** menu.
+2. Select **Software Library** in the bottom left corner of the window.
+3. Expand the **Application Management** node of the Software Library, and then select **Applications**.
+4. Select the **Create Application** button under the **Home** tab at the top of the window. This starts the Create Application Wizard.
5. The Create Application Wizard presents a series of steps:
- * **General** – The **Automatically detect information about this application from installation files** option is selected by default. In the **Type** field, **Windows Installer (*.msi file)** is also selected by default. Click **Browse** to navigate to and select **SurfaceUEFIManagerSetup.msi**, and then click **Next**.
+ * **General** – The **Automatically detect information about this application from installation files** option is selected by default. In the **Type** field, **Windows Installer (.msi file)** is also selected by default. Select **Browse** to navigate to and select **SurfaceUEFIManagerSetup.msi**, and then select **Next**.
- >[!Note]
- >The location of SurfaceUEFIManagerSetup.msi must be on a network share and located in a folder that contains no other files. A local file location cannot be used.
+ > [!Note]
+ > The location of SurfaceUEFIManagerSetup.msi must be on a network share and located in a folder that contains no other files. A local file location cannot be used.
- * **Import Information** – The Create Application Wizard will parse the .msi file and read the **Application Name** and **Product Code**. SurfaceUEFIManagerSetup.msi should be listed as the only file under the line **Content Files**, as shown in Figure 1. Click **Next** to proceed.
+ * **Import Information** – The Create Application Wizard will parse the .msi file and read the **Application Name** and **Product Code**. SurfaceUEFIManagerSetup.msi should be listed as the only file under the line **Content Files**, as shown in Figure 1. Select **Next** to proceed.
*Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed*
- * **General Information** – You can modify the name of the application and information about the publisher and version, or add comments on this page. The installation command for Microsoft Surface UEFI Manager is displayed in the Installation Program field. The default installation behavior of Install for system will allow Microsoft Surface UEFI Manager to install the required assemblies for SEMM even if a user is not logged on to the Surface device. Click Next to proceed.
- * **Summary** – The information that was parsed in the **Import Information** step and your selections from the **General Information** step is displayed on this page. Click **Next** to confirm your selections and create the application.
+ * **General Information** – You can modify the name of the application and information about the publisher and version, or add comments on this page. The installation command for Microsoft Surface UEFI Manager is displayed in the Installation Program field. The default installation behavior of Install for system will allow Microsoft Surface UEFI Manager to install the required assemblies for SEMM even if a user is not logged on to the Surface device. Select **Next** to proceed.
+ * **Summary** – The information that was parsed in the **Import Information** step and your selections from the **General Information** step is displayed on this page. Select **Next** to confirm your selections and create the application.
* **Progress** – Displays a progress bar and status as the application is imported and added to the Software Library.
- * **Completion** – Confirmation of the successful application creation is displayed when the application creation process is complete. Click **Close** to finish the Create Application Wizard.
+ * **Completion** – Confirmation of the successful application creation is displayed when the application creation process is complete. Select **Close** to finish the Create Application Wizard.
-After the application is created in Configuration Manager, you can distribute it to your distribution points and deploy it to the collections including your Surface devices. This application will not install or enable SEMM on the Surface device – it only provides the assemblies required for SEMM to be enabled via PowerShell script.
+After the application is created in Configuration Manager, you can distribute it to your distribution points and deploy it to the collections including your Surface devices. This application will not install or enable SEMM on the Surface device. It only provides the assemblies required for SEMM to be enabled using the PowerShell script.
If you do not want to install the Microsoft Surface UEFI Manager assemblies on devices that will not be managed with SEMM, you can configure Microsoft Surface UEFI Manager as a dependency of the SEMM Configuration Manager scripts. This scenario is covered in the [Deploy SEMM Configuration Manager Scripts](#deploy-semm-configuration-manager-scripts) section later in this article.
## Create or modify the SEMM Configuration Manager scripts
-After the required assemblies have been installed on the devices, the process of enrolling the devices in SEMM and configuring Surface UEFI is done with PowerShell scripts and deployed as a script application with Configuration Manager. These scripts can be modified to fit the needs of your organization and environment. For example, you can create multiple configurations for managed Surface devices in different departments or roles. You can download samples of the scripts for SEMM and Configuration Manager at the link in the [Prerequisites](#prerequisites) section at the beginning of this article.
+After the required assemblies have been installed on the devices, the process of enrolling the devices in SEMM and configuring Surface UEFI is done with PowerShell scripts and deployed as a script application with Configuration Manager. These scripts can be modified to fit the needs of your organization and environment. For example, you can create multiple configurations for managed Surface devices in different departments or roles. You can download samples of the scripts for SEMM and Configuration Manager from the link in the [Prerequisites](#prerequisites) section at the beginning of this article.
-There are two primary scripts you will need to perform a SEMM deployment with Configuration Manager:
+There are two primary scripts you will need in order to perform a SEMM deployment with Configuration Manager:
-* **ConfigureSEMM.ps1** – Use this script to create configuration packages for your Surface devices with your desired Surface UEFI settings, to apply the specified settings to a Surface device, to enroll the device in SEMM, and to set a registry key used to identify the enrollment of the device in SEMM.
+* **ConfigureSEMM.ps1** – Use this script to create configuration packages for your Surface devices with your desired Surface UEFI settings to apply the specified settings to a Surface device, to enroll the device in SEMM, and to set a registry key used to identify the enrollment of the device in SEMM.
* **ResetSEMM.ps1** – Use this script to reset SEMM on a Surface device, which unenrolls it from SEMM and removes the control over Surface UEFI settings.
The sample scripts include examples of how to set Surface UEFI settings and how to control permissions to those settings. These settings can be modified to secure Surface UEFI and set Surface UEFI settings according to the needs of your environment. The following sections of this article explain the ConfigureSEMM.ps1 script and explore the modifications you need to make to the script to fit your requirements.
->[!NOTE]
->The SEMM Configuration Manager scripts and the exported SEMM certificate file (.pfx) should be placed in the same folder with no other files before they are added to Configuration Manager.
+> [!NOTE]
+> The SEMM Configuration Manager scripts and the exported SEMM certificate file (.pfx) should be placed in the same folder with no other files before they are added to Configuration Manager.
### Specify certificate and package names
-The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script:
+The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, and the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script.
```
56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition
@@ -128,14 +128,14 @@ The first region of the script that you need to modify is the portion that speci
73 $password = "1234"
```
-Replace the **FabrikamSEMMSample.pfx** value for the **$certName** variable with the name of your SEMM Certificate file on line 58. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory.
+Replace the **FabrikamSEMMSample.pfx** value for the **$certName** variable with the name of your SEMM Certificate file on line 58. The script will create a working directory (named Config) in the folder where your scripts are located, and then copies the certificate file to this working directory.
Owner package and reset package will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script.
-On line 73, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text.
+On line 73, replace the value of the **$password** variable, from **1234** to the password for your certificate file. If a password is not required, delete the **1234** text.
->[!Note]
->The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this:
+> [!Note]
+> The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this.
```
150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
@@ -148,20 +148,20 @@ On line 73, replace the value of the **$password** variable, from 1234, to the p
Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process:
-1. Right-click the .pfx file, and then click **Open**.
+1. Right-click the .pfx file, and then select **Open**.
2. Expand the folder in the navigation pane.
-3. Click **Certificates**.
-4. Right-click your certificate in the main pane, and then click **Open**.
-5. Click the **Details** tab.
+3. Select **Certificates**.
+4. Right-click your certificate in the main pane, and then select **Open**.
+5. Select the **Details** tab.
6. **All** or **Properties Only** must be selected in the **Show** drop-down menu.
7. Select the field **Thumbprint**.
->[!NOTE]
->The SEMM certificate name and password must also be entered in this section of the ResetSEMM.ps1 script to enable Configuration Manager to remove SEMM from the device with the uninstall action.
+> [!NOTE]
+> The SEMM certificate name and password must also be entered in this section of the ResetSEMM.ps1 script to enable Configuration Manager to remove SEMM from the device with the uninstall action.
### Configure permissions
-The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras:
+The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras.
```
210 # Configure Permissions
@@ -213,7 +213,7 @@ You can find information about the available settings names and IDs for Surface
### Configure settings
-The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows:
+The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows.
```
291 # Configure Settings
@@ -271,11 +271,11 @@ You can find information about the available settings names and IDs for Surface
### Settings registry key
-To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes registry keys that can be used to identify enrolled systems as having been installed with the SEMM configuration script. These keys can be found at the following location:
+To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes registry keys that can be used to identify enrolled systems as having been installed with the SEMM configuration script. These keys can be found at the following location.
`HKLM\SOFTWARE\Microsoft\Surface\SEMM`
-The following code fragment, found on lines 380-477, is used to write these registry keys:
+The following code fragment, found on lines 380-477, is used to write these registry keys.
```
380 # For Endpoint Configuration Manager or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry:
@@ -443,11 +443,11 @@ After your scripts are prepared to configure and enable SEMM on the client devic
* ResetSEMM.ps1
* Your SEMM certificate (for example SEMMCertificate.pfx)
-The SEMM Configuration Manager scripts will be added to Configuration Manager as a script application. The command to install SEMM with ConfigureSEMM.ps1 is:
+The SEMM Configuration Manager scripts will be added to Configuration Manager as a script application. The command to install SEMM with ConfigureSEMM.ps1 is as follows.
`Powershell.exe -file ".\ConfigureSEMM.ps1"`
-The command to uninstall SEMM with ResetSEMM.ps1 is:
+The command to uninstall SEMM with ResetSEMM.ps1 is as follows.
`Powershell.exe -file ".\ResetSEMM.ps1"`
@@ -457,82 +457,82 @@ To add the SEMM Configuration Manager scripts to Configuration Manager as an app
2. Proceed through The Create Application Wizard as follows:
- - **General** – Select **Manually specify the application information**, and then click **Next**.
+ - **General** – Select **Manually specify the application information**, and then select **Next**.
- - **General Information** – Enter a name for the application (for example SEMM) and any other information you want such as publisher, version, or comments on this page. Click **Next** to proceed.
+ - **General Information** – Enter a name for the application (for example SEMM) and any other information you want such as publisher, version, or comments on this page. Select **Next** to proceed.
- - **Application Catalog** – The fields on this page can be left with their default values. Click **Next**.
+ - **Application Catalog** – The fields on this page can be left with their default values. Select **Next**.
- - **Deployment Types** – Click **Add** to start the Create Deployment Type Wizard.
+ - **Deployment Types** – Select **Add** to start the Create Deployment Type Wizard.
- Proceed through the steps of the Create Deployment Type Wizard, as follows:
- * **General** – Click **Script Installer** from the **Type** drop-down menu. The **Manually specify the deployment type information** option will automatically be selected. Click **Next** to proceed.
- * **General Information** – Enter a name for the deployment type (for example SEMM Configuration Scripts), and then click **Next** to continue.
- * **Content** – Click **Browse** next to the **Content Location** field, and then click the folder where your SEMM Configuration Manager scripts are located. In the **Installation Program** field, type the [installation command](#deploy-semm-configuration-manager-scripts) found earlier in this article. In the **Uninstall Program** field, enter the [uninstallation command](#deploy-semm-configuration-manager-scripts) found earlier in this article (shown in Figure 2). Click **Next** to move to the next page.
+ * **General** – Select **Script Installer** from the **Type** drop-down menu. The **Manually specify the deployment type information** option will automatically be selected. Select **Next** to proceed.
+ * **General Information** – Enter a name for the deployment type (for example SEMM Configuration Scripts), and then select **Next** to continue.
+ * **Content** – Select **Browse** next to the **Content Location** field, and then select the folder where your SEMM Configuration Manager scripts are located. In the **Installation Program** field, type the [installation command](#deploy-semm-configuration-manager-scripts) found earlier in this article. In the **Uninstall Program** field, enter the [uninstallation command](#deploy-semm-configuration-manager-scripts) found earlier in this article (shown in Figure 2). Select **Next** to move to the next page.
*Figure 2. Set the SEMM Configuration Manager scripts as the install and uninstall commands*
- * **Detection Method** – Click **Add Clause** to add the SEMM Configuration Manager script registry key detection rule. The **Detection Rule** window is displayed, as shown in Figure 3. Use the following settings:
+ * **Detection Method** – Select **Add Clause** to add the SEMM Configuration Manager script registry key detection rule. The **Detection Rule** window is displayed, as shown in Figure 3. Use the following settings:
- - Click **Registry** from the **Setting Type** drop-down menu.
- - Click **HKEY_LOCAL_MACHINE** from the **Hive** drop-down menu.
+ - Select **Registry** from the **Setting Type** drop-down menu.
+ - Select **HKEY_LOCAL_MACHINE** from the **Hive** drop-down menu.
- Enter **SOFTWARE\Microsoft\Surface\SEMM** in the **Key** field.
- Enter **Enabled_Version1000** in the **Value** field.
- - Click **String** from the **Data Type** drop-down menu.
- - Click the **This registry setting must satisfy the following rule to indicate the presence of this application** button.
+ - Select **String** from the **Data Type** drop-down menu.
+ - Select the **This registry setting must satisfy the following rule to indicate the presence of this application** button.
- Enter **1** in the **Value** field.
- - Click **OK** to close the **Detection Rule** window.
+ - Select **OK** to close the **Detection Rule** window.
*Figure 3. Use a registry key to identify devices enrolled in SEMM*
- * Click **Next** to proceed to the next page.
+ * Select **Next** to proceed to the next page.
- * **User Experience** – Click **Install for system** from the **Installation Behavior** drop-down menu. If you want your users to record and enter the certificate thumbprint themselves, leave the logon requirement set to **Only when a user is logged on**. If you want your administrators to enter the thumbprint for users and the users do not need to see the thumbprint, click **Whether or not a user is logged on** from the **Logon Requirement** drop-down menu.
+ * **User Experience** – Select **Install for system** from the **Installation Behavior** drop-down menu. If you want your users to record and enter the certificate thumbprint themselves, leave the logon requirement set to **Only when a user is logged on**. If you want your administrators to enter the thumbprint for users and the users do not need to see the thumbprint, select **Whether or not a user is logged on** from the **Logon Requirement** drop-down menu.
- * **Requirements** – The ConfigureSEMM.ps1 script automatically verifies that the device is a Surface device before attempting to enable SEMM. However, if you intend to deploy this script application to a collection with devices other than those to be managed with SEMM, you could add requirements here to ensure this application would run only on Surface devices or devices you intend to manage with SEMM. Click **Next** to continue.
+ * **Requirements** – The ConfigureSEMM.ps1 script automatically verifies that the device is a Surface device before attempting to enable SEMM. However, if you intend to deploy this script application to a collection with devices other than those to be managed with SEMM, you could add requirements here to ensure this application would run only on Surface devices or devices you intend to manage with SEMM. Select **Next** to continue.
- * **Dependencies** – Click **Add** to open the **Add Dependency** window.
+ * **Dependencies** – Select **Add** to open the **Add Dependency** window.
- * Click **Add** to open the **Specify Required Application** window.
+ * Select **Add** to open the **Specify Required Application** window.
- Enter a name for the SEMM dependencies in the **Dependency Group Name** field (for example, *SEMM Assemblies*).
- - Click **Microsoft Surface UEFI Manager** from the list of **Available Applications** and the MSI deployment type, and then click **OK** to close the **Specify Required Application** window.
+ - Select **Microsoft Surface UEFI Manager** from the list of **Available Applications** and the MSI deployment type, and then select **OK** to close the **Specify Required Application** window.
- * Keep the **Auto Install** check box selected if you want Microsoft Surface UEFI Manager installed automatically on devices when you attempt to enable SEMM with the Configuration Manager scripts. Click **OK** to close the **Add Dependency** window.
+ * Keep the **Auto Install** check box selected if you want Microsoft Surface UEFI Manager installed automatically on devices when you attempt to enable SEMM with the Configuration Manager scripts. Select **OK** to close the **Add Dependency** window.
- * Click **Next** to proceed.
+ * Select **Next** to proceed.
- * **Summary** – The information you have entered throughout the Create Deployment Type wizard is displayed on this page. Click **Next** to confirm your selections.
+ * **Summary** – The information you have entered throughout the Create Deployment Type wizard is displayed on this page. Select **Next** to confirm your selections.
* **Progress** – A progress bar and status as the deployment type is added for the SEMM script application is displayed on this page.
- * **Completion** – Confirmation of the deployment type creation is displayed when the process is complete. Click **Close** to finish the Create Deployment Type Wizard.
+ * **Completion** – Confirmation of the deployment type creation is displayed when the process is complete. Select **Close** to finish the Create Deployment Type Wizard.
- - **Summary** – The information that you entered throughout the Create Application Wizard is displayed. Click **Next** to create the application.
+ - **Summary** – The information that you entered throughout the Create Application Wizard is displayed. Select **Next** to create the application.
- **Progress** – A progress bar and status as the application is added to the Software Library is displayed on this page.
- - **Completion** – Confirmation of the successful application creation is displayed when the application creation process is complete. Click **Close** to finish the Create Application Wizard.
+ - **Completion** – Confirmation of the successful application creation is displayed when the application creation process is complete. Select **Close** to finish the Create Application Wizard.
After the script application is available in the Software Library of Configuration Manager, you can distribute and deploy SEMM using the scripts you prepared to devices or collections. If you have configured the Microsoft Surface UEFI Manager assemblies as a dependency that will be automatically installed, you can deploy SEMM in a single step. If you have not configured the assemblies as a dependency, they must be installed on the devices you intend to manage before you enable SEMM.
When you deploy SEMM using this script application and with a configuration that is visible to the end user, the PowerShell script will start and the thumbprint for the certificate will be displayed by the PowerShell window. You can have your users record this thumbprint and enter it when prompted by Surface UEFI after the device reboots.
-Alternatively, you can configure the application installation to reboot automatically and to install invisibly to the user – in this scenario, a technician will be required to enter the thumbprint on each device as it reboots. Any technician with access to the certificate file can read the thumbprint by viewing the certificate with CertMgr. Instructions for viewing the thumbprint with CertMgr are in the [Create or modify the SEMM Configuration Manager scripts](#create-or-modify-the-semm-configuration-manager-scripts) section of this article.
+Alternatively, you can configure the application installation to reboot automatically and to install invisibly to the user. In this scenario, a technician will be required to enter the thumbprint on each device as it reboots. Any technician with access to the certificate file can read the thumbprint by viewing the certificate with CertMgr. Instructions for viewing the thumbprint with CertMgr are in the [Create or modify the SEMM Configuration Manager scripts](#create-or-modify-the-semm-configuration-manager-scripts) section of this article.
Removal of SEMM from a device deployed with Configuration Manager using these scripts is as easy as uninstalling the application with Configuration Manager. This action starts the ResetSEMM.ps1 script and properly unenrolls the device with the same certificate file that was used during the deployment of SEMM.
> [!NOTE]
> Microsoft Surface recommends that you create reset packages only when you need to unenroll a device. These reset packages are typically valid for only one device, identified by its serial number. You can, however, create a universal reset package that would work for any device enrolled in SEMM with this certificate.
>
-> We strongly recommend that you protect your universal reset package as carefully as the certificate you used to enroll devices in SEMM. Please remember that – just like the certificate itself – this universal reset package can be used to unenroll any of your organization’s Surface devices from SEMM.
+> We strongly recommend that you protect your universal reset package as carefully as the certificate you used to enroll devices in SEMM. Please remember that, just like the certificate itself, this universal reset package can be used to unenroll any of your organization’s Surface devices from SEMM.
>
-> When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package – the device will prompt for the certificate thumbprint before ownership is taken.
+> When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package. The device will prompt for the certificate thumbprint before ownership is taken.
>
> For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken.
diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md
index 0ee065cb59..00ad750ca8 100644
--- a/devices/surface/wake-on-lan-for-surface-devices.md
+++ b/devices/surface/wake-on-lan-for-surface-devices.md
@@ -10,7 +10,7 @@ ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
ms.topic: article
-ms.date: 10/10/2019
+ms.date: 12/30/2019
ms.reviewer: scottmca
manager: dansimp
ms.audience: itpro
@@ -44,6 +44,8 @@ The following devices are supported for WOL:
* Surface Go
* Surface Go with LTE Advanced
* Surface Studio 2 (see Surface Studio 2 instructions below)
+* Surface Pro 7
+* Surface Laptop 3
## WOL driver
@@ -66,15 +68,15 @@ To enable WOL on Surface Studio 2, you must use the following procedure
1. Create the following registry keys:
- ```
-; Set CONNECTIVITYINSTANDBY to 1:
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\F15576E8-98B7-4186-B944-EAFA664402D9]
-"Attributes"=dword:00000001
-; Set EnforceDisconnectedStandby to 0 and AllowSystemRequiredPowerRequests to 1:
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power]
-"EnforceDisconnectedStandby"=dword:00000000
-"AllowSystemRequiredPowerRequests"=dword:00000001
-```
+ ```console
+ ; Set CONNECTIVITYINSTANDBY to 1:
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\F15576E8-98B7-4186-B944-EAFA664402D9]
+ "Attributes"=dword:00000001
+ ; Set EnforceDisconnectedStandby to 0 and AllowSystemRequiredPowerRequests to 1:
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power]
+ "EnforceDisconnectedStandby"=dword:00000000
+ "AllowSystemRequiredPowerRequests"=dword:00000001
+ ```
2. Run the following command
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
index 2be171841b..36283c8d84 100644
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -1,5 +1,5 @@
---
-title: Windows Autopilot and Surface Devices
+title: Windows Autopilot and Surface devices
ms.reviewer:
manager: dansimp
description: Find out about Windows Autopilot deployment options for Surface devices.
@@ -18,22 +18,27 @@ ms.date: 11/26/2019
# Windows Autopilot and Surface devices
-Windows Autopilot is a cloud-based deployment technology available in Windows 10. Using Windows Autopilot, you can remotely deploy and configure devices in a zero-touch process right out of the box. Windows Autopilot registered devices are identified over the internet at first boot using a unique device signature, known as a hardware hash, and automatically enrolled and configured using modern management solutions such as Azure Active Directory (AAD) and Mobile Device Management (MDM).
+Windows Autopilot is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot to remotely deploy and configure devices in a zero-touch process right out of the box.
-With Surface devices, you can choose to register your devices at the time of purchase when purchasing from a Surface partner enabled for Windows Autopilot. New devices can be shipped directly to your end-users and will be automatically enrolled and configured when the units are unboxed and turned on for the first time. This process eliminates need to reimage your devices as part of your deployment process, reducing the work required of your deployment staff and opening up new, agile methods for device management and distribution.
+Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a *hardware hash*. They're automatically enrolled and configured by using modern management solutions such as Azure Active Directory (Azure AD) and mobile device management.
+
+You can register Surface devices at the time of purchase from a Surface partner that's enabled for Windows Autopilot. These partners can ship new devices directly to your users. The devices will be automatically enrolled and configured when they are first turned on. This process eliminates reimaging during deployment, which lets you implement new, agile methods of device management and distribution.
## Modern management
-Autopilot is the recommended deployment option for Surface devices including Surface Pro 7, Surface Laptop 3, and Surface Pro X, which is specifically designed to be deployed with Autopilot.
+Autopilot is the recommended deployment option for Surface devices, including Surface Pro 7, Surface Laptop 3, and Surface Pro X, which is specifically designed for deployment through Autopilot.
- For the best experience, enroll your Surface devices with the assistance of a Microsoft Cloud Solution Provider. Doing so enables you to manage UEFI firmware settings on Surface devices directly from Intune, eliminating the need to physically touch devices for certificate management. For more information, see [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md).
+ It's best to enroll your Surface devices with the help of a Microsoft Cloud Solution Provider. This step allows you to manage UEFI firmware settings on Surface directly from Intune. It eliminates the need to physically touch devices for certificate management. See [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) for details.
## Windows version considerations
-Support for broad deployments of Surface devices using Windows Autopilot, including enrollment performed by Surface partners at the time of purchase, requires devices manufactured with or otherwise installed with Windows 10 Version 1709 (Fall Creators Update) or later. These versions support a 4000-byte (4k) hash value to uniquely identify devices for Windows Autopilot that is necessary for deployments at scale. All new Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3 ship with Windows 10 Version 1903 or above.
+Broad deployment of Surface devices through Windows Autopilot, including enrollment by Surface partners at the time of purchase, requires Windows 10 Version 1709 (Fall Creators Update) or later.
+
+These Windows versions support a 4,000-byte (4k) hash value that uniquely identifies devices for Windows Autopilot, which is necessary for deployments at scale. All new Surface devices, including Surface Pro 7, Surface Pro X, and Surface Laptop 3, ship with Windows 10 Version 1903 or later.
## Surface partners enabled for Windows Autopilot
-Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management.
-When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include:
+Select Surface partners can enroll Surface devices in Windows Autopilot for you at the time of purchase. They can also ship enrolled devices directly to your users. The devices can be configured entirely through a zero-touch process by using Windows Autopilot, Azure AD, and mobile device management.
+
+Surface partners that are enabled for Windows Autopilot include:
- [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp)
- [Atea](https://www.atea.com/)
@@ -48,6 +53,6 @@ When you purchase Surface devices from a Surface partner enabled for Windows Aut
- [Techdata](https://www.techdata.com/)
## Learn more
-For more information about Windows Autopilot, refer to:
+For more information about Windows Autopilot, see:
- [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot)
- [Windows Autopilot requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements)
\ No newline at end of file
diff --git a/mdop/agpm/troubleshooting-agpm40-upgrades.md b/mdop/agpm/troubleshooting-agpm40-upgrades.md
index c19488dbb0..0275e8dc91 100644
--- a/mdop/agpm/troubleshooting-agpm40-upgrades.md
+++ b/mdop/agpm/troubleshooting-agpm40-upgrades.md
@@ -39,3 +39,18 @@ This section lists common issues that you may encounter when you upgrade your Ad
- Install the required hotfix.
- Connect to AGPM using an AGPM client to test that your difference reports are now functioning.
+
+## Install Hotfix Package 1 for Microsoft Advanced Group Policy Management 4.0 SP3
+
+**Issue fixed in this hotfix**: AGPM can't generate difference reports when it controls or manages new Group Policy Objects (GPOs).
+
+**How to get this update**: Install the latest version of Microsoft Desktop Optimization Pack ([March 2017 Servicing Release](https://www.microsoft.com/download/details.aspx?id=54967)). See [KB 4014009](https://support.microsoft.com/help/4014009/) for more information.
+
+More specifically, you can choose to download only the first file, `AGPM4.0SP1_Server_X64_KB4014009.exe`, from the list presented after pressing the download button.
+
+The download link to the Microsoft Desktop Optimization Pack (March 2017 Servicing Release) can be found [here](https://www.microsoft.com/download/details.aspx?id=54967).
+
+
+## Reference link
+https://support.microsoft.com/help/3127165/hotfix-package-1-for-microsoft-advanced-group-policy-management-4-0-sp
+
diff --git a/mdop/docfx.json b/mdop/docfx.json
index c037b4fa3c..e6f79ff24a 100644
--- a/mdop/docfx.json
+++ b/mdop/docfx.json
@@ -51,7 +51,8 @@
"jborsecnik",
"tiburd",
"garycentric"
- ]
+ ],
+ "titleSuffix": "Microsoft Desktop Optimization Pack"
},
"externalReference": [],
"template": "op.html",
diff --git a/mdop/mbam-v2/TOC.md b/mdop/mbam-v2/TOC.md
index ee098e3a8b..4bb822bfb4 100644
--- a/mdop/mbam-v2/TOC.md
+++ b/mdop/mbam-v2/TOC.md
@@ -36,8 +36,8 @@
## [Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md)
### [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md)
#### [Getting Started - Using MBAM with Configuration Manager](getting-started---using-mbam-with-configuration-manager.md)
-#### [Planning to Deploy MBAM with Configuration Manager [2 [MBAM_2](planning-to-deploy-mbam-with-configuration-manager-2.md)
-#### [Deploying MBAM with Configuration Manager [MBAM2 [MBAM_2](deploying-mbam-with-configuration-manager-mbam2.md)
+#### [Planning to Deploy MBAM with Configuration Manager](planning-to-deploy-mbam-with-configuration-manager-2.md)
+#### [Deploying MBAM with Configuration Manager](deploying-mbam-with-configuration-manager-mbam2.md)
##### [How to Create or Edit the mof Files](how-to-create-or-edit-the-mof-files.md)
###### [Edit the Configuration.mof File](edit-the-configurationmof-file.md)
###### [Create or Edit the Sms_def.mof File](create-or-edit-the-sms-defmof-file.md)
diff --git a/mdop/mbam-v25/deploy-mbam.md b/mdop/mbam-v25/deploy-mbam.md
index eefee88047..a921105176 100644
--- a/mdop/mbam-v25/deploy-mbam.md
+++ b/mdop/mbam-v25/deploy-mbam.md
@@ -1,13 +1,14 @@
---
title: Deploying MBAM 2.5 in a stand-alone configuration
description: Introducing how to deploy MBAM 2.5 in a stand-alone configuration.
-author: delhan
+author: Deland-Han
ms.reviewer: dcscontentpm
manager: dansimp
ms.author: delhan
ms.sitesec: library
ms.prod: w10
ms.date: 09/16/2019
+manager: dcscontentpm
---
# Deploying MBAM 2.5 in a standalone configuration
diff --git a/mdop/mbam-v25/troubleshooting-mbam-installation.md b/mdop/mbam-v25/troubleshooting-mbam-installation.md
index d58974a50e..d8e8d0fc89 100644
--- a/mdop/mbam-v25/troubleshooting-mbam-installation.md
+++ b/mdop/mbam-v25/troubleshooting-mbam-installation.md
@@ -1,13 +1,14 @@
---
title: Troubleshooting MBAM 2.5 installation problems
description: Introducing how to troubleshoot MBAM 2.5 installation problems.
-author: delhan
+author: Deland-Han
ms.reviewer: dcscontentpm
manager: dansimp
ms.author: delhan
ms.sitesec: library
ms.prod: w10
ms.date: 09/16/2019
+manager: dcscontentpm
---
# Troubleshooting MBAM 2.5 installation problems
@@ -386,7 +387,7 @@ Basic checks:
* If the communication between client and server is secure, make sure that you are using a valid SSL certificate.
-* Verify network connectivity between the web server and the database server to which the data is sent for insertion. You can check database connectivity from the web server to the database server by using ODBC Data Source Administrator. Detailed SQL Server connection troubleshooting information is available in [How to Troubleshoot Connecting to the SQL Server Database Engine](http://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx).
+* Verify network connectivity between the web server and the database server to which the data is sent for insertion. You can check database connectivity from the web server to the database server by using ODBC Data Source Administrator. Detailed SQL Server connection troubleshooting information is available in [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx).
#### Troubleshooting the connectivity issue
@@ -528,11 +529,11 @@ The web service may not connect to the database server because of a permissions
* These groups do not have the required permissions on the database.
-You will notice permissions-related errors in the Application logs on the MBAM administration and monitoring server if any of the previous conditions are true. In that case, you should manually add the NT Authority\Network Service account and MBAM administration server’s computer account and grant them a server-wide public role on the SQL database server that is using SQL Server Management Studio (http://msdn.microsoft.com/en-us/library/aa337562.aspx).
+You will notice permissions-related errors in the Application logs on the MBAM administration and monitoring server if any of the previous conditions are true. In that case, you should manually add the NT Authority\Network Service account and MBAM administration server’s computer account and grant them a server-wide public role on the SQL database server that is using SQL Server Management Studio (https://msdn.microsoft.com/library/aa337562.aspx).
#### Review the web service logs
-If no events are logged in the Application logs on the MBAM administration server, it’s time to review the web service logs (.svclog) of the MBAM web service that is hosted on the MBAM administration and monitoring server. You will have to use the Service Trace Viewer Tool (SvcTraceViewer.exe) http://msdn.microsoft.com/en-us/library/ms732023.aspx to view the log file.
+If no events are logged in the Application logs on the MBAM administration server, it’s time to review the web service logs (.svclog) of the MBAM web service that is hosted on the MBAM administration and monitoring server. You will have to use the Service Trace Viewer Tool (SvcTraceViewer.exe) https://msdn.microsoft.com/library/ms732023.aspx to view the log file.
You should primarily investigate the service trace logs of RecoveryandHardwareService and ComplianceStatusService. By default, web service logs are located in the C:\inetpub\Microsoft BitLocker Management Solution\Logs folder. There, each service writes its .svclog file under its own folder.
diff --git a/mdop/mbam-v25/upgrade-mbam2.5-sp1.md b/mdop/mbam-v25/upgrade-mbam2.5-sp1.md
index c9f0e46454..153757ee67 100644
--- a/mdop/mbam-v25/upgrade-mbam2.5-sp1.md
+++ b/mdop/mbam-v25/upgrade-mbam2.5-sp1.md
@@ -12,7 +12,7 @@ ms.localizationpriority: Normal
# Upgrade from MBAM 2.5 to MBAM 2.5 SP1 Servicing Release Update
-This article provides step-by-step instructions to upgrade Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 to MBAM 2.5 Service Pack 1 (SP1) together with the Microsoft Desktop Optimization Pack (MDOP) July 2018 servicing update in a standalone configuration.
+This article provides step-by-step instructions to upgrade Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 to MBAM 2.5 Service Pack 1 (SP1) together with the [Microsoft Desktop Optimization Pack (MDOP) May 2019 servicing update](https://support.microsoft.com/help/4505175/may-2019-servicing-release-for-microsoft-desktop-optimization-pack) in a standalone configuration.
In this guide, we will use a two-server configuration. One server will be a database server that's running Microsoft SQL Server 2016. This server will host the MBAM databases and reports. The other server will be a Windows Server 2012 R2 web server. This server will host "Administration and Monitoring" and "Self-Service Portal."
diff --git a/smb/docfx.json b/smb/docfx.json
index 1c1ce5a53a..a5644a3f2b 100644
--- a/smb/docfx.json
+++ b/smb/docfx.json
@@ -47,7 +47,8 @@
"jborsecnik",
"tiburd",
"garycentric"
- ]
+ ],
+ "titleSuffix": "Windows for Small to Midsize Business"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md
index 2ae0e03c13..fdb6834a7a 100644
--- a/windows/application-management/change-history-for-application-management.md
+++ b/windows/application-management/change-history-for-application-management.md
@@ -1,6 +1,6 @@
---
title: Change history for Application management in Windows 10 (Windows 10)
-description: This topic lists changes to documentation for configuring Windows 10.
+description: View changes to documentation for application management in Windows 10.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 6f3c2b6c50..09bd474c3e 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -42,7 +42,8 @@
"depot_name": "MSDN.win-app-management",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "titleSuffix": "Windows Application Management"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md
index 05d41bdfa9..cb93e0fb3b 100644
--- a/windows/client-management/TOC.md
+++ b/windows/client-management/TOC.md
@@ -4,6 +4,7 @@
## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
## [New policies for Windows 10](new-policies-for-windows-10.md)
+## [Windows 10 default media removal policy](change-default-removal-policy-external-storage-media.md)
## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md)
## [What version of Windows am I running](windows-version-search.md)
@@ -30,5 +31,6 @@
#### [Advanced troubleshooting for Windows-based computer freeze](troubleshoot-windows-freeze.md)
#### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md)
#### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
+#### [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index a9442e6fe9..5986263a1e 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -220,7 +220,6 @@ If Windows cannot load the system registry hive into memory, you must restore th
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
-
## Kernel Phase
If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following:
@@ -228,8 +227,9 @@ If the system gets stuck during the kernel phase, you experience multiple sympto
- A Stop error appears after the splash screen (Windows Logo screen).
- Specific error code is displayed.
- For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
+ For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
+ - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
+ - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md
new file mode 100644
index 0000000000..5de58be176
--- /dev/null
+++ b/windows/client-management/change-default-removal-policy-external-storage-media.md
@@ -0,0 +1,50 @@
+---
+title: Windows 10 default media removal policy
+description: In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal."
+ms.prod: w10
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 12/13/2019
+ms.prod: w10
+ms.topic: article
+ms.custom:
+- CI 111493
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: medium
+manager: kaushika
+---
+
+# Change in default removal policy for external storage media in Windows 10, version 1809
+
+Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**.
+
+In earlier versions of Windows, the default policy was **Better performance**.
+
+You can change the policy setting for each external device, and the policy that you set remains in effect if you disconnect the device and then connect it again to the same computer port.
+
+## More information
+
+You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects:
+
+* **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance.
+* **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
+ > [!IMPORTANT]
+ > If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data.
+
+ > [!NOTE]
+ > If you select **Better performance**, we recommend that you also select **Enable write caching on the device**.
+
+To change the policy for an external storage device:
+
+1. Connect the device to the computer.
+2. Right-click **Start**, then select **File Explorer**.
+3. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**).
+4. Right-click **Start**, then select **Disk Management**.
+5. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**.
+
+ 
+
+6. Select **Policies**, and then select the policy you want to use.
+
+ 
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md
index 4f2cab1d56..8265dd9abc 100644
--- a/windows/client-management/change-history-for-client-management.md
+++ b/windows/client-management/change-history-for-client-management.md
@@ -1,6 +1,6 @@
---
title: Change history for Client management (Windows 10)
-description: This topic lists changes to documentation for configuring Windows 10.
+description: View changes to documentation for client management in Windows 10.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
@@ -9,7 +9,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 12/06/2018
+ms.date: 12/27/2019
ms.reviewer:
manager: dansimp
ms.topic: article
@@ -19,6 +19,13 @@ ms.topic: article
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## December 2019
+
+New or changed topic | Description
+--- | ---
+[Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New
+[Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) | New
+
## December 2018
New or changed topic | Description
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index d687294412..ffd1c9d266 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -44,7 +44,8 @@
"depot_name": "MSDN.win-client-management",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "titleSuffix": "Windows Client Management"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/client-management/images/change-def-rem-policy-1.png b/windows/client-management/images/change-def-rem-policy-1.png
new file mode 100644
index 0000000000..4d99854104
Binary files /dev/null and b/windows/client-management/images/change-def-rem-policy-1.png differ
diff --git a/windows/client-management/images/change-def-rem-policy-2.png b/windows/client-management/images/change-def-rem-policy-2.png
new file mode 100644
index 0000000000..d05d5dd16f
Binary files /dev/null and b/windows/client-management/images/change-def-rem-policy-2.png differ
diff --git a/windows/client-management/index.md b/windows/client-management/index.md
index ff70171304..3838366e1a 100644
--- a/windows/client-management/index.md
+++ b/windows/client-management/index.md
@@ -23,6 +23,7 @@ Learn about the administrative tools, tasks and best practices for managing Wind
|[Connect to remote Azure Active Directory-joined PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)|
|[Join Windows 10 Mobile to Azure AD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|
|[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10|
+|[Windows 10 default media removal policy](change-default-removal-policy-external-storage-media.md) |In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal." |
|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
| [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) | Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. |
|[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options|
diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md
index 662ae5f90e..cee81bcd72 100644
--- a/windows/client-management/introduction-page-file.md
+++ b/windows/client-management/introduction-page-file.md
@@ -8,7 +8,7 @@ author: Deland-Han
ms.localizationpriority: medium
ms.author: delhan
ms.reviewer: greglin
-manager: willchen
+manager: dcscontentpm
---
# Introduction to page files
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index b2e9438fba..9d7b5546ff 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -31,6 +31,7 @@ When the server that stores the mandatory profile is unavailable, such as when t
User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
+
## Profile extension for each Windows version
The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index f14ec54b3b..04edf1f24d 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -1,6 +1,6 @@
---
title: AccountManagement CSP
-description: Used to configure settings in the Account Manager service
+description: Learn about the AccountManagement CSP, which is used to configure settings in the Account Manager service.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md
index 6f6df91fe0..35fd257acb 100644
--- a/windows/client-management/mdm/accountmanagement-ddf.md
+++ b/windows/client-management/mdm/accountmanagement-ddf.md
@@ -1,6 +1,6 @@
---
title: AccountManagement DDF file
-description: Used to configure settings in the Account Manager service
+description: View the OMA DM device description framework (DDF) for the AccountManagement configuration service provider. This file is used to configure settings.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index a0cc7de5dd..d6d6a9fc16 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -1,6 +1,6 @@
---
title: Accounts CSP
-description: The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and joint it to a local user group.
+description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, as well as create local Windows accounts & joint them to a group.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md
index 0815b489ba..c4a1538d53 100644
--- a/windows/client-management/mdm/accounts-ddf-file.md
+++ b/windows/client-management/mdm/accounts-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Accounts DDF file
-description: XML file containing the device description framework
+description: XML file containing the device description framework for the Accounts configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
index 60449c917c..f6d3ef7a2f 100644
--- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md
+++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
@@ -1,6 +1,6 @@
---
title: ApplicationControl CSP DDF
-description: This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: View the OMA DM device description framework (DDF) for the ApplicationControl configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index dbbecb3b74..5a4fd15cf0 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -1,6 +1,6 @@
---
title: ApplicationControl CSP
-description: ApplicationControl CSP
+description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from a MDM server.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index d17799b5a8..c5b559cf50 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -36,8 +36,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
> - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
-
-
+> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
## What you need
@@ -169,4 +168,3 @@ Here are links to step-by-step provisioning topics in Technet.
-
diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md
index ae68a73283..9a2630fdb4 100644
--- a/windows/client-management/mdm/certificatestore-ddf-file.md
+++ b/windows/client-management/mdm/certificatestore-ddf-file.md
@@ -1,6 +1,6 @@
---
title: CertificateStore DDF file
-description: This topic shows the OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: Learn about OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used with OMA DM provisioning XML.
ms.assetid: D9A12D4E-3122-45C3-AD12-CC4FFAEC08B8
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md
index 5b7d432911..c70da05dae 100644
--- a/windows/client-management/mdm/cleanpc-csp.md
+++ b/windows/client-management/mdm/cleanpc-csp.md
@@ -1,6 +1,6 @@
---
title: CleanPC CSP
-description: The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
+description: The CleanPC configuration service provider (CSP) allows you to remove user-installed and pre-installed applications, with the option to persist user data.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index 13a78b2032..eb09896b90 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -1,6 +1,6 @@
---
title: Mobile device management MDM for device updates
-description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology.
+description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777
ms.reviewer:
manager: dansimp
@@ -90,7 +90,7 @@ The response of the GetUpdateData call returns an array of ServerSyncUpdateData
- **Language** – The language code identifier (LCID). For example, en or es.
- **Title** – Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)”
- **Description** – Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you have installed this item, it cannot be removed.”
-- **KBArticleID** – The KB article number for this update that has details regarding the particular update. For example, .
+- **KBArticleID** – The KB article number for this update that has details regarding the particular update. For example, .
## Recommended Flow for Using the Server-Server Sync Protocol
@@ -635,7 +635,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
> [!Important]
-> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise.
+> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Enterprise.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md
index 724027f5f0..3bf0368ffd 100644
--- a/windows/client-management/mdm/devicemanageability-csp.md
+++ b/windows/client-management/mdm/devicemanageability-csp.md
@@ -1,6 +1,6 @@
---
title: DeviceManageability CSP
-description: The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
+description: The DeviceManageability configuration service provider (CSP) is used retrieve general information about MDM configuration capabilities on the device.
ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index 2191e66e9c..06e4d21323 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -1,6 +1,6 @@
---
title: DeviceStatus CSP
-description: The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
+description: The DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
index 5c2dcefdc4..db52ac149a 100644
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@@ -1,6 +1,6 @@
---
title: Diagnose MDM failures in Windows 10
-description: To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop or mobile device. The following sections describe the procedures for collecting MDM logs.
+description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server.
ms.assetid: 12D8263B-D839-4B19-9346-31E0CDD0CBF9
ms.reviewer:
manager: dansimp
@@ -118,7 +118,7 @@ Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medi
**To collect logs manually**
-1. Download and install the [Field Medic]( http://go.microsoft.com/fwlink/p/?LinkId=718232) app from the store.
+1. Download and install the [Field Medic]( https://go.microsoft.com/fwlink/p/?LinkId=718232) app from the store.
2. Open the Field Medic app and then click on **Advanced**.
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 7946edba39..4767766c8c 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -1,6 +1,6 @@
---
title: DMClient CSP
-description: The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment.
+description: Understand how the DMClient configuration service provider works. It is used to specify enterprise-specific mobile device management configuration settings.
ms.assetid: a5cf35d9-ced0-4087-a247-225f102f2544
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 03e82dc9e8..f687502610 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -1,6 +1,6 @@
---
title: EAP configuration
-description: The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10.
+description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, plus info about EAP certificate filtering in Windows 10.
ms.assetid: DD3F2292-4B4C-4430-A57F-922FED2A8FAE
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
index 84b5bb69b0..e70eed0ce5 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
@@ -1,6 +1,6 @@
---
title: EnrollmentStatusTracking DDF
-description: This topic shows the OMA DM device description framework (DDF) for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: View the OMA DM device description framework (DDF) for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md
index 5fba2bac07..6faa0a9b38 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md
@@ -1,6 +1,6 @@
---
title: EnrollmentStatusTracking CSP
-description: During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed.
+description: Learn how to perform a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index 3e69ceaa92..70759a6c03 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseDataProtection CSP
-description: The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings.
+description: The EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3
ms.reviewer:
manager: dansimp
@@ -249,7 +249,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys
-- 1 (dafault) - Revoke keys
+- 1 (default) - Revoke keys
Supported operations are Add, Get, Replace and Delete. Value type is integer.
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
index 97c5865d7e..f52b397125 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@@ -1,6 +1,6 @@
---
title: EnterpriseDesktopAppManagement CSP
-description: The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications.
+description: The EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications.
ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index bc80bbff44..481d57ea45 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -1,6 +1,6 @@
---
title: Provide server-side support for mobile app management on Windows
-description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP).
+description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index 01ee6820fc..44d416b67a 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -1,6 +1,6 @@
---
title: Mobile device management
-description: Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users’ privacy on their personal devices.
+description: Windows 10 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy
MS-HAID:
- 'p\_phDeviceMgmt.provisioning\_and\_device\_management'
- 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm'
@@ -10,7 +10,6 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
-ms.date: 01/25/2019
---
# Mobile device management
@@ -42,14 +41,16 @@ The MDM security baseline includes policies that cover the following areas:
- And much more
For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see:
+
+- [MDM Security baseline for Windows 10, version 1909](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1909-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1903](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
-
+
## Learn about migrating to MDM
When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy settings in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf).
diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md
index 24cf91748a..2e34159750 100644
--- a/windows/client-management/mdm/multisim-ddf.md
+++ b/windows/client-management/mdm/multisim-ddf.md
@@ -1,6 +1,6 @@
---
title: MultiSIM DDF file
-description: XML file containing the device description framework
+description: XML file containing the device description framework for the MultiSIM configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md
index 7ee6042e75..7535a3ce20 100644
--- a/windows/client-management/mdm/networkqospolicy-ddf.md
+++ b/windows/client-management/mdm/networkqospolicy-ddf.md
@@ -1,6 +1,6 @@
---
title: NetworkQoSPolicy DDF
-description: This topic shows the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML
ms.assetid:
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 15f103ba47..77441ceba1 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -1,6 +1,6 @@
---
title: What's new in MDM enrollment and management
-description: This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
+description: Discover what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
MS-HAID:
- 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview'
- 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management'
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index f8dfc0e3c3..fbb49aae1f 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -206,7 +206,7 @@ This node is deprecated. Use **Biometrics/UseBiometrics** node instead.
**Biometrics** (only for ./Device/Vendor/MSFT)
Node for defining biometric settings. This node was added in Windows 10, version 1511.
-*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
+*Not supported on Windows Holographic and Windows Holographic for Business.*
**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511.
@@ -217,7 +217,7 @@ Default value is true, enabling the biometric gestures for use with Windows Hell
Supported operations are Add, Get, Delete, and Replace.
-*Not supported on Windows Holographic and Windows Holographic for Business.*
+*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511.
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 7eaea8a237..f5b345d7d6 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -1,6 +1,6 @@
---
title: PassportForWork DDF
-description: This topic shows the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md
index fce0c40f17..7c7efc8c73 100644
--- a/windows/client-management/mdm/policy-csp-appruntime.md
+++ b/windows/client-management/mdm/policy-csp-appruntime.md
@@ -99,14 +99,5 @@ ADMX Info:
-Footnotes:
-
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-- 3 - Added in Windows 10, version 1709.
-- 4 - Added in Windows 10, version 1803.
-- 5 - Added in Windows 10, version 1809.
-- 6 - Added in Windows 10, version 1903.
-
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 0a4dde8690..0968a81bc8 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - DeviceHealthMonitoring
-description: Policy CSP - TimeLanguageSettings
+description: Learn which DeviceHealthMonitoring policies are supported for your edition of Windows.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 2f1d95383c..ffc5c62bec 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - TimeLanguageSettings
-description: Policy CSP - TimeLanguageSettings
+description: Learn which TimeLanguageSettings policies are supported for your edition of Windows.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index d096ead06d..9d98a92f10 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -4248,7 +4248,7 @@ ADMX Info:
> [!IMPORTANT]
-> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
+> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
index 0f8b376074..30c3b3aa9f 100644
--- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
+++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
@@ -1,6 +1,6 @@
---
title: Register your free Azure Active Directory subscription
-description: If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD.
+description: Paid subscribers to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, have a free subscription to Azure AD.
ms.assetid: 97DCD303-BB11-4AFF-84FE-B7F14CDF64F7
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md
index 41ad075f64..5b16192077 100644
--- a/windows/client-management/mdm/reporting-ddf-file.md
+++ b/windows/client-management/mdm/reporting-ddf-file.md
@@ -1,6 +1,6 @@
---
title: Reporting DDF file
-description: This topic shows the OMA DM device description framework (DDF) for the Reporting configuration service provider. This CSP was added in Windows 10, version 1511. Support for desktop security auditing was added for the desktop in Windows 10, version 1607.
+description: View the OMA DM device description framework (DDF) for the Reporting configuration service provider.
ms.assetid: 7A5B79DB-9571-4F7C-ABED-D79CD08C1E35
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md
index f294bbb8a3..383470060b 100644
--- a/windows/client-management/mdm/secureassessment-ddf-file.md
+++ b/windows/client-management/mdm/secureassessment-ddf-file.md
@@ -1,6 +1,6 @@
---
title: SecureAssessment DDF file
-description: This topic shows the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML.
+description: View the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML
ms.assetid: 68D17F2A-FAEA-4608-8727-DBEC1D7BE48A
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index 041b690a01..ad901702a5 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -1,6 +1,6 @@
---
title: TenantLockdown DDF file
-description: XML file containing the device description framework
+description: XML file containing the device description framework for the TenantLockdown configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md
index f9ff52da32..ae0b5e11c1 100644
--- a/windows/client-management/mdm/unifiedwritefilter-csp.md
+++ b/windows/client-management/mdm/unifiedwritefilter-csp.md
@@ -1,6 +1,6 @@
---
title: UnifiedWriteFilter CSP
-description: The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type.
+description: The UnifiedWriteFilter (UWF) configuration service provider allows you to remotely manage the UWF. Understand how it helps protect physical storage media.
ms.assetid: F4716AC6-0AA5-4A67-AECE-E0F200BA95EB
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
index e86a9edcc0..ce4b0b3bf3 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
@@ -1,6 +1,6 @@
---
title: Win32CompatibilityAppraiser DDF file
-description: XML file containing the device description framework
+description: XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
index 75f0d91a1b..a8be6bba9c 100644
--- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
@@ -1,6 +1,6 @@
---
title: Enterprise settings, policies, and app management
-description: The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax.
+description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow.
MS-HAID:
- 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management'
- 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings'
diff --git a/windows/client-management/mdm/windowssecurityauditing-ddf-file.md b/windows/client-management/mdm/windowssecurityauditing-ddf-file.md
index a42d7ec535..c4710fae63 100644
--- a/windows/client-management/mdm/windowssecurityauditing-ddf-file.md
+++ b/windows/client-management/mdm/windowssecurityauditing-ddf-file.md
@@ -1,6 +1,6 @@
---
title: WindowsSecurityAuditing DDF file
-description: This topic shows the OMA DM device description framework (DDF) for the WindowsSecurityAuditing configuration service provider. This CSP was added in Windows 10, version 1511.
+description: View the OMA DM device description framework (DDF) for the WindowsSecurityAuditing configuration service provider.
ms.assetid: B1F9A5FA-185B-48C6-A7F4-0F0F23B971F0
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index c5727c4674..92f6496c2d 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -1,6 +1,6 @@
---
title: WiredNetwork CSP
-description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet.
+description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP. Learn how it works.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index da9546ba23..da5cc3e5c8 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -23,7 +23,7 @@ ms.topic: reference
- Windows 10
- Windows 10 Mobile
-Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/details.aspx?id=56121).
+Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/100591).
## New Group Policy settings in Windows 10, version 1809
@@ -497,4 +497,3 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=
-
diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md
new file mode 100644
index 0000000000..b774919abf
--- /dev/null
+++ b/windows/client-management/troubleshoot-event-id-41-restart.md
@@ -0,0 +1,121 @@
+---
+title: Advanced troubleshooting for Event ID 41 - "The system has rebooted without cleanly shutting down first"
+description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 12/27/2019
+ms.prod: w10
+ms.topic: article
+ms.custom:
+- CI 111437
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: medium
+keywords: event id 41, reboot, restart, stop error, bug check code
+manager: kaushika
+
+---
+
+# Advanced troubleshooting for Event ID 41: "The system has rebooted without cleanly shutting down first"
+
+> **Home users**
+> This article is intended for use by support agents and IT professionals. If you're looking for more information about blue screen error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors).
+
+The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. When you use this standard method, the operating system closes all files and notifies the running services and applications so that they can write any unsaved data to disk and flush any active caches.
+
+If your computer shuts down unexpectedly, Windows logs Event ID 41 the next time that the computer starts. The event text resembles the following:
+
+> Event ID: 41
+> Description: The system has rebooted without cleanly shutting down first.
+
+This event indicates that some unexpected activity prevented Windows from shutting down correctly. Such a shutdown might be caused by an interruption in the power supply or by a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and includes any existing codes in the event data of Event ID 41.
+
+> EventData
+> BugcheckCode 159
+> BugcheckParameter1 0x3
+> BugcheckParameter2 0xfffffa80029c5060
+> BugcheckParameter3 0xfffff8000403d518
+> BugcheckParameter4 0xfffffa800208c010
+> SleepInProgress false
+> PowerButtonTimestamp 0Converts to 0x9f (0x3, 0xfffffa80029c5060, 0xfffff8000403d518, 0xfffffa800208c010)
+
+## How to use Event ID 41 when you troubleshoot an unexpected shutdown or restart
+
+By itself, Event ID 41 might not contain sufficient information to explicitly define what occurred. Typically, you have to also consider what was occurring at the time of the unexpected shutdown (for example, the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances:
+
+- [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a Stop error (bug check) code
+- [Scenario 2](#scen2): The computer restarts because you pressed and held the power button
+- [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is not logged or the Event ID 41 entry lists error code values of zero
+
+### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a Stop error (bug check) code
+
+When a computer shuts down or restarts because of a Stop error, Windows includes the Stop error data in Event ID 41 as part of the additional event data. This information includes the Stop error code (also called a bug check code), as shown in the following example:
+
+> EventData
+> BugcheckCode 159
+> BugcheckParameter1 0x3
+> BugcheckParameter2 0xfffffa80029c5060
+> BugcheckParameter3 0xfffff8000403d518
+> BugcheckParameter4 0xfffffa800208c010
+
+> [!NOTE]
+> Event ID 41 includes the bug check code in decimal format. Most documentation that describes bug check codes refers to the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps:
+>
+> 1. Select **Start**, type **calc** in the **Search** box, and then select **Calculator**.
+> 1. In the **Calculator** window, select **View** > **Programmer**.
+> 1. On the left side of calculator, verify that **Dec** is highlighted.
+> 1. Use the keyboard to enter the decimal value of the bug check code.
+> 1. On the left side of the calculator, select **Hex**.
+> The value that the calculator displays is now the hexadecimal code.
+>
+> When you convert a bug check code to hexadecimal format, verify that the “0x” designation is followed by eight digits (that is, the part of the code after the “x” includes enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f.
+
+After you identify the hexadecimal value, use the following references to continue troubleshooting:
+
+- [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md).
+- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes.
+- [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](https://blogs.technet.microsoft.com/askcore/2008/10/31/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners/).
+
+### Scenario 2: The computer restarts because you pressed and held the power button
+
+Because this method of restarting the computer interferes with the Windows shutdown operation, we recommend that you use this method only if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the computer logs an Event ID 41 that includes a non-zero value for the **PowerButtonTimestamp** entry.
+
+For help when troubleshooting an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen."
+
+### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is not recorded or the Event ID 41 entry or lists error code values of zero
+
+This scenario includes the following circumstances:
+
+- You shut off power to an unresponsive computer, and then you restart the computer.
+ To verify that a computer is unresponsive, press the CAPS LOCK key on the keyboard. If the CAPS LOCK light on the keyboard does not change when you press the CAPS LOCK key, the computer might be completely unresponsive (also known as a *hard hang*).
+- The computer restarts, but it does not generate Event ID 41.
+- The computer restarts and generates Event ID 41, but the **BugcheckCode** and **PowerButtonTimestamp** values are zero.
+
+In such cases, something prevents Windows from generating error codes or from writing error codes to disk. Something might block write access to the disk (as in the case of an unresponsive computer) or the computer might shut down too quickly to write the error codes or even detect an error.
+
+The information in Event ID 41 provides some indication of where to start checking for problems:
+
+- **Event ID 41 is not recorded or the bug check code is zero**. This behavior might indicate a power supply problem. If the power to a computer is interrupted, the computer might shut down without generating a Stop error. If it does generate a Stop error, it might not finish writing the error codes to disk. The next time the computer starts, it might not log Event ID 41. Or, if it does, the bug check code is zero. Conditions such as the following might be the cause:
+ - In the case of a portable computer, the battery was removed or completely drained.
+ - In the case of a desktop computer, the computer was unplugged or experienced a power outage.
+ - The power supply is underpowered or faulty.
+
+- **The PowerButtonTimestamp value is zero**. This behavior might occur if you disconnected the power to a computer that was not responding to input. Conditions such as the following might be the cause:
+ - A Windows process blocked write access to the disk, and you shut down the computer by pressing and holding the power button for at least four seconds.
+ - You disconnected the power to an unresponsive computer.
+
+Typically, the symptoms described in this scenario indicate a hardware problem. To help isolate the problem, do the following:
+
+- **Disable overclocking**. If the computer has overclocking enabled, disable it. Verify that the issue occurs when the system runs at the correct speed.
+- **Check the memory**. Use a memory checker to determine the memory health and configuration. Verify that all memory chips run at the same speed and that every chip is configured correctly in the system.
+- **Check the power supply**. Verify that the power supply has enough wattage to appropriately handle the installed devices. If you added memory, installed a newer processor, installed additional drives, or added external devices, such devices can require more energy than the current power supply can provide consistently. If the computer logged Event ID 41 because the power to the computer was interrupted, consider obtaining an uninterruptible power supply (UPS) such as a battery backup power supply.
+- **Check for overheating**. Examine the internal temperature of the hardware and check for any overheating components.
+
+If you perform these checks and still cannot isolate the problem, set the system to its default configuration and verify whether the issue still occurs.
+
+> [!NOTE]
+> If you see a Stop error message that includes a bug check code, but Event ID 41 does not include that code, change the restart behavior for the computer. To do this, follow these steps:
+>
+> 1. Right-click **My Computer**, then select **Properties** > **Advanced system settings** > **Advanced**.
+> 1. In the **Startup and Recovery** section, select **Settings**.
+> 1. Clear the **Automatically restart** check box.
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index e1100ede91..700b2a16cc 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -2,7 +2,7 @@
title: Change history for Configure Windows 10 (Windows 10)
ms.reviewer:
manager: dansimp
-description: This topic lists changes to documentation for configuring Windows 10.
+description: View changes to documentation for configuring Windows 10.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
@@ -119,7 +119,7 @@ The following topics were moved into the [Privacy](/windows/privacy/index) libra
New or changed topic | Description
--- | ---
-[Configure Windows diagnostic data in your organizationspro](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) | Updated endpoints.
+[Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) | Updated endpoints.
[Configure cellular settings for tablets and PCs](provisioning-apn.md) | Added instructions for confirming that the settings were applied.
## March 2018
@@ -233,4 +233,4 @@ The topics in this library have been updated for Windows 10, version 1703 (also
- [Use the Lockdown Designer app to create a Lockdown XML file](mobile-devices/mobile-lockdown-designer.md)
- [Add image for secondary tiles](start-secondary-tiles.md)
- [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)
-- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703)
\ No newline at end of file
+- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703)
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index 095fa77861..250b7d99b0 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -1,6 +1,6 @@
---
title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization (Windows 10)
-description: How to set up Cortana to help your salespeople get proactive insights on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time.
+description: How to set up Cortana to give salespeople insights on important CRM activities, including sales leads, accounts, and opportunities.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index 351942547a..3ec17f6e6c 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -1,6 +1,6 @@
---
title: Set up and test Cortana with Office 365 in your organization (Windows 10)
-description: How to connect Cortana to Office 365 so your employees are notified about regular meetings, unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late.
+description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index cca8151178..fb9e1c7935 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -2,7 +2,7 @@
title: Cortana integration in your business or enterprise (Windows 10)
ms.reviewer:
manager: dansimp
-description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
+description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 4986e61b5d..ea2a557e39 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -42,7 +42,8 @@
"depot_name": "MSDN.win-configuration",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "titleSuffix": "Configure Windows"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index 876859b5a0..3f608dd8ee 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -1,6 +1,6 @@
---
title: Create a provisioning package (Windows 10)
-description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+description: Learn how to create a provisioning package for Windows 10. Provisioning packages let you quickly configure a device without having to install a new image.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md
index e902d0cfe2..7741d3ba98 100644
--- a/windows/configuration/setup-digital-signage.md
+++ b/windows/configuration/setup-digital-signage.md
@@ -58,7 +58,7 @@ This procedure explains how to configure digital signage using Kiosk Browser on
- Enter a user name and password, and toggle **Auto sign-in** to **Yes**.
- Under **Configure the kiosk mode app**, enter the user name for the account that you're creating.
- For **App type**, select **Universal Windows App**.
- - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe`.
+ - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`.
11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**.
12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu.
- In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`.
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index 15ac23506b..0f0d1cd783 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -1,6 +1,6 @@
---
title: Configure access to Microsoft Store (Windows 10)
-description: IT Pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store.
+description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization.
ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97
ms.reviewer:
manager: dansimp
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index c4c52097cc..cd4f1c3e5b 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -1,252 +1,248 @@
----
-title: Deploy Windows 10 Enterprise licenses
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP
-keywords: upgrade, update, task sequence, deploy
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10 Enterprise licenses
-
-This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
-
->[!NOTE]
->* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
->* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
->* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key.
-
-## Firmware-embedded activation key
-
-To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt
-
-```
-(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey
-```
-
-If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
-
-## Enabling Subscription Activation with an existing EA
-
-If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
-
-1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
-2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
-3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
-4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
-5. The admin can now assign subscription licenses to users.
-
->Use the following process if you need to update contact information and retrigger activation in order to resend the activation email:
-
-1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
-2. Click on **Subscriptions**.
-3. Click on **Online Services Agreement List**.
-4. Enter your agreement number, and then click **Search**.
-5. Click the **Service Name**.
-6. In the **Subscription Contact** section, click the name listed under **Last Name**.
-7. Update the contact information, then click **Update Contact Details**. This will trigger a new email.
-
-Also in this article:
-- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses.
-- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them.
-
-## Active Directory synchronization with Azure AD
-
-You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD.
-
-You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
-
-**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
-
-
-
-**Figure 1. On-premises AD DS integrated with Azure AD**
-
-For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
-
-- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/)
-- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
-
->[!NOTE]
->If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers.
-
-## Preparing for deployment: reviewing requirements
-
-Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
-
-## Assigning licenses to users
-
-Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service:
-
-
-
-The following methods are available to assign licenses:
-
-1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
-2. You can sign in to portal.office.com and manually assign licenses:
-
- 
-
-3. You can assign licenses by uploading a spreadsheet.
-4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available.
-5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses.
-
-## Explore the upgrade experience
-
-Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices?
-
-### Step 1: Join Windows 10 Pro devices to Azure AD
-
-Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703.
-
-**To join a device to Azure AD the first time the device is started**
-
-1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.
-
-
-
- **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
-
-2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
-
-
-
- **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup**
-
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
-
-
-
- **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup**
-
-Now the device is Azure AD joined to the company’s subscription.
-
-**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
-
->[!IMPORTANT]
->Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account.
-
-1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.
-
-
-
- **Figure 5. Connect to work or school configuration in Settings**
-
-2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
-
-
-
- **Figure 6. Set up a work or school account**
-
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
-
-
-
- **Figure 7. The “Let’s get you signed in” dialog box**
-
-Now the device is Azure AD joined to the company’s subscription.
-
-### Step 2: Pro edition activation
-
->[!IMPORTANT]
->If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
->If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
-
-
-
-Figure 7a - Windows 10 Pro activation in Settings
-
-Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).
-
-
-### Step 3: Sign in using Azure AD account
-
-Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
-
-
-
-**Figure 8. Sign in by using Azure AD account**
-
-### Step 4: Verify that Enterprise edition is enabled
-
-You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
-
-
-
-
-**Figure 9 - Windows 10 Enterprise subscription in Settings**
-
-
-If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
-
->[!NOTE]
->If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
->Name: Windows(R), Professional edition
->Description: Windows(R) Operating System, RETAIL channel
->Partial Product Key: 3V66T
-
-## Virtual Desktop Access (VDA)
-
-Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx).
-
-Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
-
-## Troubleshoot the user experience
-
-In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
-
-- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later.
-
-- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed.
-
-Use the following figures to help you troubleshoot when users experience these common problems:
-
-- [Figure 9](#win-10-activated-subscription-active) (above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
-
-- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active.
-
-- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
-
-- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed.
-
-
-
-
-Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings
-
-
-
-
-Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings
-
-
-
-
-Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings
-
-
-### Review requirements on devices
-
-Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
-
-**To determine if a device is Azure Active Directory joined:**
-
-1. Open a command prompt and type **dsregcmd /status**.
-
-2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
-
-**To determine the version of Windows 10:**
-
-- At a command prompt, type:
- **winver**
-
- A popup window will display the Windows 10 version number and detailed OS build information.
-
- If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
+---
+title: Deploy Windows 10 Enterprise licenses
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+ms.author: greglin
+description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10 Enterprise licenses
+
+This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
+
+>[!NOTE]
+>* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
+>* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
+>* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key.
+
+## Firmware-embedded activation key
+
+To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt
+
+```
+(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey
+```
+
+If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
+
+## Enabling Subscription Activation with an existing EA
+
+If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
+
+1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
+2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
+3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
+4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
+5. The admin can now assign subscription licenses to users.
+
+>Use the following process if you need to update contact information and retrigger activation in order to resend the activation email:
+
+1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+2. Click on **Subscriptions**.
+3. Click on **Online Services Agreement List**.
+4. Enter your agreement number, and then click **Search**.
+5. Click the **Service Name**.
+6. In the **Subscription Contact** section, click the name listed under **Last Name**.
+7. Update the contact information, then click **Update Contact Details**. This will trigger a new email.
+
+Also in this article:
+- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses.
+- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them.
+
+## Active Directory synchronization with Azure AD
+
+You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD.
+
+You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
+
+**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
+
+
+
+**Figure 1. On-premises AD DS integrated with Azure AD**
+
+For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
+
+- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/)
+- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
+
+>[!NOTE]
+>If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers.
+
+## Preparing for deployment: reviewing requirements
+
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
+
+## Assigning licenses to users
+
+Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service:
+
+
+
+The following methods are available to assign licenses:
+
+1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
+2. You can sign in to portal.office.com and manually assign licenses:
+
+ 
+
+3. You can assign licenses by uploading a spreadsheet.
+4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available.
+5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses.
+
+## Explore the upgrade experience
+
+Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices?
+
+### Step 1: Join Windows 10 Pro devices to Azure AD
+
+Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703.
+
+**To join a device to Azure AD the first time the device is started**
+
+1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.
+
+
+
+ **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
+
+2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
+
+
+
+ **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup**
+
+3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
+
+
+
+ **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup**
+
+Now the device is Azure AD joined to the company’s subscription.
+
+**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
+
+>[!IMPORTANT]
+>Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account.
+
+1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.
+
+
+
+ **Figure 5. Connect to work or school configuration in Settings**
+
+2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
+
+
+
+ **Figure 6. Set up a work or school account**
+
+3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
+
+
+
+ **Figure 7. The “Let’s get you signed in” dialog box**
+
+Now the device is Azure AD joined to the company’s subscription.
+
+### Step 2: Pro edition activation
+
+>[!IMPORTANT]
+>If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
+>If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
+
+
+
+ Figure 7a - Windows 10 Pro activation in Settings
+
+Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).
+
+
+### Step 3: Sign in using Azure AD account
+
+Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
+
+
+
+**Figure 8. Sign in by using Azure AD account**
+
+### Step 4: Verify that Enterprise edition is enabled
+
+You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
+
+
+
+
+**Figure 9 - Windows 10 Enterprise subscription in Settings**
+
+
+If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
+
+>[!NOTE]
+>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
+>Name: Windows(R), Professional edition
+>Description: Windows(R) Operating System, RETAIL channel
+>Partial Product Key: 3V66T
+
+## Virtual Desktop Access (VDA)
+
+Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx).
+
+Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
+
+## Troubleshoot the user experience
+
+In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
+
+- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later.
+
+- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed.
+
+Use the following figures to help you troubleshoot when users experience these common problems:
+
+- [Figure 9](#win-10-activated-subscription-active) (see the section above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
+
+- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active.
+
+
+
+ Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings
+
+- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
+
+
+
+ Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings
+
+- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed.
+
+
+
+ Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings
+
+### Review requirements on devices
+
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
+
+**To determine if a device is Azure Active Directory joined:**
+
+1. Open a command prompt and type **dsregcmd /status**.
+2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
+
+**To determine the version of Windows 10:**
+
+At a command prompt, type: **winver**
+
+A popup window will display the Windows 10 version number and detailed OS build information.
+
+If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
index 3f8f818281..8741709766 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
@@ -1,6 +1,6 @@
---
title: Configure MDT deployment share rules (Windows 10)
-description: In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine.
+description: Learn how to configure the MDT rules engine to reach out to other resources for additional information instead of storing settings directly in the rules engine.
ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b
ms.reviewer:
manager: laurawi
@@ -27,7 +27,7 @@ When using MDT, you can assign setting in three distinct ways:
- You can prompt the user or technician for information.
- You can have MDT generate the settings automatically.
-In order illustrate these three options, let's look at some sample configurations.
+In order to illustrate these three options, let's look at some sample configurations.
## Sample configurations
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index 4f3771b9d5..2b89867e2e 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -1,50 +1,51 @@
----
-title: Configure MDT settings (Windows 10)
-description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization.
-ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: customize, customization, deploy, features, tools
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Configure MDT settings
-
-One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
-For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-
-
-Figure 1. The machines used in this topic.
-
-## In this section
-
-- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-- [Use web services in MDT](use-web-services-in-mdt.md)
-- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
-
-## Related topics
-
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+---
+title: Configure MDT settings (Windows 10)
+description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities. Learn how to customize your environment.
+ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: customize, customization, deploy, features, tools
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Configure MDT settings
+
+One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
+For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+
+
+
+Figure 1. The machines used in this topic.
+
+## In this section
+
+- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+- [Use web services in MDT](use-web-services-in-mdt.md)
+- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+
+## Related topics
+
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 692b7306a7..9076a17339 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -1,6 +1,6 @@
---
title: Create a task sequence with Configuration Manager (Windows 10)
-description: In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
+description: Create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
index 6ebe0fe528..54b6e72815 100644
--- a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
@@ -1,6 +1,6 @@
---
title: Integrate Configuration Manager with MDT (Windows 10)
-description: This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
+description: Understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy Windows.
ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 2e1b06b5f4..aa2e3ff40e 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -1,6 +1,6 @@
---
title: Prepare for deployment with MDT (Windows 10)
-description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
+description: Learn how to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index dee4dd39d2..f02158277d 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -1,6 +1,6 @@
---
title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10)
-description: A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer.
+description: Learn how to replace a Windows 7 device with a Windows 10 device. Although the process is similar to performing a refresh, you'll need to backup data externally
ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
index 234a716425..e7cabd8fec 100644
--- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
@@ -1,177 +1,178 @@
----
-title: Use Orchestrator runbooks with MDT (Windows 10)
-description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
-ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: web services, database
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Use Orchestrator runbooks with MDT
-
-This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
-MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required.
-
-**Note**
-If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
-
-## Orchestrator terminology
-
-Before diving into the core details, here is a quick course in Orchestrator terminology:
-- **Orchestrator Server.** This is a server that executes runbooks.
-- **Runbooks.** A runbook is similar to a task sequence; it is a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
-- **Orchestrator Designer.** This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
-- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
-- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
-- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
-- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
-
-**Note**
-To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](https://go.microsoft.com/fwlink/p/?LinkId=619554).
-
-## Create a sample runbook
-
-This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01.
-
-1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS).
-2. In the **E:\\Logfile** folder, create the DeployLog.txt file.
- **Note**
- Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt.
-
- 
-
- Figure 23. The DeployLog.txt file.
-
-3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder.
-
- 
-
- Figure 24. Folder created in the Runbooks node.
-
-4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**.
-5. On the ribbon bar, click **Check Out**.
-6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**.
-7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane:
- 1. Runbook Control / Initialize Data
- 2. Text File Management / Append Line
-8. Connect **Initialize Data** to **Append Line**.
-
- 
-
- Figure 25. Activities added and connected.
-
-9. Right-click the **Initialize Data** activity, and select **Properties**
-10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**.
-
- 
-
- Figure 26. The Initialize Data Properties window.
-
-11. Right-click the **Append Line** activity, and select **Properties**.
-12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**.
-13. In the **File** encoding drop-down list, select **ASCII**.
-14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
-
- 
-
- Figure 27. Expanding the Text area.
-
-15. In the blank text box, right-click and select **Subscribe / Published Data**.
-
- 
-
- Figure 28. Subscribing to data.
-
-16. In the **Published Data** window, select the **OSDComputerName** item, and click **OK**.
-17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
-18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**.
-
- 
-
- Figure 29. The expanded text box after all subscriptions have been added.
-
-19. On the **Append Line Properties** page, click **Finish**.
- ## Test the demo MDT runbook
- After the runbook is created, you are ready to test it.
-20. On the ribbon bar, click **Runbook Tester**.
-21. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**:
- - OSDComputerName: PC0010
-22. Verify that all activities are green (for additional information, see each target).
-23. Close the **Runbook Tester**.
-24. On the ribbon bar, click **Check In**.
-
-
-
-Figure 30. All tests completed.
-
-## Use the MDT demo runbook from MDT
-
-1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**.
-2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- 1. Task sequence ID: OR001
- 2. Task sequence name: Orchestrator Sample
- 3. Task sequence comments: <blank>
- 4. Template: Custom Task Sequence
-3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab.
-4. Remove the default **Application Install** action.
-5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option.
-6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings:
- 1. Name: Set Task Sequence Variable
- 2. Task Sequence Variable: OSDComputerName
- 3. Value: %hostname%
-7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings:
- 1. Orchestrator Server: OR01.contoso.com
- 2. Use Browse to select **1.0 MDT / MDT Sample**.
-8. Click **OK**.
-
-
-
-Figure 31. The ready-made task sequence.
-
-## Run the orchestrator sample task sequence
-
-Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment.
-**Note**
-Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](https://go.microsoft.com/fwlink/p/?LinkId=619555).
-
-1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
-2. Using an elevated command prompt (run as Administrator), type the following command:
-
- ``` syntax
- cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
- ```
-3. Complete the Windows Deployment Wizard using the following information:
- 1. Task Sequence: Orchestrator Sample
- 2. Credentials:
- 1. User Name: MDT\_BA
- 2. Password: P@ssw0rd
- 3. Domain: CONTOSO
-4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
-
-
-
-Figure 32. The ready-made task sequence.
-
-## Related topics
-
-[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-
-[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use web services in MDT](use-web-services-in-mdt.md)
+---
+title: Use Orchestrator runbooks with MDT (Windows 10)
+description: Learn how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
+ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: web services, database
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Use Orchestrator runbooks with MDT
+
+This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
+MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required.
+
+**Note**
+If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
+
+## Orchestrator terminology
+
+Before diving into the core details, here is a quick course in Orchestrator terminology:
+- **Orchestrator Server.** This is a server that executes runbooks.
+- **Runbooks.** A runbook is similar to a task sequence; it is a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
+- **Orchestrator Designer.** This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
+- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
+- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
+- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
+- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
+
+**Note**
+To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](https://go.microsoft.com/fwlink/p/?LinkId=619554).
+
+## Create a sample runbook
+
+This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01.
+
+1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS).
+2. In the **E:\\Logfile** folder, create the DeployLog.txt file.
+ **Note**
+ Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt.
+
+ 
+
+ Figure 23. The DeployLog.txt file.
+
+3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder.
+
+ 
+
+ Figure 24. Folder created in the Runbooks node.
+
+4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**.
+5. On the ribbon bar, click **Check Out**.
+6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**.
+7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane:
+ 1. Runbook Control / Initialize Data
+ 2. Text File Management / Append Line
+8. Connect **Initialize Data** to **Append Line**.
+
+ 
+
+ Figure 25. Activities added and connected.
+
+9. Right-click the **Initialize Data** activity, and select **Properties**
+10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**.
+
+ 
+
+ Figure 26. The Initialize Data Properties window.
+
+11. Right-click the **Append Line** activity, and select **Properties**.
+12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**.
+13. In the **File** encoding drop-down list, select **ASCII**.
+14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
+
+ 
+
+ Figure 27. Expanding the Text area.
+
+15. In the blank text box, right-click and select **Subscribe / Published Data**.
+
+ 
+
+ Figure 28. Subscribing to data.
+
+16. In the **Published Data** window, select the **OSDComputerName** item, and click **OK**.
+17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
+18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**.
+
+ 
+
+ Figure 29. The expanded text box after all subscriptions have been added.
+
+19. On the **Append Line Properties** page, click **Finish**.
+ ## Test the demo MDT runbook
+ After the runbook is created, you are ready to test it.
+20. On the ribbon bar, click **Runbook Tester**.
+21. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**:
+ - OSDComputerName: PC0010
+22. Verify that all activities are green (for additional information, see each target).
+23. Close the **Runbook Tester**.
+24. On the ribbon bar, click **Check In**.
+
+
+
+Figure 30. All tests completed.
+
+## Use the MDT demo runbook from MDT
+
+1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**.
+2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ 1. Task sequence ID: OR001
+ 2. Task sequence name: Orchestrator Sample
+ 3. Task sequence comments: <blank>
+ 4. Template: Custom Task Sequence
+3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab.
+4. Remove the default **Application Install** action.
+5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option.
+6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings:
+ 1. Name: Set Task Sequence Variable
+ 2. Task Sequence Variable: OSDComputerName
+ 3. Value: %hostname%
+7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings:
+ 1. Orchestrator Server: OR01.contoso.com
+ 2. Use Browse to select **1.0 MDT / MDT Sample**.
+8. Click **OK**.
+
+
+
+Figure 31. The ready-made task sequence.
+
+## Run the orchestrator sample task sequence
+
+Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment.
+**Note**
+Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](https://go.microsoft.com/fwlink/p/?LinkId=619555).
+
+1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
+2. Using an elevated command prompt (run as Administrator), type the following command:
+
+ ``` syntax
+ cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
+ ```
+3. Complete the Windows Deployment Wizard using the following information:
+ 1. Task Sequence: Orchestrator Sample
+ 2. Credentials:
+ 1. User Name: MDT\_BA
+ 2. Password: P@ssw0rd
+ 3. Domain: CONTOSO
+4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
+
+
+
+Figure 32. The ready-made task sequence.
+
+## Related topics
+
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+
+[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+
+[Use web services in MDT](use-web-services-in-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 79b6610104..1ca54bbdb6 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -1,6 +1,6 @@
---
title: Use MDT database to stage Windows 10 deployment info (Windows 10)
-description: This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini).
+description: Learn how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database.
ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
index 4f7de42969..2d1cffeadc 100644
--- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
@@ -1,6 +1,6 @@
---
title: Use web services in MDT (Windows 10)
-description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
+description: Learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index ddc3a8a1da..19e35e39b3 100644
--- a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -1,110 +1,111 @@
----
-title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10)
-description: In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines.
-ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, task sequence
-ms.prod: w10
-ms.localizationpriority: medium
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
-
-For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Add drivers for Windows PE
-
-
-This section will show you how to import some network and storage drivers for Windows PE. This section assumes you have downloaded some drivers to the E:\\Sources\\OSD\\DriverSources\\WinPE x64 folder on CM01.
-
-1. On CM01, using the Configuration Manager Console, in the Software Library workspace, right-click the **Drivers** node and select **Import Driver**.
-
-2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and click **Next**.
-
-3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **WinPE x64**, and then click **Next**.
-
-4. On the **Select the packages to add the imported driver** page, click **Next**.
-
-5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice.
-
-
-
-*Figure 21. Add drivers to Windows PE*
-
->[!NOTE]
->The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
-
-
-## Add drivers for Windows 10
-
-
-This section illustrates how to add drivers for Windows 10 through an example in which you want to import Windows 10 drivers for the HP EliteBook 8560w model. For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the E:\\Sources\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w folder on CM01.
-
-1. On CM01, using the Configuration Manager Console, right-click the **Drivers** folder and select **Import Driver**.
-
-2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w** folder and click **Next**.
-
-3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**.
-
- 
-
- *Figure 22. Create driver categories*
-
-4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
-
- * Name: Windows 10 x64 - HP EliteBook 8560w
-
- * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w
-
- >[!NOTE]
- >The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
-
-
-5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
-
- >[!NOTE]
- >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
-
- 
-
- *Figure 23. Drivers imported and a new driver package created*
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+---
+title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10)
+description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers.
+ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, task sequence
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
+
+
+**Applies to**
+
+- Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+
+In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
+
+For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+## Add drivers for Windows PE
+
+
+This section will show you how to import some network and storage drivers for Windows PE. This section assumes you have downloaded some drivers to the E:\\Sources\\OSD\\DriverSources\\WinPE x64 folder on CM01.
+
+1. On CM01, using the Configuration Manager Console, in the Software Library workspace, right-click the **Drivers** node and select **Import Driver**.
+
+2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and click **Next**.
+
+3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **WinPE x64**, and then click **Next**.
+
+4. On the **Select the packages to add the imported driver** page, click **Next**.
+
+5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice.
+
+
+
+*Figure 21. Add drivers to Windows PE*
+
+>[!NOTE]
+>The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
+
+
+## Add drivers for Windows 10
+
+
+This section illustrates how to add drivers for Windows 10 through an example in which you want to import Windows 10 drivers for the HP EliteBook 8560w model. For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the E:\\Sources\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w folder on CM01.
+
+1. On CM01, using the Configuration Manager Console, right-click the **Drivers** folder and select **Import Driver**.
+
+2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, below the Import all drivers in the following network path (UNC) option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\HP EliteBook 8560w** folder and click **Next**.
+
+3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**.
+
+ 
+
+ *Figure 22. Create driver categories*
+
+4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
+
+ * Name: Windows 10 x64 - HP EliteBook 8560w
+
+ * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w
+
+ >[!NOTE]
+ >The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
+
+
+5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
+
+ >[!NOTE]
+ >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
+
+ 
+
+ *Figure 23. Drivers imported and a new driver package created*
+
+## Related topics
+
+
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index 34a005a021..975eb2a944 100644
--- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -1,117 +1,118 @@
----
-title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
-description: In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features.
-ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: tool, customize, deploy, boot image
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Create a custom Windows PE boot image with Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
-
-For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-## Add DaRT 10 files and prepare to brand the boot image
-
-
-The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded Microsoft Desktop Optimization Pack (MDOP) 2015 and copied the x64 version of MSDaRT10.msi to the C:\\Setup\\DaRT 10 folder. We also assume you have created a custom background image and saved it in C:\\Setup\\Branding on CM01. In this section, we use a custom background image named ContosoBackground.bmp.
-
-1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT10.msi) using the default settings.
-
-2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
-
-3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder.
-
-4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder.
-
-5. Using File Explorer, navigate to the **C:\\Setup** folder.
-
-6. Copy the **Branding** folder to **E:\\Sources\\OSD**.
-
-## Create a boot image for Configuration Manager using the MDT wizard
-
-
-By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard.
-
-1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**.
-
-2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**.
-
- >[!NOTE]
- >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
-
-3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**.
-
-4. On the **Options** page, select the **x64** platform, and click **Next**.
-
-5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
-
- 
-
- Figure 15. Add the DaRT component to the Configuration Manager boot image.
-
-6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice.
-
- >[!NOTE]
- >It will take a few minutes to generate the boot image.
-
-7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
-
-8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
-
-9. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image.
-
- 
-
- Figure 16. Content status for the Zero Touch WinPE x64 boot image
-
-10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
-
-11. In the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**.
-
-12. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: Expanding PS10000B to E:\\RemoteInstall\\SMSImages.
-
-13. Review the **E:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS10000B) is from your new boot image with DaRT.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-
-
-
-
+---
+title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
+description: Microsoft System Center 2012 R2 Configuration Manager can create custom Windows Preinstallation Environment (Windows PE) boot images with extra features.
+ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: tool, customize, deploy, boot image
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Create a custom Windows PE boot image with Configuration Manager
+
+
+**Applies to**
+
+- Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+
+In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
+
+For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+## Add DaRT 10 files and prepare to brand the boot image
+
+
+The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded Microsoft Desktop Optimization Pack (MDOP) 2015 and copied the x64 version of MSDaRT10.msi to the C:\\Setup\\DaRT 10 folder. We also assume you have created a custom background image and saved it in C:\\Setup\\Branding on CM01. In this section, we use a custom background image named ContosoBackground.bmp.
+
+1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT10.msi) using the default settings.
+
+2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
+
+3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder.
+
+4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder.
+
+5. Using File Explorer, navigate to the **C:\\Setup** folder.
+
+6. Copy the **Branding** folder to **E:\\Sources\\OSD**.
+
+## Create a boot image for Configuration Manager using the MDT wizard
+
+
+By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard.
+
+1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**.
+
+2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**.
+
+ >[!NOTE]
+ >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
+
+3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**.
+
+4. On the **Options** page, select the **x64** platform, and click **Next**.
+
+5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
+
+ 
+
+ Figure 15. Add the DaRT component to the Configuration Manager boot image.
+
+6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ ContosoBackground.bmp**. Then click **Next** twice.
+
+ >[!NOTE]
+ >It will take a few minutes to generate the boot image.
+
+7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
+
+8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
+
+9. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads STATMSG: ID=2301. You also can view Content Status in the Configuration Manager Console by selecting **the Zero Touch WinPE x86** boot image.
+
+ 
+
+ Figure 16. Content status for the Zero Touch WinPE x64 boot image
+
+10. Using the Configuration Manager Console, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
+
+11. In the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**.
+
+12. Using Configuration Manager Trace, review the E:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: Expanding PS10000B to E:\\RemoteInstall\\SMSImages.
+
+13. Review the **E:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS10000B) is from your new boot image with DaRT.
+
+## Related topics
+
+
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+
+
+
diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index b695cf75f7..bad7159496 100644
--- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Finalize operating system configuration for Windows 10 deployment
-description: This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence.
+description: Follow this walk-through to finalize the configuration of your Windows 10 operating deployment.
ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
index d5fce49214..e09b542e0e 100644
--- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Monitor the Windows 10 deployment with Configuration Manager
-description: In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench.
+description: Learn how to monitor a Windows 10 deployment with Configuration Manager. Use the Deployment Workbench to access the computer remotely.
ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index d7435593a7..2951abbc45 100644
--- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10)
-description: This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE).
+description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit.
ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 78e75ded51..f807d3f0e8 100644
--- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -1,147 +1,148 @@
----
-title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
-description: This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2.
-ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, install, installation, computer refresh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
-
-
-**Applies to**
-
-- Windows 10 versions 1507, 1511
-
->[!IMPORTANT]
->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
-
-This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
-
-A computer refresh with System Center 2012 R2 Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps:
-
-1. Data and settings are backed up locally in a backup folder.
-
-2. The partition is wiped, except for the backup folder.
-
-3. The new operating system image is applied.
-
-4. Other applications are installed.
-
-5. Data and settings are restored.
-
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed.
-
-## Create a device collection and add the PC0003 computer
-
-
-1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
-
- * General
-
- * Name: Install Windows 10 Enterprise x64
-
- * Limited Collection: All Systems
-
- * Membership rules:
-
- * Direct rule
-
- * Resource Class: System Resource
-
- * Attribute Name: Name
-
- * Value: PC0003
-
- * Select **Resources**
-
- * Select **PC0003**
-
-2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
-
- >[!NOTE]
- >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
-
-
-
-## Create a new deployment
-
-
-Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the following settings:
-
-- General
-
- - Collection: Install Windows 10 Enterprise x64
-
-- Deployment Settings
-
- - Purpose: Available
-
- - Make available to the following: Configuration Manager clients, media and PXE
-
- >[!NOTE]
- >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
-
-
-
-- Scheduling
-
- - <default>
-
-- User Experience
-
- - <default>
-
-- Alerts
-
- - <default>
-
-- Distribution Points
-
- - <default>
-
-## Initiate a computer refresh
-
-
-Now you can start the computer refresh on PC0003.
-
-1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**.
-
- >[!NOTE]
- >The Client Notification feature is new in Configuration Manager.
-
-2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**.
-
-3. In the **Software Center** warning dialog box, click **INSTALL OPERATING SYSTEM**.
-
-## Related topics
-
-
-[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-
-[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+---
+title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
+description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10.
+ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, install, installation, computer refresh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
+
+
+**Applies to**
+
+- Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+
+This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
+
+A computer refresh with System Center 2012 R2 Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps:
+
+1. Data and settings are backed up locally in a backup folder.
+
+2. The partition is wiped, except for the backup folder.
+
+3. The new operating system image is applied.
+
+4. Other applications are installed.
+
+5. Data and settings are restored.
+
+For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed.
+
+## Create a device collection and add the PC0003 computer
+
+
+1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+
+ * General
+
+ * Name: Install Windows 10 Enterprise x64
+
+ * Limited Collection: All Systems
+
+ * Membership rules:
+
+ * Direct rule
+
+ * Resource Class: System Resource
+
+ * Attribute Name: Name
+
+ * Value: PC0003
+
+ * Select **Resources**
+
+ * Select **PC0003**
+
+2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
+
+ >[!NOTE]
+ >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
+
+
+
+## Create a new deployment
+
+
+Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the following settings:
+
+- General
+
+ - Collection: Install Windows 10 Enterprise x64
+
+- Deployment Settings
+
+ - Purpose: Available
+
+ - Make available to the following: Configuration Manager clients, media and PXE
+
+ >[!NOTE]
+ >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
+
+
+
+- Scheduling
+
+ - <default>
+
+- User Experience
+
+ - <default>
+
+- Alerts
+
+ - <default>
+
+- Distribution Points
+
+ - <default>
+
+## Initiate a computer refresh
+
+
+Now you can start the computer refresh on PC0003.
+
+1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**.
+
+ >[!NOTE]
+ >The Client Notification feature is new in Configuration Manager.
+
+2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**.
+
+3. In the **Software Center** warning dialog box, click **INSTALL OPERATING SYSTEM**.
+
+## Related topics
+
+
+[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+
+[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+
+[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 90bcabb6d6..e9b3ec607d 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -4,13 +4,15 @@ description: Deploying Windows 10 for IT professionals.
ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
ms.reviewer:
manager: laurawi
-ms.audience: itpro
author: greg-lindsay
+ms.audience: itpro
+author: greg-lindsay
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
ms.date: 11/06/2018
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
ms.topic: article
---
@@ -35,7 +37,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
## Related topics
-[Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
+[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index b5e2f332bb..d90a888be9 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -47,7 +47,8 @@
"depot_name": "MSDN.win-development",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "titleSuffix": "Windows Deployment"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/deployment/images/sa-mfa1.png b/windows/deployment/images/sa-mfa1.png
new file mode 100644
index 0000000000..045e5a7794
Binary files /dev/null and b/windows/deployment/images/sa-mfa1.png differ
diff --git a/windows/deployment/images/sa-mfa2.png b/windows/deployment/images/sa-mfa2.png
new file mode 100644
index 0000000000..1964a7b263
Binary files /dev/null and b/windows/deployment/images/sa-mfa2.png differ
diff --git a/windows/deployment/images/sa-mfa3.png b/windows/deployment/images/sa-mfa3.png
new file mode 100644
index 0000000000..8987eac97b
Binary files /dev/null and b/windows/deployment/images/sa-mfa3.png differ
diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md
index b40be1932a..fe7585f713 100644
--- a/windows/deployment/planning/act-technical-reference.md
+++ b/windows/deployment/planning/act-technical-reference.md
@@ -1,48 +1,49 @@
----
-title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10)
-description: The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system.
-ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Application Compatibility Toolkit (ACT) Technical Reference
-
-
-**Applies to**
-- Windows 10, version 1607
-
->[!IMPORTANT]
->We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with [Windows Analytics](../update/windows-analytics-overview.md), a solution in the Microsoft Operations Management Suite. Windows Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released.
-
-Microsoft developed Windows Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Windows Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-
-With Windows diagnostic data enabled, Windows Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
-
-Use Windows Analytics to get:
-- A visual workflow that guides you from pilot to production
-- Detailed computer and application inventory
-- Powerful computer level search and drill-downs
-- Guidance and insights into application and driver compatibility issues, with suggested fixes
-- Data driven application rationalization tools
-- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-- Data export to commonly used software deployment tools, including System Center Configuration Manager
-
-The Windows Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-
-At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatibility Administrator, which helps you to resolve potential compatibility issues.
-
-## In this section
-
-|Topic |Description |
-|------|------------|
-|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. |
-|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. |
-|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. |
+---
+title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10)
+description: The Microsoft Application Compatibility Toolkit (ACT) helps you see if the apps and devices in your org are compatible with different versions of Windows.
+ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Application Compatibility Toolkit (ACT) Technical Reference
+
+
+**Applies to**
+- Windows 10, version 1607
+
+>[!IMPORTANT]
+>We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with [Windows Analytics](../update/windows-analytics-overview.md), a solution in the Microsoft Operations Management Suite. Windows Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released.
+
+Microsoft developed Windows Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Windows Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+
+With Windows diagnostic data enabled, Windows Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+
+Use Windows Analytics to get:
+- A visual workflow that guides you from pilot to production
+- Detailed computer and application inventory
+- Powerful computer level search and drill-downs
+- Guidance and insights into application and driver compatibility issues, with suggested fixes
+- Data driven application rationalization tools
+- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
+- Data export to commonly used software deployment tools, including System Center Configuration Manager
+
+The Windows Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
+
+At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatibility Administrator, which helps you to resolve potential compatibility issues.
+
+## In this section
+
+|Topic |Description |
+|------|------------|
+|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. |
+|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. |
+|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. |
diff --git a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md
index 5222062842..5edd92497e 100644
--- a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md
+++ b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md
@@ -1,100 +1,101 @@
----
-title: Applying Filters to Data in the SUA Tool (Windows 10)
-description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you.
-ms.assetid: 48c39919-3501-405d-bcf5-d2784cbb011f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Applying Filters to Data in the SUA Tool
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you.
-
-**To apply filters to data in the SUA tool**
-
-1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
-
-2. After you finish testing, in the SUA tool, click a tab that shows issues that the SUA tool has found. All tabs except the **App Info** tab can show issues.
-
-3. On the **Options** menu, click a command that corresponds to the filter that you want to apply. The following table describes the commands.
-
-
-
-
-
-
-
-
-
Options menu command
-
Description
-
-
-
-
-
Filter Noise
-
Filters noise from the issues.
-
This command is selected by default.
-
-
-
Load Noise Filter File
-
Opens the Open Noise Filter File dialog box, in which you can load an existing noise filter (.xml) file.
-
-
-
Export Noise Filter File
-
Opens the Save Noise Filter File dialog box, in which you can save filter settings as a noise filter (.xml) file.
-
-
-
Only Display Records with Application Name in StackTrace
-
Filters out records that do not have the application name in the stack trace.
-
However, because the SUA tool captures only the first 32 stack frames, this command can also filter out real issues with the application where the call stack is deeper than 32 frames.
-
-
-
Show More Details in StackTrace
-
Shows additional stack frames that are related to the SUA tool, but not related to the diagnosed application.
-
-
-
Warn Before Deleting AppVerifier Logs
-
Displays a warning message before the SUA tool deletes all of the existing SUA-related log files on the computer.
-
This command is selected by default.
-
-
-
Logging
-
Provides the following logging-related options:
-
-
Show or hide log errors.
-
Show or hide log warnings.
-
Show or hide log information.
-
-
To maintain a manageable file size, we recommend that you do not select the option to show informational messages.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+---
+title: Applying Filters to Data in the SUA Tool (Windows 10)
+description: Learn how to apply filters to results from the Standard User Analyzer (SUA) tool while testing your application.
+ms.assetid: 48c39919-3501-405d-bcf5-d2784cbb011f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Applying Filters to Data in the SUA Tool
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you.
+
+**To apply filters to data in the SUA tool**
+
+1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
+
+2. After you finish testing, in the SUA tool, click a tab that shows issues that the SUA tool has found. All tabs except the **App Info** tab can show issues.
+
+3. On the **Options** menu, click a command that corresponds to the filter that you want to apply. The following table describes the commands.
+
+
+
+
+
+
+
+
+
Options menu command
+
Description
+
+
+
+
+
Filter Noise
+
Filters noise from the issues.
+
This command is selected by default.
+
+
+
Load Noise Filter File
+
Opens the Open Noise Filter File dialog box, in which you can load an existing noise filter (.xml) file.
+
+
+
Export Noise Filter File
+
Opens the Save Noise Filter File dialog box, in which you can save filter settings as a noise filter (.xml) file.
+
+
+
Only Display Records with Application Name in StackTrace
+
Filters out records that do not have the application name in the stack trace.
+
However, because the SUA tool captures only the first 32 stack frames, this command can also filter out real issues with the application where the call stack is deeper than 32 frames.
+
+
+
Show More Details in StackTrace
+
Shows additional stack frames that are related to the SUA tool, but not related to the diagnosed application.
+
+
+
Warn Before Deleting AppVerifier Logs
+
Displays a warning message before the SUA tool deletes all of the existing SUA-related log files on the computer.
+
This command is selected by default.
+
+
+
Logging
+
Provides the following logging-related options:
+
+
Show or hide log errors.
+
Show or hide log warnings.
+
Show or hide log information.
+
+
To maintain a manageable file size, we recommend that you do not select the option to show informational messages.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
index bc1991c752..aa63171e92 100644
--- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
+++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
@@ -1,6 +1,6 @@
---
title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista (Windows 10)
-description: You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions.
+description: Find compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10.
ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
index 8d8da0f126..c35e379797 100644
--- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
@@ -1,6 +1,6 @@
---
title: Create AppHelp Message in Compatibility Administrator (Windows 10)
-description: The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.
+description: Create an AppHelp text message with Compatibility Administrator; a message that appears upon starting an app with major issues on the Windows® operating system.
ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md
index 454580a0c1..6f28178063 100644
--- a/windows/deployment/planning/index.md
+++ b/windows/deployment/planning/index.md
@@ -1,6 +1,6 @@
---
title: Plan for Windows 10 deployment (Windows 10)
-description: Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date.
+description: Find resources for your Windows 10 deployment. Windows 10 provides new deployment capabilities and tools, and introduces new ways to keep the OS up to date.
ms.assetid: 002F9B79-B50F-40C5-A7A5-0B4770E6EC15
keywords: deploy, upgrade, update, configure
ms.prod: w10
diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
index 47e9283fef..3aac6db8f1 100644
--- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
+++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
@@ -1,66 +1,67 @@
----
-title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10)
-description: This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.
-ms.assetid: 9c2e9396-908e-4a36-ad67-2e40452ce017
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Managing Application-Compatibility Fixes and Custom Fix Databases
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.
-
-## In this section
-
-
-
As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.
After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches:
This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.
-
-
-
-
-
-
-## Related topics
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-
-[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
+---
+title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10)
+description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases.
+ms.assetid: 9c2e9396-908e-4a36-ad67-2e40452ce017
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Managing Application-Compatibility Fixes and Custom Fix Databases
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.
+
+## In this section
+
+
+
As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.
After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches:
This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.
+
+
+
+
+
+
+## Related topics
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
+
+[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
index 955117dcd6..f0e3ef4473 100644
--- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
@@ -1,6 +1,6 @@
---
title: Searching for Fixed Applications in Compatibility Administrator (Windows 10)
-description: With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages.
+description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages.
ms.assetid: 1051a2dc-0362-43a4-8ae8-07dae39b1cb8
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
index 7eeaf18a3f..905e495858 100644
--- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
@@ -1,86 +1,87 @@
----
-title: Security and data protection considerations for Windows To Go (Windows 10)
-description: One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure.
-ms.assetid: 5f27339f-6761-44f4-8c29-9a25cf8e75fe
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: mobile, device, USB, secure, BitLocker
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: mobility, security
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Security and data protection considerations for Windows To Go
-
-
-**Applies to**
-
-- Windows 10
-
->[!IMPORTANT]
->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure.
-
-## Backup and restore
-
-
-As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](https://go.microsoft.com/fwlink/p/?LinkId=619102) for different solutions you could implement.
-
-If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and re-provision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924).
-
-## BitLocker
-
-
-We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace, this helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller.
-
-You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace.
-
-**Tip**
-If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.md#wtg-faq-blfail)
-
-
-
-If you are using a host computer running Windows 7 that has BitLocker enabled, you should suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker is not suspended first, the next time the computer is started it will boot into recovery mode.
-
-## Disk discovery and data leakage
-
-
-We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This means the drive will not appear in Windows Explorer and an AutoPlay prompt will not be displayed to the user. This reduces the likelihood that an end-user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you.
-
-To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is strongly recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
-
-For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](https://go.microsoft.com/fwlink/p/?LinkId=619103).
-
-## Security certifications for Windows To Go
-
-
-Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for additional certifications by the solution provider that cover the solution provider’s specific hardware environment. For more details about Windows security certifications, see the following topics.
-
-- [Windows Platform Common Criteria Certification](https://go.microsoft.com/fwlink/p/?LinkId=619104)
-
-- [FIPS 140 Evaluation](https://go.microsoft.com/fwlink/p/?LinkId=619107)
-
-## Related topics
-
-
-[Windows To Go: feature overview](windows-to-go-overview.md)
-
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-
-[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
-
-
-
-
-
-
-
-
-
+---
+title: Security and data protection considerations for Windows To Go (Windows 10)
+description: Ensure that the data, content, and resources you work with in the Windows To Go workspace are protected and secure.
+ms.assetid: 5f27339f-6761-44f4-8c29-9a25cf8e75fe
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: mobile, device, USB, secure, BitLocker
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: mobility, security
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Security and data protection considerations for Windows To Go
+
+
+**Applies to**
+
+- Windows 10
+
+>[!IMPORTANT]
+>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
+
+One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure.
+
+## Backup and restore
+
+
+As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](https://go.microsoft.com/fwlink/p/?LinkId=619102) for different solutions you could implement.
+
+If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and re-provision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924).
+
+## BitLocker
+
+
+We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace, this helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller.
+
+You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace.
+
+**Tip**
+If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.md#wtg-faq-blfail)
+
+
+
+If you are using a host computer running Windows 7 that has BitLocker enabled, you should suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker is not suspended first, the next time the computer is started it will boot into recovery mode.
+
+## Disk discovery and data leakage
+
+
+We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This means the drive will not appear in Windows Explorer and an AutoPlay prompt will not be displayed to the user. This reduces the likelihood that an end-user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you.
+
+To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is strongly recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
+
+For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](https://go.microsoft.com/fwlink/p/?LinkId=619103).
+
+## Security certifications for Windows To Go
+
+
+Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for additional certifications by the solution provider that cover the solution provider’s specific hardware environment. For more details about Windows security certifications, see the following topics.
+
+- [Windows Platform Common Criteria Certification](https://go.microsoft.com/fwlink/p/?LinkId=619104)
+
+- [FIPS 140 Evaluation](https://go.microsoft.com/fwlink/p/?LinkId=619107)
+
+## Related topics
+
+
+[Windows To Go: feature overview](windows-to-go-overview.md)
+
+[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
+
+[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
+
+[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md
index e0adb30d1a..56143ee843 100644
--- a/windows/deployment/planning/sua-users-guide.md
+++ b/windows/deployment/planning/sua-users-guide.md
@@ -1,69 +1,70 @@
----
-title: SUA User's Guide (Windows 10)
-description: You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows.
-ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# SUA User's Guide
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows.
-
-You can use SUA in either of the following ways:
-
-- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for additional analysis.
-
-- **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues.
-
-## In this section
-
-
-
The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.
By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
-
-
-
-
-
-
-
-
-
-
-
+---
+title: SUA User's Guide (Windows 10)
+description: Standard User Analyzer (SUA) can test your apps and monitor API calls to detect compatibility issues related to Windows' User Account Control (UAC) feature.
+ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# SUA User's Guide
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows.
+
+You can use SUA in either of the following ways:
+
+- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for additional analysis.
+
+- **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues.
+
+## In this section
+
+
+
The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.
By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md
index 6782e5861f..c3c759c319 100644
--- a/windows/deployment/planning/testing-your-application-mitigation-packages.md
+++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md
@@ -1,6 +1,6 @@
---
title: Testing Your Application Mitigation Packages (Windows 10)
-description: This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.
+description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues.
ms.assetid: ae946f27-d377-4db9-b179-e8875d454ccf
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
index eb092034f3..649a832f90 100644
--- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
+++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
@@ -1,113 +1,114 @@
----
-title: Using the Sdbinst.exe Command-Line Tool (Windows 10)
-description: You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied.
-ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Using the Sdbinst.exe Command-Line Tool
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2016
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations.
-
-After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application.
-
-## Command-Line Options for Deploying Customized Database Files
-
-Sample output from the command `Sdbinst.exe /?` in an elevated CMD window:
-
-```
-Microsoft Windows [Version 10.0.14393]
-(c) 2016 Microsoft Corporation. All rights reserved.
-
-C:\Windows\system32>Sdbinst.exe /?
-Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"
-
- -? - print this help text.
- -p - Allow SDBs containing patches.
- -q - Quiet mode: prompts are auto-accepted.
- -u - Uninstall.
- -g {guid} - GUID of file (uninstall only).
- -n "name" - Internal name of file (uninstall only).
-
-C:\Windows\system32>_
-```
-
-The command-line options use the following conventions:
-
-Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
-
-The following table describes the available command-line options.
-
-
-
-
-
-
-
-
-
Option
-
Description
-
-
-
-
-
-?
-
Displays the Help for the Sdbinst.exe tool.
-
For example,
-
sdbinst.exe -?
-
-
-
-p
-
Allows SDBs installation with Patches
-
For example,
-
sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb
-
-
-
-q
-
Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).
-
For example,
-
sdbinst.exe -q
-
-
-
-u filepath
-
Performs an uninstallation of the specified database.
-
For example,
-
sdbinst.exe -u C:\example.sdb
-
-
-
-g GUID
-
Specifies the customized database to uninstall by a globally unique identifier (GUID).
Specifies the customized database to uninstall by file name.
-
For example,
-
sdbinst.exe -n "My_Database"
-
-
-
-
-## Related topics
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
+---
+title: Using the Sdbinst.exe Command-Line Tool (Windows 10)
+description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command line options.
+ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Using the Sdbinst.exe Command-Line Tool
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2016
+- Windows Server 2012
+- Windows Server 2008 R2
+
+You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations.
+
+After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application.
+
+## Command-Line Options for Deploying Customized Database Files
+
+Sample output from the command `Sdbinst.exe /?` in an elevated CMD window:
+
+```
+Microsoft Windows [Version 10.0.14393]
+(c) 2016 Microsoft Corporation. All rights reserved.
+
+C:\Windows\system32>Sdbinst.exe /?
+Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"
+
+ -? - print this help text.
+ -p - Allow SDBs containing patches.
+ -q - Quiet mode: prompts are auto-accepted.
+ -u - Uninstall.
+ -g {guid} - GUID of file (uninstall only).
+ -n "name" - Internal name of file (uninstall only).
+
+C:\Windows\system32>_
+```
+
+The command-line options use the following conventions:
+
+Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
+
+The following table describes the available command-line options.
+
+
+
+
+
+
+
+
+
Option
+
Description
+
+
+
+
+
-?
+
Displays the Help for the Sdbinst.exe tool.
+
For example,
+
sdbinst.exe -?
+
+
+
-p
+
Allows SDBs installation with Patches
+
For example,
+
sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb
+
+
+
-q
+
Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).
+
For example,
+
sdbinst.exe -q
+
+
+
-u filepath
+
Performs an uninstallation of the specified database.
+
For example,
+
sdbinst.exe -u C:\example.sdb
+
+
+
-g GUID
+
Specifies the customized database to uninstall by a globally unique identifier (GUID).
Specifies the customized database to uninstall by file name.
+
For example,
+
sdbinst.exe -n "My_Database"
+
+
+
+
+## Related topics
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md
index 008d9e50a5..e1293703ac 100644
--- a/windows/deployment/planning/using-the-sua-tool.md
+++ b/windows/deployment/planning/using-the-sua-tool.md
@@ -1,92 +1,93 @@
----
-title: Using the SUA Tool (Windows 10)
-description: By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
-ms.assetid: ebe52061-3816-47f7-a865-07bc5f405f03
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Using the SUA Tool
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
-
-The SUA Wizard also addresses UAC-related issues. In contrast to the SUA tool, the SUA Wizard guides you through the process step by step, without the in-depth analysis of the SUA tool. For information about the SUA Wizard, see [Using the SUA Wizard](using-the-sua-wizard.md).
-
-In the SUA tool, you can turn virtualization on and off. When you turn virtualization off, the tested application may function more like the way it does in earlier versions of Windows®.
-
-In the SUA tool, you can choose to run the application as **Administrator** or as **Standard User**. Depending on your selection, you may locate different types of UAC-related issues.
-
-## Testing an Application by Using the SUA Tool
-
-
-Before you can use the SUA tool, you must install Application Verifier. You must also install the Microsoft® .NET Framework 3.5 or later.
-
-The following flowchart shows the process of using the SUA tool.
-
-
-
-**To collect UAC-related issues by using the SUA tool**
-
-1. Close any open instance of the SUA tool or SUA Wizard on your computer.
-
- If there is an existing SUA instance on the computer, the SUA tool opens in log viewer mode instead of normal mode. In log viewer mode, you cannot start applications, which prevents you from collecting UAC issues.
-
-2. Run the Standard User Analyzer.
-
-3. In the **Target Application** box, browse to the executable file for the application that you want to analyze, and then double-click to select it.
-
-4. Clear the **Elevate** check box, and then click **Launch**.
-
- If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning.
-
-5. Exercise the aspects of the application for which you want to gather information about UAC issues.
-
-6. Exit the application.
-
-7. Review the information from the various tabs in the SUA tool. For information about each tab, see [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md).
-
-**To review and apply the recommended mitigations**
-
-1. In the SUA tool, on the **Mitigation** menu, click **Apply Mitigations**.
-
-2. Review the recommended compatibility fixes.
-
-3. Click **Apply**.
-
- The SUA tool generates a custom compatibility-fix database and automatically applies it to the local computer, so that you can test the fixes to see whether they worked.
-
-## Related topics
-[Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
-
-[Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
-
-[Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
-
-[Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
-
-
-
-
-
-
-
-
-
+---
+title: Using the SUA Tool (Windows 10)
+description: The Standard User Analyzer (SUA) tool can test applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
+ms.assetid: ebe52061-3816-47f7-a865-07bc5f405f03
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Using the SUA Tool
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
+
+The SUA Wizard also addresses UAC-related issues. In contrast to the SUA tool, the SUA Wizard guides you through the process step by step, without the in-depth analysis of the SUA tool. For information about the SUA Wizard, see [Using the SUA Wizard](using-the-sua-wizard.md).
+
+In the SUA tool, you can turn virtualization on and off. When you turn virtualization off, the tested application may function more like the way it does in earlier versions of Windows®.
+
+In the SUA tool, you can choose to run the application as **Administrator** or as **Standard User**. Depending on your selection, you may locate different types of UAC-related issues.
+
+## Testing an Application by Using the SUA Tool
+
+
+Before you can use the SUA tool, you must install Application Verifier. You must also install the Microsoft® .NET Framework 3.5 or later.
+
+The following flowchart shows the process of using the SUA tool.
+
+
+
+**To collect UAC-related issues by using the SUA tool**
+
+1. Close any open instance of the SUA tool or SUA Wizard on your computer.
+
+ If there is an existing SUA instance on the computer, the SUA tool opens in log viewer mode instead of normal mode. In log viewer mode, you cannot start applications, which prevents you from collecting UAC issues.
+
+2. Run the Standard User Analyzer.
+
+3. In the **Target Application** box, browse to the executable file for the application that you want to analyze, and then double-click to select it.
+
+4. Clear the **Elevate** check box, and then click **Launch**.
+
+ If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning.
+
+5. Exercise the aspects of the application for which you want to gather information about UAC issues.
+
+6. Exit the application.
+
+7. Review the information from the various tabs in the SUA tool. For information about each tab, see [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md).
+
+**To review and apply the recommended mitigations**
+
+1. In the SUA tool, on the **Mitigation** menu, click **Apply Mitigations**.
+
+2. Review the recommended compatibility fixes.
+
+3. Click **Apply**.
+
+ The SUA tool generates a custom compatibility-fix database and automatically applies it to the local computer, so that you can test the fixes to see whether they worked.
+
+## Related topics
+[Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
+
+[Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
+
+[Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
+
+[Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md
index 4070f56802..786d9d2fcf 100644
--- a/windows/deployment/planning/using-the-sua-wizard.md
+++ b/windows/deployment/planning/using-the-sua-wizard.md
@@ -1,90 +1,91 @@
----
-title: Using the SUA Wizard (Windows 10)
-description: The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.
-ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Using the SUA Wizard
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.
-
-For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md).
-
-## Testing an Application by Using the SUA Wizard
-
-
-You must install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. You must also install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard.
-
-The following flowchart shows the process of using the SUA Wizard.
-
-
-
-**To test an application by using the SUA Wizard**
-
-1. On the computer where the SUA Wizard is installed, log on by using a non-administrator account.
-
-2. Run the Standard User Analyzer Wizard.
-
-3. Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application.
-
-4. Click **Launch**.
-
- If you are prompted, elevate your permissions. The SUA Wizard may require elevation of permissions to correctly diagnose the application.
-
- If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning.
-
-5. In the application, exercise the functionality that you want to test.
-
-6. After you finish testing, exit the application.
-
- The SUA Wizard displays a message that asks whether the application ran without any issues.
-
-7. Click **No**.
-
- The SUA Wizard shows a list of potential remedies that you might use to fix the application.
-
-8. Select the fixes that you want to apply, and then click **Launch**.
-
- The application appears again, with the fixes applied.
-
-9. Test the application again, and after you finish testing, exit the application.
-
- The SUA Wizard displays a message that asks whether the application ran without any issues.
-
-10. If the application ran correctly, click **Yes**.
-
- The SUA Wizard closes the issue as resolved on the local computer.
-
- If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer additional remedies. If the additional remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md).
-
-## Related topics
-[SUA User's Guide](sua-users-guide.md)
-
-
-
-
-
-
-
-
-
+---
+title: Using the SUA Wizard (Windows 10)
+description: The Standard User Analyzer (SUA) Wizard, although it does not offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues.
+ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Using the SUA Wizard
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.
+
+For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md).
+
+## Testing an Application by Using the SUA Wizard
+
+
+You must install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. You must also install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard.
+
+The following flowchart shows the process of using the SUA Wizard.
+
+
+
+**To test an application by using the SUA Wizard**
+
+1. On the computer where the SUA Wizard is installed, log on by using a non-administrator account.
+
+2. Run the Standard User Analyzer Wizard.
+
+3. Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application.
+
+4. Click **Launch**.
+
+ If you are prompted, elevate your permissions. The SUA Wizard may require elevation of permissions to correctly diagnose the application.
+
+ If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning.
+
+5. In the application, exercise the functionality that you want to test.
+
+6. After you finish testing, exit the application.
+
+ The SUA Wizard displays a message that asks whether the application ran without any issues.
+
+7. Click **No**.
+
+ The SUA Wizard shows a list of potential remedies that you might use to fix the application.
+
+8. Select the fixes that you want to apply, and then click **Launch**.
+
+ The application appears again, with the fixes applied.
+
+9. Test the application again, and after you finish testing, exit the application.
+
+ The SUA Wizard displays a message that asks whether the application ran without any issues.
+
+10. If the application ran correctly, click **Yes**.
+
+ The SUA Wizard closes the issue as resolved on the local computer.
+
+ If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer additional remedies. If the additional remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md).
+
+## Related topics
+[SUA User's Guide](sua-users-guide.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
index 579f4b8bfa..67a11cd90f 100644
--- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
+++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
@@ -1,6 +1,6 @@
---
title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
-description: The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.
+description: You can use the Events screen to record and view activities in the Compatibility Administrator tool.
ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index 03fd161f35..afbf7e0553 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -1,6 +1,6 @@
---
title: Windows 10 infrastructure requirements (Windows 10)
-description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization.
+description: Review the specific infrastructure requirements to deploy and manage Windows 10, prior to significant Windows 10 deployments within your organization.
ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index 57d74a1341..d162aa111d 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -1,6 +1,6 @@
---
title: Windows To Go feature overview (Windows 10)
-description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs.
+description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that lets you create a workspace that can be booted from a USB-connected drive.
ms.assetid: 9df82b03-acba-442c-801d-56db241f8d42
ms.reviewer:
manager: laurawi
@@ -92,9 +92,9 @@ As of the date of publication, the following are the USB drives currently certif
> [!WARNING]
> Using a USB drive that has not been certified is not supported.
-- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://go.microsoft.com/fwlink/p/?LinkId=618714))
-- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://go.microsoft.com/fwlink/p/?LinkId=618717))
-- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://go.microsoft.com/fwlink/p/?LinkId=618718))
+- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://www.kingston.com/support/technical/products?model=dtws))
+- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://www.kingston.com/support/technical/products?model=dtws))
+- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://www.kingston.com/support/technical/products?model=dtws))
- Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618719))
- Spyrus Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720))
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index 1103564dea..ac597ae387 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -1,6 +1,6 @@
---
title: How Windows Update works
-description: Learn how Windows Update works, including architecture and troubleshooting
+description: Learn how Windows Update works, including architecture and troubleshooting.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 81adf9756d..ae41811326 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -125,9 +125,9 @@ Starting with Windows 10, version 1703, using Settings to control the pause beha
## Configure when devices receive Quality Updates
-Quality Updates are typically published on the first Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
+Quality updates are typically published on the first Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
-You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
+You can set your system to receive updates for other Microsoft products—known as Microsoft updates (such as Microsoft Office, Visual Studio)—along with Windows updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft updates will follow the same deferral and pause rules as all other quality updates.
>[!IMPORTANT]
>This policy defers both Feature and Quality Updates on Windows 10 Mobile Enterprise.
@@ -146,7 +146,7 @@ You can set your system to receive updates for other Microsoft products—known
## Pause quality updates
-You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality Updates. Following this scan, you can then pause quality Updates for the device again.
+You can also pause a system from receiving quality updates for a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality updates. Following this scan, you can then pause quality updates for the device again.
Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
@@ -201,9 +201,9 @@ The policy settings to **Select when Feature Updates are received** allows you t
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received*
* MDM: **Update/BranchReadinessLevel**
-## Exclude drivers from Quality Updates
+## Exclude drivers from quality updates
-Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to Feature Updates, where drivers might be dynamically installed to ensure the Feature Update process can complete.
+Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to feature updates, where drivers might be dynamically installed to ensure the feature update process can complete.
**Policy settings to exclude drivers**
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 23a3c73b90..4f6bf5db20 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -1,6 +1,6 @@
---
title: Overview of Windows as a service (Windows 10)
-description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
+description: Windows as a service introduces a new way to build, deploy, and service Windows. Learn how Windows as a service works.
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index 1cec56cb46..89b24aea50 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -7,8 +7,8 @@ ms.manager: elizapo
audience: itpro
itproauthor: jaimeo
author: jaimeo
+description: Discover the latest news articles, videos, and podcasts about Windows as a service. Find resources for using Windows as a service within your organization.
ms.audience: itpro
-author: jaimeo
ms.reviewer:
manager: laurawi
ms.localizationpriority: high
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index 5b7b68067e..47cb14f395 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -1,6 +1,6 @@
---
title: Get started with Windows Update
-description: Learn how Windows Update works, including architecture and troubleshooting
+description: An overview of learning resources for Windows Update, including documents on architecture, log files, and common errors.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md
index 0d7b34374e..828c0bf6b7 100644
--- a/windows/deployment/update/wufb-autoupdate.md
+++ b/windows/deployment/update/wufb-autoupdate.md
@@ -1,6 +1,6 @@
---
title: Setting up Automatic Update in Windows Update for Business (Windows 10)
-description: Learn how to get started using Windows Update for Business.
+description: Learn how to configure Automatic Update group policies in Windows Update for Business.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md
index f1513ece69..10037c56b2 100644
--- a/windows/deployment/update/wufb-manageupdate.md
+++ b/windows/deployment/update/wufb-manageupdate.md
@@ -1,6 +1,6 @@
---
title: Managing feature and quality updates with policies in Windows Update for Business (Windows 10)
-description: Learn how to get started using Windows Update for Business.
+description: Learn how to manage feature and quality updates using group policies in Windows Update for Business.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index ddb3d63a10..71ebf32bab 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -3,7 +3,7 @@ title: Log files - Windows IT Pro
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+description: Learn how to interpret the log files generated during the Windows 10 upgrade process.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
ms.prod: w10
ms.mktglfcycl: deploy
@@ -27,7 +27,8 @@ ms.topic: article
Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code.
-Note: Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files.
+>[!NOTE]
+>Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files.
The following table describes some log files and how to use them for troubleshooting purposes:
@@ -79,7 +80,7 @@ See the following example:
## Analyze log files
->The following instructions are meant for IT professionals. Also see the [Upgrade error codes](upgrade-error-codes.md) section in this guide to familiarize yourself with [result codes](upgrade-error-codes.md#result-codes) and [extend codes](upgrade-error-codes.md#extend-codes).
+The following instructions are meant for IT professionals. Also see the [Upgrade error codes](upgrade-error-codes.md) section in this guide to familiarize yourself with [result codes](upgrade-error-codes.md#result-codes) and [extend codes](upgrade-error-codes.md#extend-codes).
To analyze Windows Setup log files:
@@ -110,7 +111,7 @@ See the following example:
For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file:
->Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN."
+Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN."
setuperr.log content:
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md
index 01850db7f6..fa2817f19b 100644
--- a/windows/deployment/upgrade/quick-fixes.md
+++ b/windows/deployment/upgrade/quick-fixes.md
@@ -1,239 +1,243 @@
----
-title: Quick fixes - Windows IT Pro
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
-keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.topic: article
----
-
-# Quick fixes
-
-**Applies to**
-- Windows 10
-
->[!NOTE]
->This is a 100 level topic (basic).
->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
-
-The following list of fixes can resolve many Windows upgrade problems. You should try these steps before contacting Microsoft support, or attempting a more advanced analysis of a Windows upgrade failure. Also review information at [Windows 10 help](https://support.microsoft.com/products/windows?os=windows-10).
-
-The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. **To talk to a person about your issue**, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times.
-
->You might also wish to try a new tool available from Microsoft that helps to diagnose many Windows upgrade errors. For more information and to download this tool, see [SetupDiag](setupdiag.md). The topic is more advanced (300 level) because several advanced options are available for using the tool. However, you can now just download and then double-click the tool to run it. By default when you click Save, the tool is saved in your **Downloads** folder. Double-click the tool in the folder and wait until it finishes running (it might take a few minutes), then double-click the **SetupDiagResults.log** file and open it using Notepad to see the results of the analysis.
-
-## List of fixes
-
-
-
Remove nonessential external hardware, such as docks and USB devices. More information.
-
Check the system drive for errors and attempt repairs. More information.
Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update. More information.
-
Temporarily uninstall non-Microsoft antivirus software.
- More information.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. More information.
-
Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS. More information.
-
-
-## Step by step instructions
-
-### Remove external hardware
-
-If the computer is portable and it is currently in a docking station, [undock the computer](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754084(v=ws.11)).
-
-Unplug nonessential external hardware devices from the computer, such as:
-- Headphones
-- Joysticks
-- Printers
-- Plotters
-- Projectors
-- Scanners
-- Speakers
-- USB flash drives
-- Portable hard drives
-- Portable CD/DVD/Blu-ray drives
-- Microphones
-- Media card readers
-- Cameras/Webcams
-- Smart phones
-- Secondary monitors, keyboards, mice
-
-For more information about disconnecting external devices, see [Safely remove hardware in Windows 10](https://support.microsoft.com/help/4051300/windows-10-safely-remove-hardware)
-
-### Repair the system drive
-
-The system drive is the drive that contains the [system partition](https://docs.microsoft.com/windows-hardware/manufacture/desktop/hard-drives-and-partitions#span-idpartitionsspanspan-idpartitionsspanspan-idpartitionsspanpartitions). This is usually the **C:** drive.
-
-To check and repair errors on the system drive:
-
-1. Click **Start**.
-2. Type **command**.
-3. Right-click **Command Prompt** and then left-click **Run as administrator**.
-4. If you are prompted by UAC, click **Yes**.
-5. Type **chkdsk /F** and press ENTER.
-6. When you are prompted to schedule a check the next time the system restarts, type **Y**.
-7. See the following example
-
- ```
- C:\WINDOWS\system32>chkdsk /F
- The type of the file system is NTFS.
- Cannot lock current drive.
-
- Chkdsk cannot run because the volume is in use by another
- process. Would you like to schedule this volume to be
- checked the next time the system restarts? (Y/N) Y
-
- This volume will be checked the next time the system restarts.
- ```
-
-8. Restart the computer. The computer will pause before loading Windows and perform a repair of your hard drive.
-
-### Windows Update Troubleshooter
-
-The Windows Update troubleshooter tool will automatically analyze and fix problems with Windows Update, such as a corrupted download. It will also tell you if there is a pending reboot that is preventing Windows from updating.
-
-For Windows 7 and 8.1, the tool is [here](https://aka.ms/diag_wu).
-
-For Windows 10, the tool is [here](https://aka.ms/wudiag).
-
-To run the tool, click the appropriate link above. Your web browser will prompt you to save or open the file. Select **open** and the tool will automatically start. The tool will walk you through analyzing and fixing some common problems.
-
-You can also download the Windows Update Troubleshooter by starting the Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/), typing **update Windows**, selecting the version of Windows you are running, and then answering **Yes** when asked "Do you need help troubleshooting Windows Update?"
-
-If any errors are displayed in the Windows Update Troubleshooter, use the Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) to ask about these errors. The Virtual Agent will perform a search and provide a list of helpful links.
-
-### Repair system files
-
-This fix is also described in detail at [answers.microsoft.com](https://answers.microsoft.com/en-us/windows/forum/windows_10-update/system-file-check-sfc-scan-and-repair-system-files/bc609315-da1f-4775-812c-695b60477a93).
-
-To check and repair system files:
-
-1. Click **Start**.
-2. Type **command**.
-3. Right-click **Command Prompt** and then left-click **Run as administrator**.
-4. If you are prompted by UAC, click **Yes**.
-5. Type **sfc /scannow** and press ENTER. See the following example:
-
- ```
- C:\>sfc /scannow
-
- Beginning system scan. This process will take some time.
-
- Beginning verification phase of system scan.
- Verification 100% complete.
-
- Windows Resource Protection did not find any integrity violations.
- ```
-6. If you are running Windows 8.1 or later, type **DISM.exe /Online /Cleanup-image /Restorehealth** and press ENTER (the DISM command options are not available for Windows 7). See the following example:
-
- ```
- C:\>DISM.exe /Online /Cleanup-image /Restorehealth
-
- Deployment Image Servicing and Management tool
- Version: 10.0.16299.15
-
- Image Version: 10.0.16299.309
-
- [==========================100.0%==========================] The restore operation completed successfully.
- The operation completed successfully.
-
- ```
- >It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image).
-
-
-### Update Windows
-
-You should ensure that all important updates are installed before attempting to upgrade. This includes updates to hardware drivers on your computer.
-
-The Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) can walk you through the process of making sure that Windows is updated.
-
-Start the [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) and then type "update windows."
-
-Answer questions that the agent asks, and follow instructions to ensure that Windows is up to date. You can also run the [Windows Update Troubleshooter](#windows-update-troubleshooter) described above.
-
-Click **Start**, click power options, and then restart the computer.
-
-### Uninstall non-Microsoft antivirus software
-
-Use Windows Defender for protection during the upgrade.
-
-Verify compatibility information, and if desired re-install antivirus applications after the upgrade. If you plan to re-install the application after upgrading, be sure that you have the installation media and all required activation information before removing the program.
-
-To remove the application, go to **Control Panel\Programs\Programs and Features** and click the antivirus application, then click Uninstall. Choose **Yes** when you are asked to confirm program removal.
-
-For more information, see [Windows 7 - How to properly uninstall programs](https://support.microsoft.com/help/2601726) or [Repair or remove programs in Windows 10](https://support.microsoft.com/help/4028054/windows-repair-or-remove-programs-in-windows-10).
-
-### Uninstall non-essential software
-
-Outdated applications can cause problems with a Windows upgrade. Removing old or non-essential applications from the computer can therefore help.
-
-If you plan to reinstall the application later, be sure that you have the installation media and all required activation information before removing it.
-
-To remove programs, use the same steps as are provided [above](#uninstall-non-microsoft-antivirus-software) for uninstalling non-Microsoft antivirus software, but instead of removing the antivirus application repeat the steps for all your non-essential, unused, or out-of-date software.
-
-### Update firmware and drivers
-
-Updating firmware (such as the BIOS) and installing hardware drivers is a somewhat advanced task. Do not attempt to update BIOS if you aren't familiar with BIOS settings or are not sure how to restore the previous BIOS version if there are problems. Most BIOS updates are provided as a "flash" update. Your manufacturer might provide a tool to perform the update, or you might be required to enter the BIOS and update it manually. Be sure to save your working BIOS settings, since some updates can reset your configuration and make the computer fail to boot if (for example) a RAID configuration is changed.
-
-Most BIOS and other hardware updates can be obtained from a website maintained by your computer manufacturer. For example, Microsoft Surface device drivers can be obtained at: [Download the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
-
-To obtain the proper firmware drivers, search for the most updated driver version provided by your computer manufacturer. Install these updates and reboot the computer after installation. Request assistance from the manufacturer if you have any questions.
-
-### Ensure that "Download and install updates" is selected
-
-When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example:
-
-
-
-### Verify disk space
-
-You can see a list of requirements for Windows 10 at [Windows 10 Specifications & System Requirements](https://www.microsoft.com/windows/windows-10-specifications). One of the requirements is that enough hard drive space be available for the installation to take place. At least 16 GB of free space must be available on the system drive to upgrade a 32-bit OS, or 20 GB for a 64-bit OS.
-
-To view how much hard drive space is available on your computer, open [File Explorer](https://support.microsoft.com/help/4026617/windows-windows-explorer-has-a-new-name). In Windows 7, this was called Windows Explorer.
-
-In File Explorer, click on **Computer** or **This PC** on the left, then look under **Hard Disk Drives** or under **Devices and drives**. If there are multiple drives listed, the system drive is the drive that includes a Microsoft Windows logo above the drive icon.
-
-The amount of space available on the system drive will be displayed under the drive. See the following example:
-
-
-
-In the previous example, there is 703 GB of available free space on the system drive (C:).
-
-To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example:
-
-
-
-For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space).
-
-When you run Disk Cleanup and enable the option to Clean up system files, you can remove previous Windows installations which can free a large amount of space. You should only do this if you do not plan to restore the old OS version.
-
-### Open an elevated command prompt
-
->It is no longer necessary to open an elevated command prompt to run the [SetupDiag](setupdiag.md) tool. However, this is still the optimal way to run the tool.
-
-To launch an elevated command prompt, press the Windows key on your keyboard, type **cmd**, press Ctrl+Shift+Enter, and then Alt+C to confirm the elevation prompt. Screenshots and other steps to open an administrator (aka elevated) command prompt are [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/command-prompt-admin-windows-7/6a188166-5e23-461f-b468-f325688ec8c7).
-
-Note: When you open an elevated command prompt, you will usually start in the **C:\WINDOWS\system32** directory. To run a program that you recently downloaded, you must change to the directory where the program is located. Alternatively, you can move or copy the program to a location on the computer that is automatically searched. These directories are listed in the [PATH variable](https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings-winpc/adding-path-variable/97300613-20cb-4d85-8d0e-cc9d3549ba23).
-
-If this is too complicated for you, then use File Explorer to create a new folder under C: with a short name such as "new" then copy or move the programs you want to run (like SetupDiag) to this folder using File Explorer. When you open an elevated command prompt, change to this directory by typing "cd c:\new" and now you can run the programs in that folder.
-
-If you downloaded the SetupDiag.exe program to your computer, then copied it to the folder C:\new, and you opened an elevated command prompt then typed cd c:\new to change to this directory, you can just type setupdiag and press ENTER to run the program. This program will analyze the files on your computer to see why a Windows Upgrade failed and if the reason was a common one, it will report this reason. It will not fix the problem for you but knowing why the upgrade failed enables you to take steps to fix the problem.
-
-## Related topics
-
-[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
- [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
- [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
- [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
+---
+title: Quick fixes - Windows IT Pro
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+description: Learn how to quickly resolve many problems which may come up during a Windows 10 upgrade.
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.topic: article
+---
+
+# Quick fixes
+
+**Applies to**
+- Windows 10
+
+>[!NOTE]
+>This is a 100 level topic (basic).
+>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+
+The following list of fixes can resolve many Windows upgrade problems. You should try these steps before contacting Microsoft support, or attempting a more advanced analysis of a Windows upgrade failure. Also review information at [Windows 10 help](https://support.microsoft.com/products/windows?os=windows-10).
+
+The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. **To talk to a person about your issue**, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times.
+
+> [!TIP]
+> You might also wish to try a new tool available from Microsoft that helps to diagnose many Windows upgrade errors. For more information and to download this tool, see [SetupDiag](setupdiag.md). The topic is more advanced (300 level) because several advanced options are available for using the tool. However, you can now just download and then double-click the tool to run it. By default when you click Save, the tool is saved in your **Downloads** folder. Double-click the tool in the folder and wait until it finishes running (it might take a few minutes), then double-click the **SetupDiagResults.log** file and open it using Notepad to see the results of the analysis.
+
+## List of fixes
+
+
+
Remove nonessential external hardware, such as docks and USB devices. More information.
+
Check the system drive for errors and attempt repairs. More information.
Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update. More information.
+
Temporarily uninstall non-Microsoft antivirus software.
+ More information.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. More information.
+
Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS. More information.
+
+
+## Step by step instructions
+
+### Remove external hardware
+
+If the computer is portable and it is currently in a docking station, [undock the computer](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754084(v=ws.11)).
+
+Unplug nonessential external hardware devices from the computer, such as:
+- Headphones
+- Joysticks
+- Printers
+- Plotters
+- Projectors
+- Scanners
+- Speakers
+- USB flash drives
+- Portable hard drives
+- Portable CD/DVD/Blu-ray drives
+- Microphones
+- Media card readers
+- Cameras/Webcams
+- Smart phones
+- Secondary monitors, keyboards, mice
+
+For more information about disconnecting external devices, see [Safely remove hardware in Windows 10](https://support.microsoft.com/help/4051300/windows-10-safely-remove-hardware)
+
+### Repair the system drive
+
+The system drive is the drive that contains the [system partition](https://docs.microsoft.com/windows-hardware/manufacture/desktop/hard-drives-and-partitions#span-idpartitionsspanspan-idpartitionsspanspan-idpartitionsspanpartitions). This is usually the **C:** drive.
+
+To check and repair errors on the system drive:
+
+1. Click **Start**.
+2. Type **command**.
+3. Right-click **Command Prompt** and then left-click **Run as administrator**.
+4. If you are prompted by UAC, click **Yes**.
+5. Type **chkdsk /F** and press ENTER.
+6. When you are prompted to schedule a check the next time the system restarts, type **Y**.
+7. See the following example
+
+ ```
+ C:\WINDOWS\system32>chkdsk /F
+ The type of the file system is NTFS.
+ Cannot lock current drive.
+
+ Chkdsk cannot run because the volume is in use by another
+ process. Would you like to schedule this volume to be
+ checked the next time the system restarts? (Y/N) Y
+
+ This volume will be checked the next time the system restarts.
+ ```
+
+8. Restart the computer. The computer will pause before loading Windows and perform a repair of your hard drive.
+
+### Windows Update Troubleshooter
+
+The Windows Update troubleshooter tool will automatically analyze and fix problems with Windows Update, such as a corrupted download. It will also tell you if there is a pending reboot that is preventing Windows from updating.
+
+For Windows 7 and 8.1, the tool is [here](https://aka.ms/diag_wu).
+
+For Windows 10, the tool is [here](https://aka.ms/wudiag).
+
+To run the tool, click the appropriate link above. Your web browser will prompt you to save or open the file. Select **open** and the tool will automatically start. The tool will walk you through analyzing and fixing some common problems.
+
+You can also download the Windows Update Troubleshooter by starting the Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/), typing **update Windows**, selecting the version of Windows you are running, and then answering **Yes** when asked "Do you need help troubleshooting Windows Update?"
+
+If any errors are displayed in the Windows Update Troubleshooter, use the Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) to ask about these errors. The Virtual Agent will perform a search and provide a list of helpful links.
+
+### Repair system files
+
+This fix is also described in detail at [answers.microsoft.com](https://answers.microsoft.com/en-us/windows/forum/windows_10-update/system-file-check-sfc-scan-and-repair-system-files/bc609315-da1f-4775-812c-695b60477a93).
+
+To check and repair system files:
+
+1. Click **Start**.
+2. Type **command**.
+3. Right-click **Command Prompt** and then left-click **Run as administrator**.
+4. If you are prompted by UAC, click **Yes**.
+5. Type **sfc /scannow** and press ENTER. See the following example:
+
+ ```
+ C:\>sfc /scannow
+
+ Beginning system scan. This process will take some time.
+
+ Beginning verification phase of system scan.
+ Verification 100% complete.
+
+ Windows Resource Protection did not find any integrity violations.
+ ```
+6. If you are running Windows 8.1 or later, type **DISM.exe /Online /Cleanup-image /Restorehealth** and press ENTER (the DISM command options are not available for Windows 7). See the following example:
+
+ ```
+ C:\>DISM.exe /Online /Cleanup-image /Restorehealth
+
+ Deployment Image Servicing and Management tool
+ Version: 10.0.16299.15
+
+ Image Version: 10.0.16299.309
+
+ [==========================100.0%==========================] The restore operation completed successfully.
+ The operation completed successfully.
+
+ ```
+ > [!NOTE]
+ > It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/repair-a-windows-image).
+
+
+### Update Windows
+
+You should ensure that all important updates are installed before attempting to upgrade. This includes updates to hardware drivers on your computer.
+
+The Microsoft [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) can walk you through the process of making sure that Windows is updated.
+
+Start the [Virtual Agent](https://support.microsoft.com/contact/virtual-agent/) and then type "update windows."
+
+Answer questions that the agent asks, and follow instructions to ensure that Windows is up to date. You can also run the [Windows Update Troubleshooter](#windows-update-troubleshooter) described above.
+
+Click **Start**, click power options, and then restart the computer.
+
+### Uninstall non-Microsoft antivirus software
+
+Use Windows Defender for protection during the upgrade.
+
+Verify compatibility information, and if desired re-install antivirus applications after the upgrade. If you plan to re-install the application after upgrading, be sure that you have the installation media and all required activation information before removing the program.
+
+To remove the application, go to **Control Panel\Programs\Programs and Features** and click the antivirus application, then click Uninstall. Choose **Yes** when you are asked to confirm program removal.
+
+For more information, see [Windows 7 - How to properly uninstall programs](https://support.microsoft.com/help/2601726) or [Repair or remove programs in Windows 10](https://support.microsoft.com/help/4028054/windows-repair-or-remove-programs-in-windows-10).
+
+### Uninstall non-essential software
+
+Outdated applications can cause problems with a Windows upgrade. Removing old or non-essential applications from the computer can therefore help.
+
+If you plan to reinstall the application later, be sure that you have the installation media and all required activation information before removing it.
+
+To remove programs, use the same steps as are provided [above](#uninstall-non-microsoft-antivirus-software) for uninstalling non-Microsoft antivirus software, but instead of removing the antivirus application repeat the steps for all your non-essential, unused, or out-of-date software.
+
+### Update firmware and drivers
+
+Updating firmware (such as the BIOS) and installing hardware drivers is a somewhat advanced task. Do not attempt to update BIOS if you aren't familiar with BIOS settings or are not sure how to restore the previous BIOS version if there are problems. Most BIOS updates are provided as a "flash" update. Your manufacturer might provide a tool to perform the update, or you might be required to enter the BIOS and update it manually. Be sure to save your working BIOS settings, since some updates can reset your configuration and make the computer fail to boot if (for example) a RAID configuration is changed.
+
+Most BIOS and other hardware updates can be obtained from a website maintained by your computer manufacturer. For example, Microsoft Surface device drivers can be obtained at: [Download the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
+
+To obtain the proper firmware drivers, search for the most updated driver version provided by your computer manufacturer. Install these updates and reboot the computer after installation. Request assistance from the manufacturer if you have any questions.
+
+### Ensure that "Download and install updates" is selected
+
+When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example:
+
+
+
+### Verify disk space
+
+You can see a list of requirements for Windows 10 at [Windows 10 Specifications & System Requirements](https://www.microsoft.com/windows/windows-10-specifications). One of the requirements is that enough hard drive space be available for the installation to take place. At least 16 GB of free space must be available on the system drive to upgrade a 32-bit OS, or 20 GB for a 64-bit OS.
+
+To view how much hard drive space is available on your computer, open [File Explorer](https://support.microsoft.com/help/4026617/windows-windows-explorer-has-a-new-name). In Windows 7, this was called Windows Explorer.
+
+In File Explorer, click on **Computer** or **This PC** on the left, then look under **Hard Disk Drives** or under **Devices and drives**. If there are multiple drives listed, the system drive is the drive that includes a Microsoft Windows logo above the drive icon.
+
+The amount of space available on the system drive will be displayed under the drive. See the following example:
+
+
+
+In the previous example, there is 703 GB of available free space on the system drive (C:).
+
+To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example:
+
+
+
+For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space).
+
+When you run Disk Cleanup and enable the option to Clean up system files, you can remove previous Windows installations which can free a large amount of space. You should only do this if you do not plan to restore the old OS version.
+
+### Open an elevated command prompt
+
+> [!TIP]
+> It is no longer necessary to open an elevated command prompt to run the [SetupDiag](setupdiag.md) tool. However, this is still the optimal way to run the tool.
+
+To launch an elevated command prompt, press the Windows key on your keyboard, type **cmd**, press Ctrl+Shift+Enter, and then Alt+C to confirm the elevation prompt. Screenshots and other steps to open an administrator (aka elevated) command prompt are [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/command-prompt-admin-windows-7/6a188166-5e23-461f-b468-f325688ec8c7).
+
+Note: When you open an elevated command prompt, you will usually start in the **C:\WINDOWS\system32** directory. To run a program that you recently downloaded, you must change to the directory where the program is located. Alternatively, you can move or copy the program to a location on the computer that is automatically searched. These directories are listed in the [PATH variable](https://answers.microsoft.com/windows/forum/windows_10-other_settings-winpc/adding-path-variable/97300613-20cb-4d85-8d0e-cc9d3549ba23).
+
+If this is too complicated for you, then use File Explorer to create a new folder under C: with a short name such as "new" then copy or move the programs you want to run (like SetupDiag) to this folder using File Explorer. When you open an elevated command prompt, change to this directory by typing "cd c:\new" and now you can run the programs in that folder.
+
+If you downloaded the SetupDiag.exe program to your computer, then copied it to the folder C:\new, and you opened an elevated command prompt then typed cd c:\new to change to this directory, you can just type setupdiag and press ENTER to run the program. This program will analyze the files on your computer to see why a Windows Upgrade failed and if the reason was a common one, it will report this reason. It will not fix the problem for you but knowing why the upgrade failed enables you to take steps to fix the problem.
+
+## Related topics
+
+[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
+ [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
+ [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
+ [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+ [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md
index 64f031f72e..7b336767e8 100644
--- a/windows/deployment/upgrade/resolution-procedures.md
+++ b/windows/deployment/upgrade/resolution-procedures.md
@@ -3,7 +3,7 @@ title: Resolution procedures - Windows IT Pro
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+description: Discover general troubleshooting procedures for dealing with 0xC1900101, the generic rollback code thrown when something goes wrong during a Windows 10 upgrade.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
ms.prod: w10
ms.mktglfcycl: deploy
@@ -18,38 +18,38 @@ ms.topic: article
# Resolution procedures
**Applies to**
-- Windows 10
-
->[!NOTE]
->This is a 200 level topic (moderate).
->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+- Windows 10
+> [!NOTE]
+> This is a 200 level topic (moderate).
+> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
## 0xC1900101
-A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:
+A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:
- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp,
- Event logs: $Windows.~bt\Sources\Rollback\*.evtx
- The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log
-The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process.
+The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018).
- See the following general troubleshooting procedures associated with a result code of 0xC1900101:
+To resolve a rollback that was caused by driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process.
+See the following general troubleshooting procedures associated with a result code of 0xC1900101:
-
Code
-
0xC1900101 - 0x20004
+
Code
+
0xC1900101 - 0x20004
-
+
Cause
-
Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation
+
Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation.
This is generally caused by out-of-date drivers.
@@ -69,11 +69,11 @@ The device install log is particularly helpful if rollback occurs during the sys
-
Code
-
0xC1900101 - 0x2000c
+
Code
+
0xC1900101 - 0x2000c
-
+
Cause
Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
This is generally caused by out-of-date drivers.
@@ -91,16 +91,15 @@ The device install log is particularly helpful if rollback occurs during the sys
-
-
Code
+
Code
0xC1900101 - 0x20017
-
+
Cause
A driver has caused an illegal operation.
Windows was not able to migrate the driver, resulting in a rollback of the operating system.
@@ -113,9 +112,9 @@ The device install log is particularly helpful if rollback occurs during the sys
Mitigation
-Ensure that all that drivers are updated.
-Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
- For more information, see Understanding Failures and Log Files.
+Ensure that all that drivers are updated.
+ Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
+ For more information, see Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations.
Update or uninstall the problem drivers.
@@ -124,11 +123,11 @@ Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory,
-
Code
-
0xC1900101 - 0x30018
+
Code
+
0xC1900101 - 0x30018
-
+
Cause
A device driver has stopped responding to setup.exe during the upgrade process.
@@ -149,11 +148,11 @@ Disconnect all peripheral devices that are connected to the system, except for t
-
Code
-
0xC1900101 - 0x3000D
+
Code
+
0xC1900101 - 0x3000D
-
+
Cause
Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
This can occur due to a problem with a display driver.
@@ -175,16 +174,15 @@ Disconnect all peripheral devices that are connected to the system, except for t
-
Code
-
0xC1900101 - 0x4000D
+
Code
+
0xC1900101 - 0x4000D
-
+
Cause
A rollback occurred due to a driver configuration issue.
Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
-
- This can occur due to incompatible drivers.
+ This can occur because of incompatible drivers.
@@ -194,40 +192,39 @@ Disconnect all peripheral devices that are connected to the system, except for t
Mitigation
- Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
+Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
Review the rollback log and determine the stop code.
The rollback log is located in the C:$Windows.~BT\Sources\Panther folder. An example analysis is shown below. This example is not representative of all cases:
- Info SP Crash 0x0000007E detected
- Info SP Module name :
- Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
- Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
- Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
- Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
- Info SP Cannot recover the system.
- Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
+
+Info SP Crash 0x0000007E detected
+Info SP Module name :
+Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
+Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
+Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
+Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
+Info SP Cannot recover the system.
+Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
-
- Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
+Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
1. Make sure you have enough disk space.
2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
3. Try changing video adapters.
4. Check with your hardware vendor for any BIOS updates.
5. Disable BIOS memory options such as caching or shadowing.
-
+
-
-
Code
-
0xC1900101 - 0x40017
+
Code
+
0xC1900101 - 0x40017
-
+
Cause
Windows 10 upgrade failed after the second reboot.
This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers.
@@ -237,23 +234,61 @@ Disconnect all peripheral devices that are connected to the system, except for t
-
Mitigation
-
Clean boot into Windows, and then attempt the upgrade to Windows 10.
+
+Mitigation
+
-For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
+Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).
+
+Ensure that you select the option to "Download and install updates (recommended)."
+
+Computers that run Citrix VDA
+You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8.
+
+This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back.
+
+**Resolution**
+
+To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016).
+
+You can work around this problem in two ways
+
+**Workaround 1**
+
+1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA.
+1. Run the Windows upgrade again.
+1. Reinstall Citrix VDA.
+
+**Workaround 2**
+
+If you cannot uninstall Citrix VDA, follow these steps to work around this problem:
+
+1. In Registry Editor, go to the following subkey:
+ ```
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc
+ ```
+1. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service.
+1. Go to the following subkey:
+ ```
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
+ ```
+1. Delete the **CtxMcsWbc** entry.
+1. Restart the computer, and then try the upgrade again.
+
+> **Third-party information disclaimer**
+> The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
-
Ensure you select the option to "Download and install updates (recommended)."
-
0x800xxxxx
+## 0x800xxxxx
- Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
+Result codes that start with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
- See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
+See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
@@ -262,15 +297,13 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
Code
-
80040005 - 0x20007
-
+
Cause
-
An unspecified error occurred with a driver during the SafeOS phase.
@@ -293,17 +326,15 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
-
The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria.
@@ -324,17 +355,15 @@ These errors occur during partition analysis and validation, and can be caused b
-
Code
+
Code
-
800704B8 - 0x3001A
-
+
Cause
-
An extended error has occurred during the first boot phase.
@@ -355,17 +384,15 @@ Disable or uninstall non-Microsoft antivirus applications, disconnect all unnece
-
Code
+
Code
-
8007042B - 0x4000D
-
+
Cause
-
The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
This issue can occur due to file system, application, or driver issues.
@@ -387,17 +414,15 @@ The installation failed during the second boot phase while attempting the MIGRAT
-
Code
+
Code
-
8007001F - 0x3000D
-
+
Cause
-
The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation.
@@ -413,7 +438,8 @@ The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DAT
This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory.
-Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory.
+> [!NOTE]
+> If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory.
To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files.
@@ -424,17 +450,15 @@ To repair this error, ensure that deleted accounts are not still present in the
-
Code
+
Code
-
8007001F - 0x4000D
-
+
Cause
-
General failure, a device attached to the system is not functioning.
@@ -455,17 +479,15 @@ General failure, a device attached to the system is not functioning.
-
Code
+
Code
-
8007042B - 0x4001E
-
+
Cause
-
The installation failed during the second boot phase while attempting the PRE_OOBE operation.
@@ -488,12 +510,12 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
## Other result codes
-
+
-
Error code
-
Cause
-
Mitigation
+
Error code
+
Cause
+
Mitigation
@@ -505,10 +527,9 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
0xC1900200
Setup.exe has detected that the machine does not meet the minimum system requirements.
-
Ensure the system you are trying to upgrade meets the minimum system requirements. See Windows 10 specifications for information.
+
Ensure the system you are trying to upgrade meets the minimum system requirements. See Windows 10 specifications for information.
-
0x80090011
A device driver error occurred during user data migration.
@@ -534,13 +555,13 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
Attempt other methods of upgrading the operating system.
Download and run the media creation tool. See Download windows 10.
Attempt to upgrade using .ISO or USB.
-Note: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the Volume Licensing Service Center.
+Note Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the Volume Licensing Service Center.
0x80244018
Your machine is connected through a proxy server.
-
Make sure Automatically Detect Settings is selected in internet options. (Control Panel > Internet Options > Connections > LAN Settings).
+
Make sure Automatically Detect Settings is selected in internet options. (Control Panel > Internet Options > Connections > LAN Settings).
Restart the device and run setup again. If restarting the device does not resolve the issue, then use the Disk Cleanup utility and clean up the temporary files as well as the System files. For more information, see Disk cleanup in Windows 10.
0xC1900209
The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications.
Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See Windows 10 Pre-Upgrade Validation using SETUP.EXE for more information.
-
- You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools.
+ You can also download the Windows Assessment and Deployment Kit (ADK) for Windows 10 and install Application Compatibility Tools.
-
0x8007002
This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403)
Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)
-
The error 80072efe means that the connection with the server was terminated abnormally.
-
To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.
0x80240FFF
-
Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.
-
You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:
-
+
Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.
+
You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:
Occurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager.
+
Occurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager.
Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.
-
Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following:
Open Administrative Tools from the Control Panel.
Double-click Services.
-
Find the Windows Update service, right-click it, and then click Stop. If prompted, enter your credentials.
+
Find the Windows Update service, right-click it, and then select Stop. If prompted, enter your credentials.
Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.
@@ -630,7 +645,7 @@ Download and run the media creation tool. See Error Codes
Cause
Mitigation
0x80070003- 0x20007
@@ -657,9 +672,9 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.
-
See Windows 10 Specifications and verify the computer meets minimum requirements.
+See Windows 10 Specifications and verify the computer meets minimum requirements.
- Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).
+Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/).
0x80070004 - 0x3000D
This is a problem with data migration during the first boot phase. There are multiple possible causes.
@@ -680,7 +695,8 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
These errors indicate the computer does not have enough free space available to install the upgrade.
To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to free up drive space before proceeding with the upgrade.
- Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
+> [!NOTE]
+> If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby.
@@ -714,8 +730,8 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
| 0XC190011f | MOSETUP_E_PROCESS_CRASHED | The installation process crashed. |
| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted Eula within the required time limit. |
| 0XC1900121 | MOSETUP_E_ADVERTISE_TIMEOUT | The user has not accepted Advertisement within the required time limit. |
-| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download diskspace issues were not resolved within the required time limit. |
-| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install diskspace issues were not resolved within the required time limit. |
+| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download disk space issues were not resolved within the required time limit. |
+| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install disk space issues were not resolved within the required time limit. |
| 0XC1900124 | MOSETUP_E_COMPAT_SYSREQ_TIMEOUT | The minimum requirements compatibility issues were not resolved within the required time limit. |
| 0XC1900125 | MOSETUP_E_COMPAT_DOWNLOADREQ_TIMEOUT | The compatibility issues for download were not resolved within the required time limit. |
| 0XC1900126 | MOSETUP_E_GATHER_OS_STATE_SIGNATURE | The GatherOsState executable has invalid signature. |
@@ -744,9 +760,9 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
| 0XC1900209 | MOSETUP_E_COMPAT_INSTALLREQ_CANCEL | The user has chosen to cancel because the system does not pass the compat scan to install the update. |
| 0XC190020a | MOSETUP_E_COMPAT_RECOVERYREQ_BLOCK | The system does not pass the minimum requirements to recover Windows. |
| 0XC190020b | MOSETUP_E_COMPAT_RECOVERYREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to recover Windows. |
-| 0XC190020c | MOSETUP_E_DOWNLOADDISKSPACE_BLOCK | The system does not pass the diskspace requirements to download the payload. |
+| 0XC190020c | MOSETUP_E_DOWNLOADDISKSPACE_BLOCK | The system does not pass the disk space requirements to download the payload. |
| 0XC190020d | MOSETUP_E_DOWNLOADDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to download. |
-| 0XC190020e | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The system does not pass the diskspace requirements to install the payload. |
+| 0XC190020e | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The system does not pass the disk space requirements to install the payload. |
| 0XC190020f | MOSETUP_E_INSTALLDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to install. |
| 0XC1900210 | MOSETUP_E_COMPAT_SCANONLY | The user has used the setup.exe command line to do scanonly, not to install the OS. |
| 0XC1900211 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_BLOCK | The system does not pass the disk space requirements to download and unpack media. |
@@ -765,8 +781,8 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
## Related topics
-[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
- [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
- [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
- [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
+- [Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
+- [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
+- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
+- [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/home?category=Windows10ITPro)
+- [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
index e06f80e04b..c429b8496c 100644
--- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
@@ -3,7 +3,7 @@ title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+description: Understanding the Windows 10 upgrade process can help you troubleshoot errors when something goes wrong. Find out more with this guide.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index 7f4624ce3a..5bb2a95e0c 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -3,7 +3,7 @@ title: Upgrade error codes - Windows IT Pro
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+description: Understand the error codes that may come up if something goes wrong during the Windows 10 upgrade process.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
ms.prod: w10
ms.mktglfcycl: deploy
@@ -30,7 +30,7 @@ If the upgrade process is not successful, Windows Setup will return two codes:
1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error.
2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.
->For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**.
+For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**.
Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/kb/3159635) then only a result code might be returned.
@@ -39,7 +39,7 @@ Note: If only a result code is returned, this can be because a tool is being use
## Result codes
->A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article.
+A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article.
The following set of result codes are associated with [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings:
@@ -77,7 +77,8 @@ Some result codes are self-explanatory, whereas others are more generic and requ
## Extend codes
->**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
+>[!IMPORTANT]
+>Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation:
diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
index af934eec08..58e8a9e6c2 100644
--- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
+++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
@@ -33,7 +33,7 @@ In order to use the direct connection scenario, set the parameter **ClientProxy=
### Connection through the WinHTTP proxy
-This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication.
+This is the first and most simple proxy scenario.
In order to set the WinHTTP proxy system-wide on your computers, you need to
- Use the command netsh winhttp set proxy \:\
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
index 513ae0cfd8..c6118f8f14 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
@@ -1,6 +1,6 @@
---
title: Perform in-place upgrade to Windows 10 via Configuration Manager
-description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process.
+description: In-place upgrades make upgrading Windows 7, Windows 8, and Windows 8.1 to Windows 10 easy -- you can even automate the whole process with a SCCM task sequence.
ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index 499fef06bd..562773ef21 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -3,7 +3,7 @@ title: Windows error reporting - Windows IT Pro
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
+description: Learn how to review the events generated by Windows Error Reporting when something goes wrong during Windows 10 setup.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md
index 1ee21e76d4..74dbc40088 100644
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@@ -1,59 +1,60 @@
----
-title: User State Migration Tool (USMT) Technical Reference (Windows 10)
-description: The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
-ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# User State Migration Tool (USMT) Technical Reference
-The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
-
-Download the Windows ADK [from this website](https://go.microsoft.com/fwlink/p/?LinkID=526803).
-
-**USMT support for Microsoft Office**
->USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
->USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016.
-
-USMT includes three command-line tools:
-
-- ScanState.exe
-- LoadState.exe
-- UsmtUtils.exe
-
-USMT also includes a set of three modifiable .xml files:
-
-- MigApp.xml
-- MigDocs.xml
-- MigUser.xml
-
-Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
-
-USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564).
-
-## In This Section
-|Topic |Description|
-|------|-----------|
-|[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)|Describes what’s new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.|
-|[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.|
-|[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.|
-|[User State Migration Toolkit (USMT) Reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.|
-
-## Related topics
-- [Windows Assessment and Deployment Kit](https://msdn.microsoft.com/library/windows/hardware/dn247001.aspx)
-
-
-
-
-
-
-
-
-
+---
+title: User State Migration Tool (USMT) Technical Reference (Windows 10)
+description: The User State Migration Tool (USMT) provides a highly customizable user-profile migration experience for IT professionals.
+ms.assetid: f90bf58b-5529-4520-a9f8-b6cb4e4d3add
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# User State Migration Tool (USMT) Technical Reference
+The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
+
+Download the Windows ADK [from this website](https://go.microsoft.com/fwlink/p/?LinkID=526803).
+
+**USMT support for Microsoft Office**
+>USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
+>USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016.
+
+USMT includes three command-line tools:
+
+- ScanState.exe
+- LoadState.exe
+- UsmtUtils.exe
+
+USMT also includes a set of three modifiable .xml files:
+
+- MigApp.xml
+- MigDocs.xml
+- MigUser.xml
+
+Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
+
+USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564).
+
+## In This Section
+|Topic |Description|
+|------|-----------|
+|[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)|Describes what’s new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.|
+|[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.|
+|[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.|
+|[User State Migration Toolkit (USMT) Reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.|
+
+## Related topics
+- [Windows Assessment and Deployment Kit](https://msdn.microsoft.com/library/windows/hardware/dn247001.aspx)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/volume-activation/images/vamt-known-issue-message.png b/windows/deployment/volume-activation/images/vamt-known-issue-message.png
new file mode 100644
index 0000000000..5ce1a31e1f
Binary files /dev/null and b/windows/deployment/volume-activation/images/vamt-known-issue-message.png differ
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index c5c02eb7d8..6ced1398db 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -1,232 +1,232 @@
----
-title: Plan for volume activation (Windows 10)
-description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer.
-ms.assetid: f84b005b-c362-4a70-a84e-4287c0d2e4ca
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: vamt, volume activation, activation, windows activation
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 09/27/2017
-ms.topic: article
----
-
-# Plan for volume activation
-
-**Applies to**
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
-
-**Looking for retail activation?**
-
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
-
-*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and has not been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation.
-
-During the activation process, information about the specific installation is examined. In the case of online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they cannot be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft does not use this information to identify or contact the user or the organization.
-
->[!NOTE]
->The IP address is used only to verify the location of the request, because some editions of Windows (such as “Starter” editions) can only be activated within certain geographical target markets.
-
-## Distribution channels and activation
-
-In general, Microsoft software is obtained through three main channels: retail, original equipment manufacturer (OEM), and volume licensing agreements. Different activations methods are available through each channel. Because organizations are free to obtain software through multiple channels (for example, buying some at retail and others through a volume licensing program) most organizations choose to use a combination of activation methods.
-
-### Retail activations
-
-The retail activation method has not changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available.
-Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys.
-
-### Original equipment manufacturer
-
-Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware (BIOS) of the computer. This occurs before the computer is sent to the customer, and no additional actions are required.
-OEM activation is valid as long as the customer uses the OEM-provided image on the system. OEM activation is available only for computers that are purchased through OEM channels and have the Windows operating system preinstalled.
-
-### Volume licensing
-
-Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft.There is a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer:
-- Have the license preinstalled through the OEM.
-- Purchase a fully packaged retail product.
-
-The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised.
-Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing.
-
-**Note**
-Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.
-
-## Activation models
-
-For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps.
-
-With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose:
-- Online activation
-- Telephone activation
-- VAMT proxy activation
-
-Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models:
-- MAKs
-- KMS
-- Active Directory-based activation
-
-**Note**
-A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative.
-Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607).
-
-### Multiple activation key
-
-A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also
-allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS.
-
-To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation.
-In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can assist in tracking the number of activations that have been performed with each key and how many remain.
-
-Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft.
-
-### Key Management Service
-
-With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that does not require a dedicated system and can easily be cohosted on a system that provides other services.
-
-Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user.
-
-The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*.
-
-Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. Only rarely would more than two KMS hosts be used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide.
-
-### Active Directory-based activation
-
-Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer does not need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device.
-
-Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it is impractical to connect to a KMS, or would not reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company’s domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence.
-
-## Network and connectivity
-
-A modern business network has many nuances and interconnections. This section examines evaluating your network and the connections that are available to determine how volume activations will occur.
-
-### Core network
-
-Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that is not a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the vast majority of the business network.
-
-In the core network, a centralized KMS solution is usually recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that are not joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8.
-
-A typical core network that includes a KMS host is shown in Figure 1.
-
-
-
-**Figure 1**. Typical core network
-
-### Isolated networks
-
-In a large network, it is all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues.
-
-**Isolated for security**
-
-Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization.
-
-If the isolated network can access the core network by using outbound requests on TCP port 1688, and it is allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds.
-
-If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2.
-
-If the isolated network cannot communicate with the core network’s KMS server, and it cannot use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs.
-
-If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network.
-
-
-
-**Figure 2**. New KMS host in an isolated network
-
-**Branch offices and distant networks**
-From mining operations to ships at sea, organizations often have a few computers that are not easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options:
-- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain.
-- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server.
-- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server.
-- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option.
-
-### Disconnected computers
-
-Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this an “isolated network,” where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network.
-If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it does not support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet).
-
-### Test and development labs
-
-Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they cannot activate immediately.
-If you have ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they will be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network and use the methods described earlier in this guide.
-In labs that have a high turnover of computers and a small number of KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days.
-
-## Mapping your network to activation methods
-
-Now it’s time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you have collected the information you need to determine which activation methods will work best for you. You can fill-in information in Table 1 to help you make this determination.
-
-**Table 1**. Criteria for activation methods
-
-|Criterion |Activation method |
-|----------|------------------|
-|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation |
-|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days
Note The core network must meet the KMS activation threshold. |KMS (central) |
-|Number of computers that do not connect to the network at least once every 180 days (or if no network meets the activation threshold) |MAM |
-|Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) |
-|Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) |
-|Number of computers in isolated networks where the KMS activation threshold is not met |MAK |
-|Number of computers in test and development labs that will not be activated |None|
-|Number of computers that do not have a retail volume license |Retail (online or phone) |
-|Number of computers that do not have an OEM volume license |OEM (at factory) |
-|Total number of computer activations
Note This total should match the total number of licensed computers in your organization. |
-
-## Choosing and acquiring keys
-
-When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways:
-- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License.
-- Contact your [Microsoft Activation Center](https://go.microsoft.com/fwlink/p/?LinkId=618264).
-
-### KMS host keys
-
-A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is usually referred to as the *KMS host key*, but it is formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools.
-
-A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You will need a KMS host key for any KMS that you want to set up and if you are going to use Active Directory-based activation.
-
-### Generic volume licensing keys
-
-When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you are creating. GVLKs are also referred to as KMS client setup keys.
-
-Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. Note that the GLVK will not activate the software against Microsoft activation servers, only against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential.
-
-Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx).
-
-### Multiple activation keys
-
-You will also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT.
-
-## Selecting a KMS host
-
-The KMS does not require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers.
-KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.
-A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS will become less important. Most organizations can use as few as two KMS hosts for their entire infrastructure.
-
-The flow of KMS activation is shown in Figure 3, and it follows this sequence:
-
-1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key.
-2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests.
-3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment does not support DNS dynamic update protocol.)
-4. A client configured with a GVLK uses DNS to locate the KMS host.
-5. The client sends one packet to the KMS host.
-6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs are not stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again.
-7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host.
-8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again.
-
-
-
-**Figure 3**. KMS activation flow
-
-## See also
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
-
-
+---
+title: Plan for volume activation (Windows 10)
+description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer.
+ms.assetid: f84b005b-c362-4a70-a84e-4287c0d2e4ca
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: vamt, volume activation, activation, windows activation
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.topic: article
+---
+
+# Plan for volume activation
+
+**Applies to**
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+**Looking for retail activation?**
+
+- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+
+*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and has not been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation.
+
+During the activation process, information about the specific installation is examined. For online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they cannot be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft does not use this information to identify or contact the user or the organization.
+
+>[!NOTE]
+>The IP address is used only to verify the location of the request, because some editions of Windows (such as “Starter” editions) can only be activated within certain geographical target markets.
+
+## Distribution channels and activation
+
+In general, Microsoft software is obtained through three main channels: retail, original equipment manufacturer (OEM), and volume licensing agreements. Different activations methods are available through each channel. Because organizations are free to obtain software through multiple channels (for example, buying some at retail and others through a volume licensing program) most organizations choose to use a combination of activation methods.
+
+### Retail activations
+
+The retail activation method has not changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available.
+Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys.
+
+### Original equipment manufacturer
+
+Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware (BIOS) of the computer. This occurs before the computer is sent to the customer, and no additional actions are required.
+OEM activation is valid as long as the customer uses the OEM-provided image on the system. OEM activation is available only for computers that are purchased through OEM channels and have the Windows operating system preinstalled.
+
+### Volume licensing
+
+Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft.There is a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer:
+- Have the license preinstalled through the OEM.
+- Purchase a fully packaged retail product.
+
+The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised.
+Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing.
+
+**Note**
+Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.
+
+## Activation models
+
+For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps.
+
+With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose:
+- Online activation
+- Telephone activation
+- VAMT proxy activation
+
+Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models:
+- MAKs
+- KMS
+- Active Directory-based activation
+
+**Note**
+Token-based activation is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
+Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607).
+
+### Multiple activation key
+
+A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also
+allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS.
+
+To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation.
+In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can assist in tracking the number of activations that have been performed with each key and how many remain.
+
+Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft.
+
+### Key Management Service
+
+With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that does not require a dedicated system and can easily be cohosted on a system that provides other services.
+
+Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user.
+
+The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*.
+
+Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. Only rarely will more than two KMS hosts be used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide.
+
+### Active Directory-based activation
+
+Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer does not need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device.
+
+Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it is impractical to connect to a KMS, or would not reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company’s domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence.
+
+## Network and connectivity
+
+A modern business network has many nuances and interconnections. This section examines evaluating your network and the connections that are available to determine how volume activations will occur.
+
+### Core network
+
+Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that is not a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the vast majority of the business network.
+
+In the core network, a centralized KMS solution is recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that are not joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8.
+
+A typical core network that includes a KMS host is shown in Figure 1.
+
+
+
+**Figure 1**. Typical core network
+
+### Isolated networks
+
+In a large network, it is all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues.
+
+**Isolated for security**
+
+Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization.
+
+If the isolated network can access the core network by using outbound requests on TCP port 1688, and it is allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds.
+
+If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2.
+
+If the isolated network cannot communicate with the core network’s KMS server, and it cannot use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs.
+
+If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network.
+
+
+
+**Figure 2**. New KMS host in an isolated network
+
+**Branch offices and distant networks**
+From mining operations to ships at sea, organizations often have a few computers that are not easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options:
+- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain.
+- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server.
+- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server.
+- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option.
+
+### Disconnected computers
+
+Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this an “isolated network,” where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network.
+If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it does not support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet).
+
+### Test and development labs
+
+Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they cannot activate immediately.
+If you have ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they will be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network and use the methods described earlier in this guide.
+In labs that have a high turnover of computers and a small number of KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days.
+
+## Mapping your network to activation methods
+
+Now it’s time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you have collected the information you need to determine which activation methods will work best for you. You can fill-in information in Table 1 to help you make this determination.
+
+**Table 1**. Criteria for activation methods
+
+|Criterion |Activation method |
+|----------|------------------|
+|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation |
+|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days
Note The core network must meet the KMS activation threshold. |KMS (central) |
+|Number of computers that do not connect to the network at least once every 180 days (or if no network meets the activation threshold) | MAK |
+|Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) |
+|Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) |
+|Number of computers in isolated networks where the KMS activation threshold is not met |MAK |
+|Number of computers in test and development labs that will not be activated |None|
+|Number of computers that do not have a retail volume license |Retail (online or phone) |
+|Number of computers that do not have an OEM volume license |OEM (at factory) |
+|Total number of computer activations
Note This total should match the total number of licensed computers in your organization. |
+
+## Choosing and acquiring keys
+
+When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways:
+- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License.
+- Contact your [Microsoft Activation Center](https://go.microsoft.com/fwlink/p/?LinkId=618264).
+
+### KMS host keys
+
+A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is usually referred to as the *KMS host key*, but it is formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools.
+
+A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You will need a KMS host key for any KMS that you want to set up and if you are going to use Active Directory-based activation.
+
+### Generic volume licensing keys
+
+When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you are creating. GVLKs are also referred to as KMS client setup keys.
+
+Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. The GLVK will not activate the software against Microsoft activation servers, but rather against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential.
+
+Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx).
+
+### Multiple activation keys
+
+You will also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT.
+
+## Selecting a KMS host
+
+The KMS does not require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers.
+KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.
+A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS will become less important. Most organizations can use as few as two KMS hosts for their entire infrastructure.
+
+The flow of KMS activation is shown in Figure 3, and it follows this sequence:
+
+1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key.
+2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests.
+3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment does not support DNS dynamic update protocol.)
+4. A client configured with a GVLK uses DNS to locate the KMS host.
+5. The client sends one packet to the KMS host.
+6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs are not stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again.
+7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host.
+8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again.
+
+
+
+**Figure 3**. KMS activation flow
+
+## See also
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+
+
diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
index 39f4344b23..07047dd903 100644
--- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
+++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
@@ -1,79 +1,80 @@
----
-title: Use the Volume Activation Management Tool (Windows 10)
-description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys.
-ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: vamt, volume activation, activation, windows activation
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.topic: article
----
-
-# Use the Volume Activation Management Tool
-
-**Applies to**
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2008 R2
-
-**Looking for retail activation?**
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
-
-The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys.
-
-By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It is a standard Microsoft Management Console snap-in, and it can be
-installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
-
-The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740).
-
-In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
-
-## Activating with the Volume Activation Management Tool
-
-You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios:
-- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
-- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation.
- By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations.
-
-## Tracking products and computers with the Volume Activation Management Tool
-
-The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
-
-
-
-**Figure 18**. The VAMT showing the licensing status of multiple computers
-
-## Tracking key usage with the Volume Activation Management Tool
-
-The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
-
-
-
-**Figure 19**. The VAMT showing key types and usage
-
-## Other Volume Activation Management Tool features
-
-The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as:
-- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
-- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers.
-- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive.
-
-For more information, see:
-- [Volume Activation Management Tool (VAMT) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618266)
-- [VAMT Step-by-Step Scenarios](https://go.microsoft.com/fwlink/p/?LinkId=618267)
-
-## See also
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
-
-
+---
+title: Use the Volume Activation Management Tool (Windows 10)
+description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to track and monitor several types of product keys.
+ms.assetid: b11f0aee-7b60-44d1-be40-c960fc6c4c47
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: vamt, volume activation, activation, windows activation
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.localizationpriority: medium
+ms.date: 07/27/2017
+ms.topic: article
+---
+
+# Use the Volume Activation Management Tool
+
+**Applies to**
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+**Looking for retail activation?**
+- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+
+The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys.
+
+By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It is a standard Microsoft Management Console snap-in, and it can be
+installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
+
+The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740).
+
+In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
+
+## Activating with the Volume Activation Management Tool
+
+You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios:
+- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
+- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation.
+ By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations.
+
+## Tracking products and computers with the Volume Activation Management Tool
+
+The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
+
+
+
+**Figure 18**. The VAMT showing the licensing status of multiple computers
+
+## Tracking key usage with the Volume Activation Management Tool
+
+The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
+
+
+
+**Figure 19**. The VAMT showing key types and usage
+
+## Other Volume Activation Management Tool features
+
+The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as:
+- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
+- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers.
+- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive.
+
+For more information, see:
+- [Volume Activation Management Tool (VAMT) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618266)
+- [VAMT Step-by-Step Scenarios](https://go.microsoft.com/fwlink/p/?LinkId=618267)
+
+## See also
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+
+
diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md
index 70933d12f6..8022121cb3 100644
--- a/windows/deployment/volume-activation/vamt-known-issues.md
+++ b/windows/deployment/volume-activation/vamt-known-issues.md
@@ -1,25 +1,69 @@
----
-title: VAMT Known Issues (Windows 10)
-description: VAMT Known Issues
-ms.assetid: 8992f1f3-830a-4ce7-a248-f3a6377ab77f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# VAMT Known Issues
-
-The following list contains the current known issues with the Volume Activation Management Tool (VAMT) 3.0.
-- The VAMT Windows Management Infrastructure (WMI) remote operations may take longer to execute if the target computer is in a sleep or standby state.
-- Recovery of Non-Genuine computers is a two-step process. VAMT can be used to install a new product key and activate the computer. However, the computer itself must visit the [Windows Genuine Advantage](https://go.microsoft.com/fwlink/p/?linkid=182914) Web site to revalidate the computer's Genuine status. Upon successfully completing this step, the computer will be restored to full functionality. For more information on recovering Non-Genuine Windows computers, go to [Windows Volume Activation](https://go.microsoft.com/fwlink/p/?linkid=184668).
-- When opening a Computer Information List (.cil file) saved in a previous version of VAMT, the edition information is not shown for each product in the center pane. Users must update the product status again to obtain the edition information.
-- The remaining activation count can only be retrieved for MAKs.
-
-
+---
+title: VAMT known issues (Windows 10)
+description: Volume Activation Management Tool (VAMT) known issues
+ms.assetid: 8992f1f3-830a-4ce7-a248-f3a6377ab77f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 12/17/2019
+ms.topic: article
+ms.custom:
+- CI 111496
+- CSSTroubleshooting
+---
+
+# VAMT known issues
+
+The following list and the section that follows contain the current known issues regarding the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1.
+
+- VAMT Windows Management Infrastructure (WMI) remote operations might take longer to execute if the target computer is in a sleep or standby state.
+- When opening a Computer Information List (CIL file) that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. Users must update the product status again to obtain the edition information.
+- The remaining activation count can only be retrieved for MAKs.
+
+## Can't add CSVLKs for Windows 10 activation to VAMT 3.1
+
+When you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the following error message:
+
+> The specified product key is invalid, or is unsupported by this version of VAMT. An update to support additional products may be available online.
+
+
+
+This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key.
+
+### Workaround
+
+To work around this issue, use one of the following methods.
+
+**Method 1**
+
+Do not add the CSVLK to the VAMT 3.1 tool. Instead, use the **slmgr.vbs /ipk \<*CSVLK*>** command-line tool to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the Slmgr.vbs tool, see [Slmgr.vbs options for obtaining volume activation information](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
+
+**Method 2**
+
+On the KMS host computer, follow these steps:
+
+1. Download the hotfix from [July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/3172614/).
+
+1. In Windows Explorer, right-click **485392_intl_x64_zip**, and then extract the hotfix to **C:\KB3058168**.
+
+1. To extract the contents of the update, open a Command Prompt window and run the following command:
+
+ ```cmd
+ expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\
+ ```
+
+1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command:
+
+ ```cmd
+ expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168
+ ```
+
+1. In the "C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716\" folder, copy the **pkeyconfig-csvlk.xrm-ms** file. Paste this file to the "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig" folder.
+
+1. Restart VAMT.
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index b517ac9410..c73cbc4546 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -1,43 +1,44 @@
----
-title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10)
-description: The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
-ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: activation
-audience: itpro
author: greg-lindsay
-ms.date: 04/25/2017
-ms.topic: article
----
-
-# Volume Activation Management Tool (VAMT) Technical Reference
-
-The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
-VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
-- Windows® 7 or above
-- Windows Server 2008 R2 or above
-
-
-**Important**
-VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or obove), Microsoft Office 2010 (or above).
-
-VAMT is only available in an EN-US (x86) package.
-
-## In this Section
-
-|Topic |Description |
-|------|------------|
-|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. |
-|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. |
-|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
-|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
-|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
-|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. |
-|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
-|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
-|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. |
-
+---
+title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10)
+description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation.
+ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: activation
+audience: itpro
+author: greg-lindsay
+ms.date: 04/25/2017
+ms.topic: article
+---
+
+# Volume Activation Management Tool (VAMT) Technical Reference
+
+The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
+VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
+- Windows® 7 or above
+- Windows Server 2008 R2 or above
+
+
+**Important**
+VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or later), Microsoft Office 2010 (or above).
+
+VAMT is only available in an EN-US (x86) package.
+
+## In this Section
+
+|Topic |Description |
+|------|------------|
+|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. |
+|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. |
+|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
+|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
+|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
+|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. |
+|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
+|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
+|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. |
+
diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md
index f308f019a8..a820b9e25b 100644
--- a/windows/deployment/volume-activation/volume-activation-windows-10.md
+++ b/windows/deployment/volume-activation/volume-activation-windows-10.md
@@ -1,6 +1,6 @@
---
title: Volume Activation for Windows 10
-description: This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.
+description: Learn how to use volume activation to deploy & activate Windows 10. Includes details for orgs that have used volume activation for earlier versions of Windows.
ms.assetid: 6e8cffae-7322-4fd3-882a-cde68187aef2
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 26151664de..ce54ecb1ff 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -1,275 +1,277 @@
----
-title: Windows 10 deployment scenarios (Windows 10)
-description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider.
-ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-keywords: upgrade, in-place, configuration, deploy
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.date: 11/06/2018
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows 10 deployment scenarios
-
-**Applies to**
-- Windows 10
-
-To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
-
-The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
-- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home).
-- Dynamic deployment methods enable you to configure applications and settings for specific use cases.
-- Traditional deployment methods use existing tools to deploy operating system images.
-
-
-
Category
-
Scenario
-
Description
-
More information
-
Modern
-
-
-[Windows Autopilot](#windows-autopilot)
-
- Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
-
-
-
-
-
->[!IMPORTANT]
->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
-
-## Modern deployment methods
-
-Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience.
-
-### Windows Autopilot
-
-Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
-
-For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
-
-### In-place upgrade
-
-For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure.
-
-Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
-
-The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process.
-
-Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.)
-
-Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
-
-- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
-
-- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
- - [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
- - [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
-
-There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
-
-- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
-- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
-- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS.
-- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken.
-
-
-## Dynamic provisioning
-
-For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this.
-
-The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
-
-### Windows 10 Subscription Activation
-
-Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation).
-
-
-### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment
-
-In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
-
-### Provisioning package configuration
-
-Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm).
-
-These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios).
-
-While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts.
-
-## Traditional deployment:
-
-New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
-
-With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.
-
-The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary:
-
-- **New computer.** A bare-metal deployment of a new machine.
-
-- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
-
-- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
-
-### New computer
-
-Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).
-
-The deployment process for the new machine scenario is as follows:
-
-1. Start the setup from boot media (CD, USB, ISO, or PXE).
-
-2. Wipe the hard disk clean and create new volume(s).
-
-3. Install the operating system image.
-
-4. Install other applications (as part of the task sequence).
-
-After taking these steps, the computer is ready for use.
-
-### Computer refresh
-
-A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.
-
-The deployment process for the wipe-and-load scenario is as follows:
-
-1. Start the setup on a running operating system.
-
-2. Save the user state locally.
-
-3. Wipe the hard disk clean (except for the folder containing the backup).
-
-4. Install the operating system image.
-
-5. Install other applications.
-
-6. Restore the user state.
-
-After taking these steps, the machine is ready for use.
-
-### Computer replace
-
-A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
-
-The deployment process for the replace scenario is as follows:
-
-1. Save the user state (data and settings) on the server through a backup job on the running operating system.
-
-2. Deploy the new computer as a bare-metal deployment.
-
- **Note** In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.
-
-## Related topics
-
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
-- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230)
-- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357)
-- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358)
-- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359)
+---
+title: Windows 10 deployment scenarios (Windows 10)
+description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios.
+ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+keywords: upgrade, in-place, configuration, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.date: 11/06/2018
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 deployment scenarios
+
+**Applies to**
+- Windows 10
+
+To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
+
+The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
+- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home).
+- Dynamic deployment methods enable you to configure applications and settings for specific use cases.
+- Traditional deployment methods use existing tools to deploy operating system images.
+
+
+
Category
+
Scenario
+
Description
+
More information
+
Modern
+
+
+[Windows Autopilot](#windows-autopilot)
+
+ Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
+
+
+
+
+
+>[!IMPORTANT]
+>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
+
+## Modern deployment methods
+
+Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience.
+
+### Windows Autopilot
+
+Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
+
+For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
+
+### In-place upgrade
+
+For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure.
+
+Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
+
+The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process.
+
+Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.)
+
+Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
+
+- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
+
+- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
+ - [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
+ - [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
+
+There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
+
+- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
+- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
+- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS.
+- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken.
+
+
+## Dynamic provisioning
+
+For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this.
+
+The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
+
+### Windows 10 Subscription Activation
+
+Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation).
+
+
+### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment
+
+In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+
+### Provisioning package configuration
+
+Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm).
+
+These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios).
+
+While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts.
+
+## Traditional deployment:
+
+New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
+
+With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.
+
+The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary:
+
+- **New computer.** A bare-metal deployment of a new machine.
+
+- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
+
+- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
+
+### New computer
+
+Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).
+
+The deployment process for the new machine scenario is as follows:
+
+1. Start the setup from boot media (CD, USB, ISO, or PXE).
+
+2. Wipe the hard disk clean and create new volume(s).
+
+3. Install the operating system image.
+
+4. Install other applications (as part of the task sequence).
+
+After taking these steps, the computer is ready for use.
+
+### Computer refresh
+
+A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.
+
+The deployment process for the wipe-and-load scenario is as follows:
+
+1. Start the setup on a running operating system.
+
+2. Save the user state locally.
+
+3. Wipe the hard disk clean (except for the folder containing the backup).
+
+4. Install the operating system image.
+
+5. Install other applications.
+
+6. Restore the user state.
+
+After taking these steps, the machine is ready for use.
+
+### Computer replace
+
+A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
+
+The deployment process for the replace scenario is as follows:
+
+1. Save the user state (data and settings) on the server through a backup job on the running operating system.
+
+2. Deploy the new computer as a bare-metal deployment.
+
+ **Note** In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.
+
+## Related topics
+
+- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230)
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357)
+- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358)
+- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359)
diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md
index c9973b520d..2bf8998e1e 100644
--- a/windows/deployment/windows-10-deployment-tools.md
+++ b/windows/deployment/windows-10-deployment-tools.md
@@ -1,6 +1,6 @@
---
title: Windows 10 deployment tools
-description: Learn about the tools available to deploy Windows 10.
+description: Browse through documentation describing Windows 10 deployment tools. Learn how to use these these tools to successfully deploy Windows 10 to your organization.
ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index e46fc7ed24..2b435c0edc 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -1,94 +1,97 @@
----
-title: Windows 10 volume license media
-description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization.
-keywords: deploy, upgrade, update, software, media
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.date: 10/20/2017
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
author: greg-lindsay
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Windows 10 volume license media
-
-
-**Applies to**
-
-- Windows 10
-
-With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This topic provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10.
-
-## Windows 10 media
-
-To download Windows 10 installation media from the VLSC, use the product search filter to find “Windows 10.” A list of products will be displayed. The page then allows you to use your search results to download products, view keys, and view product and key descriptions.
-
-When you select a product, for example “Windows 10 Enterprise” or “Windows 10 Education”, you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness).
-
->If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx).
-
-In Windows 10, version 1709 the packaging of volume licensing media and upgrade packages is different than it has been for previous releases. Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. The following section explains this change.
-
-### Windows 10, version 1709
-
-Windows 10, version 1709 is available starting on 10/17/2017 in all relevant distribution channels. Note: An updated [Windows ADK for Windows 10](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) is also available.
-
-For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images:
-
-
-
-When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or System Center Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update.
-
-For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package:
-
-
-
-| Title | Classification | Description |
-| --- | --- | --- |
-| Feature update to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 10 Pro (VL), Windows 10 Enterprise, or Windows 10 Education to version 1709 |
-| Windows 7 and 8.1 upgrade to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 7 Professional (VL), Windows 7 Enterprise, Windows 8.1 Professional (VL), or Windows 8.1 Enterprise to Windows 10 1709 |
-
-
-
-When you approve one of these packages, it applies to all of the editions.
-
-This Semi-Annual Channel release of Windows 10 continues the Windows as a service methodology. For more information about implementing Windows as a service in your organization in order to stay up to date with Windows, see [Update Windows 10 in the enterprise](https://aka.ms/waas).
-
-
-### Language packs
-
-- **Windows 10 versions 1507 and 1511**: you can select **Windows 10 Enterprise Language Pack**, click **Download** and then select **English** and **64-bit** to see these downloads.
-- **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages.
-
-See the following example for Windows 10, version 1709:
-
-
-
-### Features on demand
-
-[Features on demand](https://blogs.technet.microsoft.com/mniehaus/2015/08/31/adding-features-including-net-3-5-to-windows-10/) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above.
-
-Features on demand is a method for adding features to your Windows 10 image that aren’t included in the base operating system image.
-
-
-## Related topics
-
-[Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/download/details.aspx?id=10585)
- [Volume Activation for Windows 10](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-windows-10)
- [Plan for volume activation](https://docs.microsoft.com/windows/deployment/volume-activation/plan-for-volume-activation-client)
- [VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150)
- [Download and burn an ISO file on the volume licensing site (VLSC)](https://support.microsoft.com/help/2472143/download-and-burn-an-iso-file-on-the-volume-licensing-site-vlsc)
-
-
-
-
-
-
-
-
-
-
+---
+title: Windows 10 volume license media
+description: Learn about volume license media in Windows 10, and channels such as the Volume License Service Center (VLSC).
+keywords: deploy, upgrade, update, software, media
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.localizationpriority: medium
+ms.date: 10/20/2017
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 volume license media
+
+
+**Applies to**
+
+- Windows 10
+
+With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This topic provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10.
+
+## Windows 10 media
+
+To download Windows 10 installation media from the VLSC, use the product search filter to find “Windows 10.” A list of products will be displayed. The page then allows you to use your search results to download products, view keys, and view product and key descriptions.
+
+When you select a product, for example “Windows 10 Enterprise” or “Windows 10 Education”, you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness).
+
+> [!NOTE]
+> If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx).
+
+In Windows 10, version 1709 the packaging of volume licensing media and upgrade packages is different than it has been for previous releases. Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. The following section explains this change.
+
+### Windows 10, version 1709
+
+Windows 10, version 1709 is available starting on 10/17/2017 in all relevant distribution channels. Note: An updated [Windows ADK for Windows 10](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) is also available.
+
+For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images:
+
+
+
+When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or System Center Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update.
+
+For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package:
+
+
+
+| Title | Classification | Description |
+| --- | --- | --- |
+| Feature update to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 10 Pro (VL), Windows 10 Enterprise, or Windows 10 Education to version 1709 |
+| Windows 7 and 8.1 upgrade to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 7 Professional (VL), Windows 7 Enterprise, Windows 8.1 Professional (VL), or Windows 8.1 Enterprise to Windows 10 1709 |
+
+
+
+When you approve one of these packages, it applies to all of the editions.
+
+This Semi-Annual Channel release of Windows 10 continues the Windows as a service methodology. For more information about implementing Windows as a service in your organization in order to stay up to date with Windows, see [Update Windows 10 in the enterprise](https://aka.ms/waas).
+
+
+### Language packs
+
+- **Windows 10 versions 1507 and 1511**: you can select **Windows 10 Enterprise Language Pack**, click **Download** and then select **English** and **64-bit** to see these downloads.
+- **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages.
+
+See the following example for Windows 10, version 1709:
+
+
+
+### Features on demand
+
+[Features on demand](https://blogs.technet.microsoft.com/mniehaus/2015/08/31/adding-features-including-net-3-5-to-windows-10/) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above.
+
+Features on demand is a method for adding features to your Windows 10 image that aren’t included in the base operating system image.
+
+
+## Related topics
+
+[Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/download/details.aspx?id=10585)
+ [Volume Activation for Windows 10](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-windows-10)
+ [Plan for volume activation](https://docs.microsoft.com/windows/deployment/volume-activation/plan-for-volume-activation-client)
+ [VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150)
+ [Download and burn an ISO file on the volume licensing site (VLSC)](https://support.microsoft.com/help/2472143/download-and-burn-an-iso-file-on-the-volume-licensing-site-vlsc)
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 8ceb4e28f5..bdb8c230c4 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -1,6 +1,6 @@
---
title: Windows 10 Subscription Activation
-description: How to dynamically enable Windows 10 Enterprise or Educations subscriptions
+description: How to dynamically enable Windows 10 Enterprise or Education subscriptions
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
@@ -85,13 +85,26 @@ For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products &
- Azure Active Directory (Azure AD) available for identity management.
- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
- >[!NOTE]
- >An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. To resolve this issue, the user must either sign in with an Azure Active Directory account, or you must disable MFA for this user during the 30-day polling period and renewal.
-
For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
+#### Muti-factor authentication
+
+An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription.
+
+To resolve this issue:
+
+If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal.
+
+If the device is running Windows 10, version 1809 or later:
+1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
+2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
+
+
+
+
+
### Windows 10 Education requirements
1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
index b64c35b077..d94b04fdcb 100644
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@@ -20,6 +20,7 @@
## [Enrollment Status Page](enrollment-status.md)
## [BitLocker encryption](bitlocker.md)
## [DFCI management](dfci-management.md)
+## [Windows Autopilot update](autopilot-update.md)
## [Troubleshooting](troubleshooting.md)
## [Known issues](known-issues.md)
diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md
index 096ebe1151..86c2c3e316 100644
--- a/windows/deployment/windows-autopilot/add-devices.md
+++ b/windows/deployment/windows-autopilot/add-devices.md
@@ -63,6 +63,9 @@ Note that the hardware hash also contains details about when it was generated, s
Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file.
+> [!Note]
+> Before uploading the CSV file on Intune, please make sure that the first row contains the device serial number, Windows product ID, hardware hash, group tag, and assigned user. If there is header information on the top of CSV file, please delete that header information. See details at [Enroll Windows devices in Intune](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot).
+
### Collecting the hardware ID from existing devices using PowerShell
The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo).
diff --git a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
index 563e086966..63f327622a 100644
--- a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
+++ b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md
@@ -2,7 +2,7 @@
title: Windows Autopilot device guidelines
ms.reviewer:
manager: laurawi
-description: Windows Autopilot deployment
+description: Learn all about hardware, firmware, and software best practices for Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md
index b527168e97..e2ac992f75 100644
--- a/windows/deployment/windows-autopilot/autopilot-faq.md
+++ b/windows/deployment/windows-autopilot/autopilot-faq.md
@@ -1,6 +1,6 @@
---
title: Windows Autopilot FAQ
-ms.reviewer: This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
+ms.reviewer: This topic provides OEMs, partners, administrators, and end users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
manager: laurawi
description: Support information for Windows Autopilot
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
@@ -21,35 +21,36 @@ ms.topic: article
**Applies to: Windows 10**
-This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
+This article provides OEMs, partners, administrators, and end users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot.
-A [glossary](#glossary) of abbreviations used in this topic is provided at the end.
+A [glossary](#glossary) of abbreviations used in this article is provided at the end.
## Microsoft Partner Center
| Question | Answer |
| --- | --- |
-| In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is this needed to allow the business customer to access their devices in MSfB? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be re-used with future device uploads. |
-| How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM would need to advise the tenant to access MSfB. Auto-notification from MSfB to the tenant is being developed. |
-| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customer’s behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer, which directs the customer to a consent page in Microsoft Store for Business. The steps explaining this process are [here](registration-auth.md). |
-| Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. |
-| Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).|
-| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.
Go [here](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions) for more information. |
-| Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. |
-| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access:
1. Direct CSP: Gets direct authorization from the customer to register devices.
2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.
3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. |
+| In the Partner Center, does the Tenant ID need to be provided with every device file upload? Is it needed to allow the business customer to access their devices in Microsoft Store for Business (MSfB)? | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be reused with future device uploads. |
+| How does the customer or tenant know that their devices are ready to be claimed in MSfB? | After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM needs to advise the tenant to access MSfB. Autonotification from MSfB to the tenant is being developed. |
+| How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customer’s behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer that directs the customer to a consent page in MSfB. For more information, see [Registration](registration-auth.md). |
+| Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a Cloud Solution Provider (CSP) using the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. |
+| Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing Azure Active Directory (Azure AD) domain join in OOBE to a standard account (versus an administrator account by default).|
+| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account that has access to devices for testing the file. This can be done today in the Partner Center.
For more information, see [Create user accounts and set permissions](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions). |
+| Must I become a CSP to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. |
+| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority and access:
1. Direct CSP: Gets direct authorization from the customer to register devices.
2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.
3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which means that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. |
+
## Manufacturing
| Question | Answer |
| --- | --- |
| What changes need to be made in the factory OS image for customer configuration settings? |No changes are required on the factory floor to enable Windows Autopilot deployment. |
-| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K Hardware Hash. |
-| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (i.e., registration) completed on their behalf. |
+| What version of the OA3 tool meets Windows Autopilot deployment requirements? | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K hardware hash. |
+| At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options? | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (that is, registration) completed on their behalf. |
| Does the OEM need to manage or collect any custom imaging files from customers and perform any image uploads to Microsoft? | No change, OEMs just send the CBRs as usual to Microsoft. No images are sent to Microsoft to enable Windows Autopilot. Windows Autopilot only customizes OOBE and allows policy configurations (disables admin account, for example). |
-| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment, otherwise no impacts. |
-| Will there be any change to the existing CBR with 4k Hardware Hash? | No. |
-| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customer’s behalf, in which case they would upload the device ID via a CSV file into Microsoft Partner Center, or use the OEM Direct API. |
+| Are there any customer impacts to upgrading from Windows 8 to Windows 10? | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment. Otherwise, there are no impacts. |
+| Will there be any change to the existing CBR with 4K hardware hash? | No. |
+| What new information needs to be sent from the OEM to Microsoft? | Nothing, unless the OEM opts to register the device on the customer’s behalf, in which case they would upload the device ID using a CSV file into Microsoft Partner Center, or use the OEM Direct API. |
| Is there a contract or amendment for an OEM to participate in Windows Autopilot Deployment? | No. |
## CSV schema
@@ -57,72 +58,72 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
| Question | Answer |
| --- | --- |
| Can a comma be used in the CSV file? | No. |
-| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file? | See the “In Microsoft Store for Business” section of this guide. |
+| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file? | See the In Microsoft Store for Business section of this guide. |
| Is there a limit to the number of devices that can be listed in the CSV file? | Yes, the CSV file can only contain 1,000 devices to apply to a single profile. If more than 1,000 devices need to be applied to a profile, the devices need to be uploaded through multiple CSV files. |
-| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers? | Microsoft recommends encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune). |
+| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers? | We recommend encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune). |
## Hardware hash
| Question | Answer |
| --- | --- |
-| Must every Hardware Hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit Hardware Hashes which meet the outlined requirement. |
-| What is the reason for needing the SMBIOS UUID, MAC Address and Disk Serial Number in the Hardware Hash details? | For creating the Hardware Hash, these are the fields that are needed to identify a device, as parts of the device are added/removed. Since we don’t have a unique identifier for Windows devices, this is the best logic to identify a device. |
-| What is difference between OA3 Hardware Hash, 4K Hardware Hash, and Windows Autopilot Hardware Hash? | None. They’re different names for the same thing. The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. |
-| What is the thought around parts replacement and/or repair for the NIC (network interface controller) and/or Disk? Will the Hardware Hash become invalid? | Yes. If you replace parts, you need to gather the new Hardware Hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, it’s a new device – you MUST have new Hardware Hash. If you replace one network card, it’s probably not a new device, and the device will function with the old Hardware Hash. However, as a best practice, you should assume the old Hardware Hash is invalid and get a new Hardware Hash after any hardware changes – this is Microsoft’s strong recommendation any time you replace parts. |
+| Must every hardware hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address, and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)? | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit hardware hashes that meet the outlined requirement. |
+| What is the reason for needing the SMBIOS UUID, MAC Address, and Disk Serial Number in the hardware hash details? | For creating the hardware hash, these are the fields that are needed to identify a device, as parts of the device are added or removed. Since we don’t have a unique identifier for Windows devices, this is the best logic to identify a device. |
+| What is difference between OA3 hardware hash, 4K hardware hash, and Windows Autopilot hardware hash? | None. They’re different names for the same thing. The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment. |
+| What is the thought around parts replacement and repair for the NIC (network interface controller) and Disk? Will the hardware hash become invalid? | Yes. If you replace parts, you need to gather the new hardware hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, it’s a new device and you must have new hardware hash. If you replace one network card, it’s probably not a new device, and the device will function with the old hardware hash. However, as a best practice, you should assume the old hardware hash is invalid and get a new hardware hash after any hardware changes. This is recommended anytime you replace parts. |
## Motherboard replacement
| Question | Answer |
| --- | --- |
-| How does Autopilot handle motherboard replacement scenarios?” | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.
To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID).
**Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.|
+| How does Autopilot handle motherboard replacement scenarios? | Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image, as is the case today.
To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K hardware hash (or device ID).
**Note**: An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID. In this case, the OEM would either have to send the new 4K hardware hash information using a CSV file to customer, and let customer reregister the device using MSfB or Intune.|
## SMBIOS
| Question | Answer |
| --- | --- |
| Any specific requirement to SMBIOS UUID? | It must be unique as specified in the Windows 10 hardware requirements. |
-| What is the requirement on the SMBIOS table to meet the Windows Autopilot Hardware Hash need? | It must meet all the Windows 10 hardware requirements. Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx). |
-| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the Hardware Hash? | No. At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub |
+| What is the requirement on the SMBIOS table to meet the Windows Autopilot hardware hash need? | It must meet all the Windows 10 hardware requirements. Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx). |
+| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the hardware hash? | No. At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub |
## Technical interface
| Question | Answer |
| --- | --- |
-| What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #? | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty/PropertyStandardQuery. Network MAC address is IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS. However the exact mechanisms/”interface” for doing this operation varies depending on the exact scenario being discussed. |
-| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen? | In short, all available values are used. In detail, there may be extra specific usage rules. The System disk serial number is more important than any other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, both will be used. |
+| What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #? | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with StorageDeviceProperty/PropertyStandardQuery. Network MAC address is IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS. However the method for performing this operation varies depending on the scenario. |
+| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number are on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen? | In short, all available values are used. In detail, there may be specific usage rules. The system disk serial number is more important than the other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, as both will be used. |
-## The end user experience
+## The end-user experience
|Question|Answer|
|----|-----|
|How do I know that I received Autopilot?|You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page.|
-|Windows Autopilot didn’t work, what do I do now?| Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information – run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). |
-| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE.|
-|What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy? |If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enroll that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience.|
-|What may be a reason why I did not receive a customized sign-in screen during Autopilot? |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.|
-|What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned? |The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device.|
-|How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.|
+|Windows Autopilot didn’t work, what do I do now?| Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that Azure AD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information: run licensingdiag.exe and send the .cab (Cabinet) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from Windows Performance Recorder (WPR). Often in these cases, users are not signing into the right Azure AD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). |
+| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? |No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is reimaged or reset, the new profile settings will take effect the next time the device goes through OOBE.|
+|What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy? |If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will not be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enroll that device into the MDM, after which the next time that device is reset, it will go through the Windows Autopilot OOBE experience.|
+|Why didn't I receive a customized sign-in screen during Autopilot? |Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.|
+|What happens if a device is registered with Azure AD but does not have a Windows Autopilot profile assigned? |The regular Azure AD OOBE will occur since no Windows Autopilot profile was assigned to the device.|
+|How can I collect logs on Autopilot?|The best way to collect logs on Windows Autopilot performance is to collect a WPR trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.|
## MDM
| Question | Answer |
| --- | --- |
-| Must we use Intune for our MDM? | No. No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune. You’ll get the best experience from Intune. |
+| Must we use Intune for our MDM? | No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune. You’ll get the best experience from Intune. |
| Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. |
| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premises configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. |
-| Must we use System Center Configuration Manager (SCCM) for Windows Autopilot | No. Co-management (described above) is optional. |
+| Must we use SCCM for Windows Autopilot | No. Co-management (described above) is optional. |
## Features
| Question | Answer |
| --- | --- |
-| Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. It’s useful for scenarios where a standard user account isn’t needed (e.g., shared devices, or KIOSK devices). |
+| Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. It’s useful for scenarios where a standard user account isn’t needed (for example, shared devices, or KIOSK devices). |
| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premises Active Directory domain controller (in addition to being Azure AD joined). |
-| Windows Autopilot reset | Removes user apps and settings from a device, but maintains AAD domain join and MDM enrollment. Useful for when transferring a device from one user to another. |
-| Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created A username hint can be added Sign-in page text can be personalized The company’s logo can be included |
-| [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Win 7/8 devices. |
+| Windows Autopilot reset | Removes user apps and settings from a device, but maintains Azure AD domain join and MDM enrollment. Useful for when transferring a device from one user to another. |
+| Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created. A username hint can be added Sign-in page text can be personalized. The company’s logo can be included |
+| [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Windows 7- and Windows 8-based devices. |
@@ -131,20 +132,20 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
|Question|Answer
|------------------|-----------------|
|If I wipe the machine and restart, will I still receive Windows Autopilot?|Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience.|
-|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.|
-|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:
Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.
**Key takeaways**: When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. |
+|Can I harvest the device fingerprint on existing machines?|Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.|
+|What is Windows 10, version 1703 7B and why does it matter?| Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients must run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:
Windows Autopilot will not apply its profiles to the machine unless Azure AD credentials match the expected Azure AD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same Azure AD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, you can determine that if the user signs into a domain with a tenant matching the one they registered with, you can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.
**Key takeaways**: When using pre-Windows 10, version 1703 7B clients the user’s domain must match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. |
|What is the impact of not updating to 7B?|See the detailed scenario described directly above.|
-|Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isn’t supported on other SKUs.|
-|Does Windows Autopilot work after MBR or image re-installation?|Yes.|
-| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune. (These are somewhat configurable but not “infinite.”) You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.|
-|What happens if a device is registered to a malicious agent? |By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur.|
-|Where is the Windows Autopilot data stored? |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.|
-|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft.|
-|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering:
1. OEM Direct API (only available to TVOs) 2. MPC via the MPC API (must be a CSP) 3. MPC via manual upload of CSV file in the UI (must be a CSP) 4. MSfB via CSV file upload 5. Intune via CSV file upload 6. Microsoft 365 Business portal via CSV file upload|
-|How many ways are there to create a Windows Autopilot profile?|There are four ways to create & assign an Windows Autopilot profile:
1. Through MPC (must be a CSP) 2. Through MSfB 3. Through Intune (or another MDM) 4. Microsoft 365 Business portal
Microsoft recommends creation and assignment of profiles through Intune. |
-| What are some common causes of registration failures? |1. Bad or missing Hardware hash entries can lead to faulty registration attempts 2. Hidden special characters in CSV files.
To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.|
+|Is Windows Autopilot supported on other SKUs, for example, Surface Hub, HoloLens, Windows Mobile.|No, Windows Autopilot isn’t supported on other SKUs.|
+|Does Windows Autopilot work after MBR or image reinstallation?|Yes.|
+| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. |There are limits to the number of devices a particular Azure AD user can enroll in Azure AD, as well as the number of devices that are supported per user in Intune. (These are configurable but not infinite.) You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.|
+|What happens if a device is registered to a malicious agent? |By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile using the Azure AD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through Azure AD to the proper Azure AD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular Azure AD OOBE will occur.|
+|Where is the Windows Autopilot data stored? |Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the Azure AD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.|
+|Why is Windows Autopilot data stored in the US and not in a sovereign cloud?|It is not customer data that we store, but business data that enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service at any time, and, in that event, the business data is removed by Microsoft.|
+|How many ways are there to register a device for Windows Autopilot|There are six ways to register a device, depending on who is doing the registering:
1. OEM Direct API (only available to TVOs) 2. MPC using the MPC API (must be a CSP) 3. MPC using manual upload of CSV file in the UI (must be a CSP) 4. MSfB using CSV file upload 5. Intune using CSV file upload 6. Microsoft 365 Business portal using CSV file upload|
+|How many ways are there to create a Windows Autopilot profile?|There are four ways to create and assign a Windows Autopilot profile:
1. Through MPC (must be a CSP) 2. Through MSfB 3. Through Intune (or another MDM) 4. Microsoft 365 Business portal
Microsoft recommends creation and assignment of profiles through Intune. |
+| What are some common causes of registration failures? |1. Bad or missing hardware hash entries can lead to faulty registration attempts 2. Hidden special characters in CSV files.
To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.|
| Is Autopilot supported on IoT devices? | Autopilot is not supported on IoT Core devices, and there are currently no plans to add this support. Autopilot is supported on Windows 10 IoT Enterprise SAC devices. Autopilot is supported on Windows 10 Enterprise LTSC 2019 and above; it is not supported on earlier versions of LTSC.|
-| Is Autopilot supported in all regions/countries? | Autopilot only supports customers using public Azure. Public Azure does not include the three entities listed below: - Azure Germany - Azure China - Azure Government So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China, the Contoso employees would not be able to use Autopilot.|
+| Is Autopilot supported in all regions/countries? | Autopilot only supports customers using global Azure. Global Azure does not include the three entities listed below: - Azure Germany - Azure China 21Vianet - Azure Government So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China 21Vianet, the Contoso employees would not be able to use Autopilot.|
## Glossary
@@ -156,8 +157,8 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e
| OEM | Original Equipment Manufacturer |
| CSP | Cloud Solution Provider |
| MSfB | Microsoft Store for Business |
-| AAD | Azure Active Directory |
-| 4K HH | 4K Hardware Hash |
+| Azure AD | Azure Active Directory |
+| 4K HH | 4K hardware hash |
| CBR | Computer Build Report |
| EC | Enterprise Commerce |
| DDS | Device Directory Service |
diff --git a/windows/deployment/windows-autopilot/autopilot-support.md b/windows/deployment/windows-autopilot/autopilot-support.md
index 233173427b..7fd687321a 100644
--- a/windows/deployment/windows-autopilot/autopilot-support.md
+++ b/windows/deployment/windows-autopilot/autopilot-support.md
@@ -1,6 +1,6 @@
---
title: Windows Autopilot support
-description: Support information for Windows Autopilot
+description: Find out who to contact for help with your Windows Autopilot installation.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/windows-autopilot/autopilot-update.md b/windows/deployment/windows-autopilot/autopilot-update.md
new file mode 100644
index 0000000000..db4094b8a8
--- /dev/null
+++ b/windows/deployment/windows-autopilot/autopilot-update.md
@@ -0,0 +1,48 @@
+---
+title: Windows Autopilot update
+ms.reviewer:
+manager: laurawi
+description: Windows Autopilot update
+keywords: Autopilot, update, Windows 10
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot update
+
+**Applies to**
+
+- Windows 10, version 1903
+
+Windows Autopilot update enables you to get the latest Autopilot features and critical issue fixes without the need to move to latest Windows OS version. With Autopilot update, organizations can keep their current OS version and still benefit from new Autopilot features and bug fixes.
+
+During the Autopilot deployment process, Windows Autopilot update has been added as a new node after the critical [Windows Zero Day Patch (ZDP) update](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) check. During the update process, Windows Autopilot devices reach out to Windows Update to check for a new Autopilot update. If there is an Autopilot update available, the device will download and install the update, then restart automatically. See the following example.
+
+ 
+ 
+ 
+
+The following diagram illustrates a typical Windows Autopilot deployment orchestration during the Out of Box Experience (OOBE) with the new Windows Autopilot update node.
+
+ 
+
+## Release cadence
+
+- When an Autopilot update is available, it is typically released on the 4th Tuesday of the month. The update could be released on a different week if there is an exception.
+- A knowledge base (KB) article will also be published to document the changes that are included in the update.
+
+For a list of released updates, see [Autopilot update history](windows-autopilot-whats-new.md#windows-autopilot-update-history).
+
+## See also
+
+[Windows Update during OOBE](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe)
+[What's new in Windows Autopilot](windows-autopilot-whats-new.md)
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
index fbe94ff0da..a5c02be0ef 100644
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -1,6 +1,6 @@
---
title: Windows Autopilot for existing devices
-description: Windows Autopilot deployment
+description: Modern desktop deployment with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
@@ -70,7 +70,7 @@ See the following examples.
Install-Module WindowsAutopilotIntune -Force
Install-Module Microsoft.Graph.Intune -Force
```
-
+
3. Enter the following lines and provide Intune administrative credentials
- Be sure that the user account you specify has sufficient administrative rights.
diff --git a/windows/deployment/windows-autopilot/images/update-flow.png b/windows/deployment/windows-autopilot/images/update-flow.png
new file mode 100644
index 0000000000..c90f54e96c
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/update-flow.png differ
diff --git a/windows/deployment/windows-autopilot/images/update1.png b/windows/deployment/windows-autopilot/images/update1.png
new file mode 100644
index 0000000000..83d98a29b5
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/update1.png differ
diff --git a/windows/deployment/windows-autopilot/images/update2.png b/windows/deployment/windows-autopilot/images/update2.png
new file mode 100644
index 0000000000..04dbcaddc1
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/update2.png differ
diff --git a/windows/deployment/windows-autopilot/images/update3.png b/windows/deployment/windows-autopilot/images/update3.png
new file mode 100644
index 0000000000..851adb58ec
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/update3.png differ
diff --git a/windows/deployment/windows-autopilot/index.md b/windows/deployment/windows-autopilot/index.md
index ae223e3032..93abebfa65 100644
--- a/windows/deployment/windows-autopilot/index.md
+++ b/windows/deployment/windows-autopilot/index.md
@@ -1,6 +1,6 @@
---
title: Windows Autopilot deployment
-description: Windows Autopilot deployment
+description: Discover resources for Windows Autopilot deployment with this guide.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md
index db8c0256dd..5be64cc194 100644
--- a/windows/deployment/windows-autopilot/known-issues.md
+++ b/windows/deployment/windows-autopilot/known-issues.md
@@ -2,7 +2,7 @@
title: Windows Autopilot known issues
ms.reviewer:
manager: laurawi
-description: Windows Autopilot deployment
+description: Inform yourself about known issues that may occur during Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md
index 6e54f66318..5cb74ed199 100644
--- a/windows/deployment/windows-autopilot/profiles.md
+++ b/windows/deployment/windows-autopilot/profiles.md
@@ -1,48 +1,49 @@
----
-title: Configure Autopilot profiles
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Configure Autopilot profiles
-
-**Applies to**
-
-- Windows 10
-
-For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices).
-
-## Profile settings
-
-The following profile settings are available:
-
-- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process.
-
-- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process.
-
-- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organization’s name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings.
-
-- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool.
-
-- **Disable local admin account creation on the device**. Organizations can decide whether the user setting up the device should have administrator access once the process is complete.
-
-- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users.
-
-- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details.
-
-## Related topics
-
-[Profile download](troubleshooting.md#profile-download)
-[Registering devices](add-devices.md)
+---
+title: Configure Autopilot profiles
+description: Learn how to configure device profiles while performing a Windows Autopilot deployment.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.reviewer: mniehaus
+manager: laurawi
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Configure Autopilot profiles
+
+**Applies to**
+
+- Windows 10
+
+For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices).
+
+## Profile settings
+
+The following profile settings are available:
+
+- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process.
+
+- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process.
+
+- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organization’s name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings.
+
+- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool.
+
+- **Disable local admin account creation on the device**. Organizations can decide whether the user setting up the device should have administrator access once the process is complete.
+
+- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users.
+
+- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details.
+
+## Related topics
+
+[Profile download](troubleshooting.md#profile-download)
+[Registering devices](add-devices.md)
diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md
index 9ae9105cbd..a91c17be27 100644
--- a/windows/deployment/windows-autopilot/registration-auth.md
+++ b/windows/deployment/windows-autopilot/registration-auth.md
@@ -1,81 +1,86 @@
----
-title: Windows Autopilot customer consent
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot customer consent
-
-**Applies to: Windows 10**
-
-This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf.
-
-## CSP authorization
-
-CSP partners can get customer authorization to register Windows Autopilot devices on the customer’s behalf per the following restrictions:
-
-
-
Direct CSP
Gets direct authorization from the customer to register devices.
-
Indirect CSP Provider
Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.
-
Indirect CSP Reseller
Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs.
-
-
-### Steps
-
-For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process:
-
-1. CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf. To do so:
- - CSP logs into Microsoft Partner Center
- - Click **Dashboard** on the top menu
- - Click **Customer** on the side menu
- - Click the **Request a reseller relationship** link:
- 
- - Select the checkbox indicating whether or not you want delegated admin rights:
- 
- - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
- - Send the template above to the customer via email.
-2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:
-
- 
-
- NOTE: A user without global admin privileges who clicks the link will see a message similar to the following:
-
- 
-
-3. Customer selects the **Yes** checkbox, followed by the **Accept** button. Authorization happens instantaneously.
-4. The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSP’s MPC account under their **customers** list, for example:
-
-
-
-## OEM authorization
-
-Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com.
-
-1. OEM emails link to their customer.
-2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page:
-
- 
-
- NOTE: A user without global admin privileges who clicks the link will see a message similar to the following:
-
- 
-3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and they’re done. Authorization happens instantaneously.
-
-4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process.
-
-## Summary
-
-At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked.
-
+---
+title: Windows Autopilot customer consent
+description: Learn how a cloud service provider (CSP) partner or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.reviewer: mniehaus
+manager: laurawi
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot customer consent
+
+**Applies to: Windows 10**
+
+This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf.
+
+## CSP authorization
+
+CSP partners can get customer authorization to register Windows Autopilot devices on the customer’s behalf per the following restrictions:
+
+
+
Direct CSP
Gets direct authorization from the customer to register devices.
+
Indirect CSP Provider
Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.
+
Indirect CSP Reseller
Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs.
+
+
+### Steps
+
+For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process:
+
+1. CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf. To do so:
+ - CSP logs into Microsoft Partner Center
+ - Click **Dashboard** on the top menu
+ - Click **Customer** on the side menu
+ - Click the **Request a reseller relationship** link:
+ 
+ - Select the checkbox indicating whether or not you want delegated admin rights:
+ 
+ - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
+ - Send the template above to the customer via email.
+2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:
+
+ 
+
+ > [!NOTE]
+ > A user without global admin privileges who clicks the link will see a message similar to the following:
+
+ 
+
+3. Customer selects the **Yes** checkbox, followed by the **Accept** button. Authorization happens instantaneously.
+4. The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSP’s MPC account under their **customers** list, for example:
+
+
+
+## OEM authorization
+
+Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com.
+
+1. OEM emails link to their customer.
+2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page:
+
+ 
+
+ > [!NOTE]
+ > A user without global admin privileges who clicks the link will see a message similar to the following:
+
+ 
+3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and they’re done. Authorization happens instantaneously.
+
+4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process.
+
+ > [!NOTE]
+ > During the OEM authorization registration process, no delegated admin permissions are granted to the OEM.
+
+## Summary
+
+At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked.
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
index ca49b045ee..4bdb15131d 100644
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -1,6 +1,6 @@
---
title: Windows Autopilot Self-Deploying mode
-description: Windows Autopilot deployment
+description: Self-deploying mode allows a device to be deployed with little to no user interaction. This mode mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
index f2e35ade30..63437b2ab3 100644
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -1,6 +1,6 @@
---
title: Troubleshooting Windows Autopilot
-description: Windows Autopilot deployment
+description: Learn how to handle issues as they arise during the Windows Autopilot deployment process.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md
index ae6ae398bc..e8fdb8a2c2 100644
--- a/windows/deployment/windows-autopilot/user-driven.md
+++ b/windows/deployment/windows-autopilot/user-driven.md
@@ -1,6 +1,6 @@
---
title: Windows Autopilot User-Driven Mode
-description: Windows Autopilot deployment
+description: Windows Autopilot user-driven mode allows devices to be deployed to a ready-to-use state without requiring help from IT personnel.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index e11c96bd77..1b234651ad 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -2,7 +2,7 @@
title: Windows Autopilot requirements
ms.reviewer:
manager: laurawi
-description: Windows Autopilot deployment
+description: Inform yourself about software, networking, licensing, and configuration requirements for Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
index d0424dce3f..e114e9f5ec 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
@@ -1,6 +1,6 @@
---
title: Windows Autopilot Reset
-description: Windows Autopilot deployment
+description: Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and easily.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
@@ -9,7 +9,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
@@ -31,7 +32,9 @@ The Windows Autopilot Reset process automatically retains information from the e
- Azure Active Directory device membership and MDM enrollment information.
Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed.
-
+When Autopilot reset is used on a device, the device's primary user will be removed. The next user who signs in after the reset will be set as the primary user.
+
+
>[!NOTE]
>The Autopilot Reset does not support Hybrid Azure AD joined devices.
@@ -84,7 +87,7 @@ Performing a local Windows Autopilot Reset is a two-step process: trigger it and
1. From the Windows device lock screen, enter the keystroke: **CTRL +  + R**.
- 
+ 
This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes:
1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
index 5ee0171987..ab95bacbee 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
@@ -1,67 +1,70 @@
----
-title: Windows Autopilot scenarios and capabilities
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.reviewer: mniehaus
-manager: laurawi
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot scenarios and capabilities
-
-**Applies to: Windows 10**
-
-## Scenarios
-
-Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management).
-
-The following Windows Autopilot scenarios are described in this guide:
-
-| Scenario | More information |
-| --- | --- |
-| Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md) |
-| Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.| [Windows Autopilot self-deploying mode](self-deploying.md) |
-| Re-deploy a device in a business-ready state.| [Windows Autopilot Reset](windows-autopilot-reset.md) |
-| Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) |
-| Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) |
-
-## Windows Autopilot capabilities
-
-### Windows Autopilot is self-updating during OOBE
-
-Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates.
-
-### Cortana voiceover and speech recognition during OOBE
-
-In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.
-
-If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default.
-
-HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions
-
-The key value is a DWORD with **0** = disabled and **1** = enabled.
-
-| Value | Description |
-| --- | --- |
-| 0 | Cortana voiceover is disabled |
-| 1 | Cortana voiceover is enabled |
-| No value | Device will fall back to default behavior of the edition |
-
-To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce).
-
-### Bitlocker encryption
-
-With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md)
-
-## Related topics
-
-[Windows Autopilot: What's new](windows-autopilot-whats-new.md)
+---
+title: Windows Autopilot scenarios and capabilities
+description: Follow along with several typical Windows Autopilot deployment scenarios, such as re-deploying a device in a business-ready state.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.reviewer: mniehaus
+manager: laurawi
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot scenarios and capabilities
+
+**Applies to: Windows 10**
+
+## Scenarios
+
+Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management).
+
+The following Windows Autopilot scenarios are described in this guide:
+
+| Scenario | More information |
+| --- | --- |
+| Deploy devices that will be set up by a member of the organization and configured for that person | [Windows Autopilot user-driven mode](user-driven.md) |
+| Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.| [Windows Autopilot self-deploying mode](self-deploying.md) |
+| Re-deploy a device in a business-ready state.| [Windows Autopilot Reset](windows-autopilot-reset.md) |
+| Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) |
+| Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) |
+
+## Windows Autopilot capabilities
+
+### Windows Autopilot is self-updating during OOBE
+
+Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates.
+
+See [Windows Autopilot update](autopilot-update.md) for more information.
+
+### Cortana voiceover and speech recognition during OOBE
+
+In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs.
+
+If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default.
+
+HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions
+
+The key value is a DWORD with **0** = disabled and **1** = enabled.
+
+| Value | Description |
+| --- | --- |
+| 0 | Cortana voiceover is disabled |
+| 1 | Cortana voiceover is enabled |
+| No value | Device will fall back to default behavior of the edition |
+
+To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce).
+
+### Bitlocker encryption
+
+With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md)
+
+## Related topics
+
+[Windows Autopilot: What's new](windows-autopilot-whats-new.md)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
index 36ee6c06ad..b10120467d 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
@@ -1,51 +1,58 @@
----
-title: Windows Autopilot what's new
-ms.reviewer:
-manager: laurawi
-description: Windows Autopilot deployment
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-
-# Windows Autopilot: What's new
-
-**Applies to**
-
-- Windows 10
-
-## New in Windows 10, version 1903
-
-[Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video:
-
-
-
-> [!VIDEO https://www.youtube.com/embed/nE5XSOBV0rI]
-
-Also new in this version of Windows:
-- The Intune enrollment status page (ESP) now tracks Intune Management Extensions.
-- [Cortana voiceover and speech recognition during OOBE](windows-autopilot-scenarios.md#cortana-voiceover-and-speech-recognition-during-oobe) is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- [Windows Autopilot is self-updating during OOBE](windows-autopilot-scenarios.md#windows-autopilot-is-self-updating-during-oobe). Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE.
-
-## New in Windows 10, version 1809
-
-Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
-
-You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
-
->[!NOTE]
->Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
-
-## Related topics
-
-[What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)
-[What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/)
+---
+title: Windows Autopilot what's new
+ms.reviewer:
+manager: laurawi
+description: Read news and resources about the latest updates and past versions of Windows Autopilot.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: deploy
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+
+# Windows Autopilot: What's new
+
+**Applies to**
+
+- Windows 10
+
+## Windows Autopilot update history
+
+The following [Windows Autopilot updates](autopilot-update.md) are available. **Note**: Updates are automatically downloaded and applied during the Windows Autopilot deployment process.
+
+No updates are available yet. Check back here later for more information.
+
+## New in Windows 10, version 1903
+
+[Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video:
+
+
+
+> [!VIDEO https://www.youtube.com/embed/nE5XSOBV0rI]
+
+Also new in this version of Windows:
+- The Intune enrollment status page (ESP) now tracks Intune Management Extensions.
+- [Cortana voiceover and speech recognition during OOBE](windows-autopilot-scenarios.md#cortana-voiceover-and-speech-recognition-during-oobe) is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
+- [Windows Autopilot is self-updating during OOBE](windows-autopilot-scenarios.md#windows-autopilot-is-self-updating-during-oobe). Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
+- Windows Autopilot will set the diagnostics data level to Full on Windows 10 version 1903 and later during OOBE.
+
+## New in Windows 10, version 1809
+
+Windows Autopilot [self-deploying mode](self-deploying.md) enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured by Windows Autopilot. This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
+
+You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
+
+>[!NOTE]
+>Window 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
+
+## Related topics
+
+[What's new in Microsoft Intune](https://docs.microsoft.com/intune/whats-new)
+[What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md
index 04f3d13f0c..7079e66d14 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot.md
@@ -1,6 +1,6 @@
---
title: Overview of Windows Autopilot
-description: Windows Autopilot deployment
+description: Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.reviewer: mniehaus
manager: laurawi
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index 72b8aaf445..8c74c372fe 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -1,6 +1,6 @@
---
title: Windows 10 deployment scenarios and tools
-description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process.
+description: Learn about the tools you can use to deploy Windows 10 and related applications to your organization. Explore deployment scenarios.
ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
ms.reviewer:
manager: laurawi
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index b850fee41f..07a8ea153b 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -46,7 +46,8 @@
"depot_name": "MSDN.windows-hub",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "titleSuffix": "Windows 10 for IT Pros"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index fc00e91cc2..555eb005b1 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -1,5 +1,5 @@
---
-description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10, version 1703.
title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10)
keywords: privacy, telemetry
ms.prod: w10
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index 14db4d2683..1cecae9cf2 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -1,5 +1,5 @@
---
-description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10, version 1709.
title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10)
keywords: privacy, telemetry
ms.prod: w10
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index d6eb2975ad..94306ce392 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -1,5 +1,5 @@
---
-description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10, version 1803.
title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10)
keywords: privacy, telemetry
ms.prod: w10
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index b5c02de9bd..65bf5e307f 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -1,5 +1,5 @@
---
-description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10, version 1809.
title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10)
keywords: privacy, telemetry
ms.prod: w10
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 824be067b1..894a0dd764 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -1,5 +1,5 @@
---
-description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10, version 1903.
title: Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields (Windows 10)
keywords: privacy, telemetry
ms.prod: w10
@@ -8,12 +8,12 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
-ms.author: dansimp
+ms.author: brianlic
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
audience: ITPro
-ms.date: 12/04/2019
+ms.date: 12/10/2019
---
@@ -21,8 +21,8 @@ ms.date: 12/04/2019
**Applies to**
-- Windows 10, version 1903
- Windows 10, version 1909
+- Windows 10, version 1903
The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information.
@@ -42,11 +42,13 @@ You can learn more about Windows functional and diagnostic data through these ar
- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+
+
## AppLocker events
### Microsoft.Windows.Security.AppLockerCSP.AddParams
-Parameters passed to Add function of the AppLockerCSP Node.
+This event indicates the parameters passed to the Add function of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
@@ -56,13 +58,13 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.AddStart
-Start of "Add" Operation for the AppLockerCSP Node.
+This event indicates the start of an Add operation for the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
### Microsoft.Windows.Security.AppLockerCSP.AddStop
-End of "Add" Operation for AppLockerCSP Node.
+This event indicates the end of an Add operation for the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
@@ -71,7 +73,7 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Commit
-This event returns information about the “Commit” operation in AppLockerCSP.
+This event returns information about the Commit operation in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure..
The following fields are available:
@@ -81,7 +83,7 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback
-Result of the 'Rollback' operation in AppLockerCSP.
+This event provides the result of the Rollback operation in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
@@ -91,7 +93,7 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.ClearParams
-Parameters passed to the "Clear" operation for AppLockerCSP.
+This event provides the parameters passed to the Clear operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
@@ -100,40 +102,22 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.ClearStart
-Start of the "Clear" operation for the AppLockerCSP Node.
+This event indicates the start of the Clear operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
### Microsoft.Windows.Security.AppLockerCSP.ClearStop
-End of the "Clear" operation for the AppLockerCSP node.
+This event indicates the end of the Clear operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
- **hr** HRESULT reported at the end of the 'Clear' function.
-### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart
-
-Start of the "ConfigManagerNotification" operation for AppLockerCSP.
-
-The following fields are available:
-
-- **NotifyState** State sent by ConfigManager to AppLockerCSP.
-
-
-### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop
-
-End of the "ConfigManagerNotification" operation for AppLockerCSP.
-
-The following fields are available:
-
-- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP.
-
-
### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams
-Parameters passed to the CreateNodeInstance function of the AppLockerCSP node.
+This event provides the parameters that were passed to the Create Node Instance operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
@@ -144,13 +128,13 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart
-Start of the "CreateNodeInstance" operation for the AppLockerCSP node.
+This event indicates the start of the Create Node Instance operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop
-End of the "CreateNodeInstance" operation for the AppLockerCSP node
+This event indicates the end of the Create Node Instance operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
@@ -159,7 +143,7 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams
-Parameters passed to the DeleteChild function of the AppLockerCSP node.
+This event provides the parameters passed to the Delete Child operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
@@ -169,13 +153,13 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart
-Start of the "DeleteChild" operation for the AppLockerCSP node.
+This event indicates the start of the Delete Child operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop
-End of the "DeleteChild" operation for the AppLockerCSP node.
+This event indicates the end of the Delete Child operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
@@ -184,7 +168,7 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies
-Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present.
+This event provides the logged Uniform Resource Identifier (URI) relative to %SYSTEM32%\AppLocker if the plug-in GUID is null or the Configuration Service Provider (CSP) doesn't believe the old policy is present.
The following fields are available:
@@ -193,7 +177,7 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams
-Parameters passed to the GetChildNodeNames function of the AppLockerCSP node.
+This event provides the parameters passed to the Get Child Node Names operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
@@ -202,13 +186,13 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart
-Start of the "GetChildNodeNames" operation for the AppLockerCSP node.
+This event indicates the start of the Get Child Node Names operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop
-End of the "GetChildNodeNames" operation for the AppLockerCSP node.
+This event indicates the end of the Get Child Node Names operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
@@ -219,7 +203,7 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.GetLatestId
-The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID).
+This event provides the latest time-stamped unique identifier in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
@@ -229,7 +213,7 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.HResultException
-HRESULT thrown by any arbitrary function in AppLockerCSP.
+This event provides the result code (HRESULT) generated by any arbitrary function in the AppLocker Configuration Service Provider (CSP).
The following fields are available:
@@ -239,26 +223,9 @@ The following fields are available:
- **line** Line in the file in the OS code base in which the exception occurs.
-### Microsoft.Windows.Security.AppLockerCSP.IsDependencySatisfiedStart
-
-Indicates the start of a call to the IsDependencySatisfied function in the Configuration Service Provider (CSP).
-
-
-
-### Microsoft.Windows.Security.AppLockerCSP.IsDependencySatisfiedStop
-
-Indicates the end of an IsDependencySatisfied function call in the Configuration Service Provider (CSP).
-
-The following fields are available:
-
-- **edpActive** Indicates whether enterprise data protection is active.
-- **hr** HRESULT that is reported.
-- **internalHr** Internal HRESULT that is reported.
-
-
### Microsoft.Windows.Security.AppLockerCSP.SetValueParams
-Parameters passed to the SetValue function of the AppLockerCSP node.
+This event provides the parameters that were passed to the SetValue operation in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
@@ -268,7 +235,7 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.SetValueStart
-Start of the "SetValue" operation for the AppLockerCSP node.
+This event indicates the start of the SetValue operation in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure.
@@ -283,7 +250,7 @@ The following fields are available:
### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies
-EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed.
+This event provides information for fixing a policy in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. It includes Uniform Resource Identifier (URI) relative to %SYSTEM32%\AppLocker that needs to be fixed.
The following fields are available:
@@ -298,132 +265,207 @@ This event lists the types of objects and how many of each exist on the client d
The following fields are available:
-- **DatasourceApplicationFile_19A** The count of the number of this particular object type present on this device.
-- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_20H1** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_20H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers.
+- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers.
+- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device.
-- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device.
-- **DatasourceDevicePnp_19A** The count of the number of this particular object type present on this device.
-- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_20H1** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device.
+- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device.
-- **DatasourceDriverPackage_19A** The count of the number of this particular object type present on this device.
-- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_20H1** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device.
+- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device.
+- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoBlock_19A** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device.
+- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPassive_19A** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
+- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_19A** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPoltUpgrade_20H1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device.
- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device.
-- **DatasourceSystemBios_19A** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_20H1** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device.
+- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device.
+- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device.
+- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device.
-- **DecisionApplicationFile_19A** The count of the number of this particular object type present on this device.
-- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_20H1** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_20H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device.
-- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device.
-- **DecisionDevicePnp_19A** The count of the number of this particular object type present on this device.
-- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_20H1** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device.
+- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device.
-- **DecisionDriverPackage_19A** The count of the number of this particular object type present on this device.
-- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_20H1** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device.
+- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoBlock_19A** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device.
+- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
+- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device.
- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPassive_19A** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
+- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device.
+- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device.
- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPostUpgrade_19A** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPoltUpgrade_20H1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
+- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device.
+- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device.
- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device.
-- **DecisionMediaCenter_19A** The count of the number of this particular object type present on this device.
-- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
+- **DecisionMediaCenter_20H1** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_20H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device.
+- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device.
+- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device.
- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device.
-- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device.
-- **DecisionSystemBios_19A** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_19ASetup** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_20H1** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_20H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device.
+- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device.
+- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device.
+- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device.
+- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device.
- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device.
- **DecisionSystemBios_RS5Setup** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device.
+- **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device.
+- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
+- **InventoryDeviceContainer** A count of device container objects in cache.
+- **InventoryDevicePnp** A count of device Plug and Play objects in cache.
+- **InventoryDriverBinary** A count of driver binary objects in cache.
+- **InventoryDriverPackage** A count of device objects in cache.
- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
- **InventorySystemBios** The count of the number of this particular object type present on this device.
+- **InventorySystemMachine** The count of the number of this particular object type present on this device.
+- **InventorySystemProcessor** The count of the number of this particular object type present on this device.
+- **InventoryTest** The count of the number of this particular object type present on this device.
- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device.
- **PCFP** The count of the number of this particular object type present on this device.
- **SystemMemory** The count of the number of this particular object type present on this device.
@@ -436,13 +478,16 @@ The following fields are available:
- **SystemWim** The total number of objects of this type present on this device.
- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
- **SystemWlan** The total number of objects of this type present on this device.
-- **Wmdrm_19A** The count of the number of this particular object type present on this device.
-- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device.
- **Wmdrm_19H1** The count of the number of this particular object type present on this device.
- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device.
+- **Wmdrm_20H1** The count of the number of this particular object type present on this device.
+- **Wmdrm_20H1Setup** The total Wmdrm objects targeting the next release of Windows on this device.
+- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
+- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers.
+- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers.
- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device.
- **Wmdrm_RS5** The count of the number of this particular object type present on this device.
-- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device.
+- **Wmdrm_TH1** The count of the number of this particular object type present on this device.
- **Wmdrm_TH2** The count of the number of this particular object type present on this device.
@@ -460,7 +505,7 @@ The following fields are available:
- **HasCitData** Indicates whether the file is present in CIT data.
- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file.
- **IsAv** Is the file an anti-virus reporting EXE?
-- **ResolveAttempted** This will always be an empty string when sending telemetry.
+- **ResolveAttempted** This will always be an empty string when sending diagnostic data.
- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file.
@@ -564,7 +609,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
-This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
+This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -586,7 +631,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
-This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -608,7 +653,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
-This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -630,7 +675,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
-This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
+This event sends compatibility database information about the BIOS to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -652,7 +697,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
-This event sends compatibility decision data about a file to help keep Windows up-to-date.
+This event sends compatibility decision data about a file to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -704,7 +749,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
-This event sends compatibility decision data about a PNP device to help keep Windows up to date.
+This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1108,7 +1153,29 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **AppraiserVersion** The version of the Appraiser binary (executable) generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemProcessorEndSync
+
+This event indicates that a full set of InventorySystemProcessorAdd events has been sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser binary (executable) generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemProcessorStartSync
+
+This event indicates that a new set of InventorySystemProcessorAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser binary (executable) generating the events.
### Microsoft.Windows.Appraiser.General.InventoryTestRemove
@@ -1198,7 +1265,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
-This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1251,7 +1318,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
-This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
+This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1275,7 +1342,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
-This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1407,6 +1474,17 @@ The following fields are available:
- **WindowsNotActivatedDecision** Is the current operating system activated?
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
+
+This event indicates that the SystemWindowsActivationStatus object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
@@ -1420,7 +1498,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWlanAdd
-This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1448,18 +1526,18 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
-This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
+This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
The following fields are available:
- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
-- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run.
- **AppraiserProcess** The name of the process that launched Appraiser.
- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
- **AuxFinal** Obsolete, always set to false.
- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
-- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **EnterpriseRun** Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
- **InboxDataVersion** The original version of the data files before retrieving any newer version.
- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated.
@@ -1468,15 +1546,15 @@ The following fields are available:
- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
-- **RunDate** The date that the telemetry run was stated, expressed as a filetime.
-- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
-- **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information.
-- **RunResult** The hresult of the Appraiser telemetry run.
+- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunResult** The hresult of the Appraiser diagnostic data run.
- **ScheduledUploadDay** The day scheduled for the upload.
-- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run.
+- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run.
- **StoreHandleIsNotNull** Obsolete, always set to false
-- **TelementrySent** Indicates if telemetry was successfully sent.
-- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **TelementrySent** Indicates whether diagnostic data was successfully sent.
+- **ThrottlingUtc** Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
- **Time** The client time of the event.
- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
@@ -1656,7 +1734,7 @@ The following fields are available:
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
-- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
@@ -1679,7 +1757,7 @@ This event sends Windows Insider data from customers participating in improvemen
The following fields are available:
- **DeviceSampleRate** The telemetry sample rate assigned to the device.
-- **DriverTargetRing** Indicates if the device is participating in receiving pre-release drivers and firmware content.
+- **DriverTargetRing** Indicates if the device is participating in receiving pre-release drivers and firmware contrent.
- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
- **FlightIds** A list of the different Windows Insider builds on this device.
- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
@@ -1698,6 +1776,7 @@ The following fields are available:
- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields.
- **D3DMaxFeatureLevel** Supported Direct3D version.
+- **DeviceColor** Indicates a color of the device.
- **DeviceForm** Indicates the form as per the device classification.
- **DeviceName** The device name that is set by the user.
- **DigitizerSupport** Is a digitizer supported?
@@ -1817,18 +1896,14 @@ The following fields are available:
- **AdvertisingId** Current state of the advertising ID setting.
- **AppDiagnostics** Current state of the app diagnostics setting.
- **Appointments** Current state of the calendar setting.
-- **AppointmentsSystem** Current state of the calendar setting.
- **Bluetooth** Current state of the Bluetooth capability setting.
- **BluetoothSync** Current state of the Bluetooth sync capability setting.
- **BroadFileSystemAccess** Current state of the broad file system access setting.
- **CellularData** Current state of the cellular data capability setting.
- **Chat** Current state of the chat setting.
-- **ChatSystem** Current state of the chat setting.
- **Contacts** Current state of the contacts setting.
-- **ContactsSystem** Current state of the Contacts setting.
- **DocumentsLibrary** Current state of the documents library setting.
- **Email** Current state of the email setting.
-- **EmailSystem** Current state of the email setting.
- **FindMyDevice** Current state of the "find my device" setting.
- **GazeInput** Current state of the gaze input setting.
- **HumanInterfaceDevice** Current state of the human interface device setting.
@@ -1840,7 +1915,6 @@ The following fields are available:
- **Microphone** Current state of the microphone setting.
- **PhoneCall** Current state of the phone call setting.
- **PhoneCallHistory** Current state of the call history setting.
-- **PhoneCallHistorySystem** Current state of the call history setting.
- **PicturesLibrary** Current state of the pictures library setting.
- **Radios** Current state of the radios setting.
- **SensorsCustom** Current state of the custom sensor setting.
@@ -1850,7 +1924,6 @@ The following fields are available:
- **USB** Current state of the USB setting.
- **UserAccountInformation** Current state of the account information setting.
- **UserDataTasks** Current state of the tasks setting.
-- **UserDataTasksSystem** Current state of the tasks setting.
- **UserNotificationListener** Current state of the notifications setting.
- **VideosLibrary** Current state of the videos library setting.
- **Webcam** Current state of the camera setting.
@@ -1936,8 +2009,9 @@ This event sends data about the current user's default preferences for browser a
The following fields are available:
- **CalendarType** The calendar identifiers that are used to specify different calendars.
-- **DefaultApp** The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
+- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
- **DefaultBrowserProgId** The ProgramId of the current user's default browser.
+- **LocaleName** Name of the current user locale given by LOCALE_SNAME via the GetLocaleInfoEx() function.
- **LongDateFormat** The long date format the user has selected.
- **ShortDateFormat** The short date format the user has selected.
@@ -1988,18 +2062,14 @@ The following fields are available:
- **AdvertisingId** Current state of the advertising ID setting.
- **AppDiagnostics** Current state of the app diagnostics setting.
- **Appointments** Current state of the calendar setting.
-- **AppointmentsSystem** Current state of the calendar setting.
- **Bluetooth** Current state of the Bluetooth capability setting.
- **BluetoothSync** Current state of the Bluetooth sync capability setting.
- **BroadFileSystemAccess** Current state of the broad file system access setting.
- **CellularData** Current state of the cellular data capability setting.
- **Chat** Current state of the chat setting.
-- **ChatSystem** Current state of the chat setting.
- **Contacts** Current state of the contacts setting.
-- **ContactsSystem** Current state of the Contacts setting.
- **DocumentsLibrary** Current state of the documents library setting.
- **Email** Current state of the email setting.
-- **EmailSystem** Current state of the email setting.
- **GazeInput** Current state of the gaze input setting.
- **HumanInterfaceDevice** Current state of the human interface device setting.
- **InkTypeImprovement** Current state of the improve inking and typing setting.
@@ -2011,7 +2081,6 @@ The following fields are available:
- **Microphone** Current state of the microphone setting.
- **PhoneCall** Current state of the phone call setting.
- **PhoneCallHistory** Current state of the call history setting.
-- **PhoneCallHistorySystem** Current state of the call history setting.
- **PicturesLibrary** Current state of the pictures library setting.
- **Radios** Current state of the radios setting.
- **SensorsCustom** Current state of the custom sensor setting.
@@ -2021,7 +2090,6 @@ The following fields are available:
- **USB** Current state of the USB setting.
- **UserAccountInformation** Current state of the account information setting.
- **UserDataTasks** Current state of the tasks setting.
-- **UserDataTasksSystem** Current state of the tasks setting.
- **UserNotificationListener** Current state of the notifications setting.
- **VideosLibrary** Current state of the videos library setting.
- **Webcam** Current state of the camera setting.
@@ -2041,6 +2109,7 @@ The following fields are available:
- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
+- **VMId** A string that uniquely identifies a virtual machine.
### Census.WU
@@ -2308,6 +2377,38 @@ The following fields are available:
- **pendingDecision** Indicates the cause of reboot, if applicable.
+### CbsServicingProvider.CbsLateAcquisition
+
+This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **Features** The list of feature packages that could not be updated.
+- **RetryID** The ID identifying the retry attempt to update the listed packages.
+
+
+### CbsServicingProvider.CbsPackageRemoval
+
+This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date.
+
+The following fields are available:
+
+- **buildVersion** The build number of the security update being uninstalled.
+- **clientId** The name of the application requesting the uninstall.
+- **currentStateEnd** The final state of the update after the operation.
+- **failureDetails** Information about the cause of a failure, if applicable.
+- **failureSourceEnd** The stage during the uninstall where the failure occurred.
+- **hrStatusEnd** The overall exit code of the operation.
+- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image.
+- **majorVersion** The major version number of the security update being uninstalled.
+- **minorVersion** The minor version number of the security update being uninstalled.
+- **originalState** The starting state of the update before the operation.
+- **pendingDecision** Indicates the cause of reboot, if applicable.
+- **primitiveExecutionContext** The state during system startup when the uninstall was completed.
+- **revisionVersion** The revision number of the security update being uninstalled.
+- **transactionCanceled** Indicates whether the uninstall was cancelled.
+
+
### CbsServicingProvider.CbsQualityUpdateInstall
This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date.
@@ -2379,6 +2480,12 @@ The following fields are available:
- **updateTargetState** A value indicating the desired state of the optional content.
+### CbsServicingProvider.CbsUpdateDeferred
+
+This event reports the results of deferring Windows Content to keep Windows up to date.
+
+
+
## Diagnostic data events
### TelClientSynthetic.AbnormalShutdown_0
@@ -2427,7 +2534,6 @@ The following fields are available:
- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed.
- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on.
- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
-- **RegKeyLastShutdownBootId** The last recorded boot ID.
- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API.
- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition.
- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file.
@@ -2484,7 +2590,6 @@ The following fields are available:
- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise.
- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise.
- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise.
-- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise.
- **CanReportScenarios** True if we can report scenario completions, false otherwise.
- **PreviousPermissions** Bitmask of previous telemetry state.
- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise.
@@ -2492,7 +2597,7 @@ The following fields are available:
### TelClientSynthetic.ConnectivityHeartBeat_0
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network.
The following fields are available:
@@ -2505,22 +2610,6 @@ The following fields are available:
- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds.
-### TelClientSynthetic.EventMonitor_0
-
-This event provides statistics for specific diagnostic events.
-
-The following fields are available:
-
-- **ConsumerCount** The number of instances seen in the Event Tracing for Windows consumer.
-- **EventName** The name of the event being monitored.
-- **EventSnFirst** The expected first event serial number.
-- **EventSnLast** The expected last event serial number.
-- **EventStoreCount** The number of events reaching the event store.
-- **MonitorSn** The serial number of the monitor.
-- **TriggerCount** The number of events reaching the trigger buffer.
-- **UploadedCount** The number of events uploaded.
-
-
### TelClientSynthetic.GetFileInfoAction_FilePathNotApproved_0
This event occurs when the DiagTrack escalation fails due to the scenario requesting a path that is not approved for GetFileInfo actions.
@@ -2528,8 +2617,6 @@ This event occurs when the DiagTrack escalation fails due to the scenario reques
The following fields are available:
- **FilePath** The unexpanded path in the scenario XML.
-- **FilePathExpanded** The file path, with environment variables expanded.
-- **FilePathExpandedScenario** The file path, with property identifiers and environment variables expanded.
- **ScenarioId** The globally unique identifier (GUID) of the scenario.
- **ScenarioInstanceId** The error code denoting which path failed (internal or external).
@@ -2613,7 +2700,7 @@ The following fields are available:
### TelClientSynthetic.HeartBeat_DevHealthMon_5
-This event sends data (for Surface Hub devices) to monitor and ensure the correct functioning of those Surface Hub devices. This data helps ensure the device is up-to-date with the latest security and safety features.
+This event sends data (for Surface Hub devices) to monitor and ensure the correct functioning of those Surface Hub devices. This data helps ensure the device is up to date with the latest security and safety features.
The following fields are available:
@@ -2722,6 +2809,89 @@ This event is a low latency health alert that is part of the 4Nines device healt
+## DISM events
+
+### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU
+
+The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last successful boot.
+
+The following fields are available:
+
+- **dismInstalledLCUPackageName** The name of the latest installed package.
+
+
+### Microsoft.Windows.StartRepairCore.DISMPendingInstall
+
+The DISM Pending Install event sends information to report pending package installation found.
+
+The following fields are available:
+
+- **dismPendingInstallPackageName** The name of the pending package.
+
+
+### Microsoft.Windows.StartRepairCore.DISMRevertPendingActions
+
+The DISM Pending Install event sends information to report pending package installation found.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+
+
+### Microsoft.Windows.StartRepairCore.DISMUninstallLCU
+
+The DISM Uninstall LCU sends information to report result of uninstall attempt for found LCU.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRepairActionEnd
+
+The DISM Uninstall LCU sends information to report result of uninstall attempt for found LCU.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+- **failedUninstallCount** The number of driver updates that failed to uninstall.
+- **failedUninstallFlightIds** The Flight IDs (identifiers of beta releases) of driver updates that failed to uninstall.
+- **foundDriverUpdateCount** The number of found driver updates.
+- **srtRepairAction** The scenario name for a repair.
+- **successfulUninstallCount** The number of successfully uninstalled driver updates.
+- **successfulUninstallFlightIds** The Flight IDs (identifiers of beta releases) of successfully uninstalled driver updates.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRepairActionStart
+
+The SRT Repair Action Start event sends information to report repair operation started for given plug-in.
+
+The following fields are available:
+
+- **srtRepairAction** The scenario name for a repair.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagEnd
+
+The SRT Root Cause Diagnosis End event sends information to report diagnosis operation completed for given plug-in.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+- **flightIds** The Flight IDs (identifier of the beta release) of found driver updates.
+- **foundDriverUpdateCount** The number of found driver updates.
+- **srtRootCauseDiag** The scenario name for a diagnosis event.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagStart
+
+The SRT Root Cause Diagnosis Start event sends information to report diagnosis operation started for given plug-in.
+
+The following fields are available:
+
+- **srtRootCauseDiag** The scenario name for a diagnosis event.
+
+
## Driver installation events
### Microsoft.Windows.DriverInstall.DeviceInstall
@@ -2736,6 +2906,7 @@ The following fields are available:
- **CoInstallers** The list of coinstallers.
- **ConfigFlags** The device configuration flags.
- **DeviceConfigured** Indicates whether this device was configured through the kernel configuration.
+- **DeviceInstalled** Indicates whether the legacy install code path was used.
- **DeviceInstanceId** The unique identifier of the device in the system.
- **DeviceStack** The device stack of the driver being installed.
- **DriverDate** The date of the driver.
@@ -2760,6 +2931,7 @@ The following fields are available:
- **Inbox** Indicates whether the driver package is included with Windows.
- **InstallDate** The date the driver was installed.
- **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description.
+- **LastInstallFunction** The last install function invoked in a co-installer if the install timeout was reached while a co-installer was executing.
- **LegacyInstallReasonError** The error code for the legacy installation.
- **LowerFilters** The list of lower filter drivers.
- **MatchingDeviceId** The hardware ID or compatible ID that Windows used to install the device instance.
@@ -2769,8 +2941,10 @@ The following fields are available:
- **PendedUntilReboot** Indicates whether the installation is pending until the device is rebooted.
- **Problem** Error code returned by the device after installation.
- **ProblemStatus** The status of the device after the driver installation.
+- **RebootRequiredReason** DWORD (Double Word—32-bit unsigned integer) containing the reason why the device required a reboot during install.
- **SecondaryDevice** Indicates whether the device is a secondary device.
- **ServiceName** The service name of the driver.
+- **SessionGuid** GUID (Globally Unique IDentifier) for the update session.
- **SetupMode** Indicates whether the driver installation took place before the Out Of Box Experience (OOBE) was completed.
- **StartTime** The time when the installation started.
- **SubmissionId** The driver submission identifier assigned by the Windows Hardware Development Center.
@@ -2789,6 +2963,7 @@ The following fields are available:
- **FlightId** The ID of the Windows Insider build the device received.
- **InstallDate** The date the driver was installed.
- **InstallFlags** The driver installation flags.
+- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.)
- **RebootRequired** Indicates whether a reboot is required after the installation.
- **RollbackPossible** Indicates whether this driver can be rolled back.
- **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update.
@@ -2832,10 +3007,12 @@ The following fields are available:
- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **Display1UMDFilePath** File path to the location of the Display User Mode Driver in the Driver Store.
- **DisplayAdapterLuid** The display adapter LUID.
- **DriverDate** The date of the display driver.
- **DriverRank** The rank of the display driver.
- **DriverVersion** The display driver version.
+- **DriverWorkarounds** Numeric value indicating the driver workarounds enabled for this device.
- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store.
- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store.
@@ -2846,6 +3023,7 @@ The following fields are available:
- **GPUVendorID** The GPU vendor ID.
- **InterfaceId** The GPU interface ID.
- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **IsHwSchEnabled** Boolean value indicating whether hardware scheduling is enabled.
- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling.
- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
@@ -2977,6 +3155,24 @@ The following fields are available:
- **TargetAsId** The sequence number for the hanging process.
+## Feature update events
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
+
+This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state.
+
+The following fields are available:
+
+- **failureReason** Provides data about the uninstall initialization operation failure.
+- **hr** Provides the Win32 error code for the operation failure.
+
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered
+
+This event indicates that the uninstall was properly configured and that a system reboot was initiated.
+
+
+
## Hang Reporting events
### Microsoft.Windows.HangReporting.AppHangEvent
@@ -3005,6 +3201,94 @@ The following fields are available:
- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+## Holographic events
+
+### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceAdded
+
+This event indicates Windows Mixed Reality device state. This event is also used to count WMR device.
+
+The following fields are available:
+
+- **ClassGuid** Windows Mixed Reality device class GUID.
+- **DeviceInterfaceId** Windows Mixed Reality device interface ID.
+- **DeviceName** Windows Mixed Reality device name.
+- **DriverVersion** Windows Mixed Reality device driver version.
+- **FirmwareVersion** Windows Mixed Reality firmware version.
+- **Manufacturer** Windows Mixed Reality device manufacturer.
+- **ModelName** Windows Mixed Reality device model name.
+- **SerialNumber** Windows Mixed Reality device serial number.
+
+### Microsoft.Windows.Holographic.Coordinator.HoloShellStateUpdated
+
+This event indicates Windows Mixed Reality HoloShell State. This event is also used to count WMR device.
+
+The following fields are available:
+
+- **HmdState** Windows Mixed Reality Headset HMD state.
+- **NewHoloShellState** Windows Mixed Reality HoloShell state.
+- **PriorHoloShellState** Windows Mixed Reality state prior to entering to HoloShell.
+- **SimulationEnabled** Windows Mixed Reality Simulation state.
+
+
+### Microsoft.Windows.Shell.HolographicFirstRun.AppActivated
+
+This event indicates Windows Mixed Reality Portal app activation state. This event also used to count WMR device.
+
+The following fields are available:
+
+- **IsDemoMode** Windows Mixed Reality Portal app state of demo mode.
+- **IsDeviceSetupComplete** Windows Mixed Reality Portal app state of device setup completion.
+- **PackageVersion** Windows Mixed Reality Portal app package version.
+- **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state.
+- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. See [wilActivity](#wilactivity).
+
+
+### Microsoft.Windows.Shell.HolographicFirstRun.AppLifecycleService_Resuming
+
+This event indicates Windows Mixed Reality Portal app resuming. This event is also used to count WMR device.
+
+
+
+### TraceLoggingOasisUsbHostApiProvider.DeviceInformation
+
+This event provides Windows Mixed Reality device information. This event is also used to count WMR device and device type.
+
+The following fields are available:
+
+- **BootloaderMajorVer** Windows Mixed Reality device boot loader major version.
+- **BootloaderMinorVer** Windows Mixed Reality device boot loader minor version.
+- **BootloaderRevisionNumber** Windows Mixed Reality device boot loader revision number.
+- **BTHFWMajorVer** Windows Mixed Reality device BTHFW major version. This event also used to count WMR device.
+- **BTHFWMinorVer** Windows Mixed Reality device BTHFW minor version. This event also used to count WMR device.
+- **BTHFWRevisionNumber** Windows Mixed Reality device BTHFW revision number.
+- **CalibrationBlobSize** Windows Mixed Reality device calibration blob size.
+- **CalibrationFwMajorVer** Windows Mixed Reality device calibration firmware major version.
+- **CalibrationFwMinorVer** Windows Mixed Reality device calibration firmware minor version.
+- **CalibrationFwRevNum** Windows Mixed Reality device calibration firmware revision number.
+- **DeviceInfoFlags** Windows Mixed Reality device info flags.
+- **DeviceName** Windows Mixed Reality device Name. This event is also used to count WMR device.
+- **DeviceReleaseNumber** Windows Mixed Reality device release number.
+- **FirmwareMajorVer** Windows Mixed Reality device firmware major version.
+- **FirmwareMinorVer** Windows Mixed Reality device firmware minor version.
+- **FirmwareRevisionNumber** Windows Mixed Reality device calibration firmware revision number.
+- **FpgaFwMajorVer** Windows Mixed Reality device FPGA firmware major version.
+- **FpgaFwMinorVer** Windows Mixed Reality device FPGA firmware minor version.
+- **FpgaFwRevisionNumber** Windows Mixed Reality device FPGA firmware revision number.
+- **FriendlyName** Windows Mixed Reality device friendly name.
+- **HashedSerialNumber** Windows Mixed Reality device hashed serial number.
+- **HeaderSize** Windows Mixed Reality device header size.
+- **HeaderVersion** Windows Mixed Reality device header version.
+- **LicenseKey** Windows Mixed Reality device header license key.
+- **Make** Windows Mixed Reality device make.
+- **ManufacturingDate** Windows Mixed Reality device manufacturing date.
+- **Model** Windows Mixed Reality device model.
+- **PresenceSensorHidVendorPage** Windows Mixed Reality device presence sensor HID vendor page.
+- **PresenceSensorHidVendorUsage** Windows Mixed Reality device presence sensor HID vendor usage.
+- **PresenceSensorUsbVid** Windows Mixed Reality device presence sensor USB VId.
+- **ProductBoardRevision** Windows Mixed Reality device product board revision number.
+- **SerialNumber** Windows Mixed Reality device serial number.
+
+
## Inventory events
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
@@ -3043,6 +3327,7 @@ The following fields are available:
- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache
- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache
- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache
+- **InventoryVersion** The version of the inventory file generating the events.
- **Metadata** A count of metadata objects in cache.
- **Orphan** A count of orphan file objects in cache.
- **Programs** A count of program objects in cache.
@@ -3326,7 +3611,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
-This event represents the basic metadata about a plug and play (PNP) device and its associated driver.
+This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3510,12 +3795,18 @@ The following fields are available:
This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin.
+The following fields are available:
+
+- **key** The globally unique identifier (GUID) used to identify the specific Json Trace logging session.
### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace
This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end.
+The following fields are available:
+
+- **key** The globally unique identifier (GUID) used to identify the specific Json Trace logging session.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
@@ -3538,6 +3829,7 @@ The following fields are available:
- **FullPath** The full path to the Microsoft Office add-in.
- **InventoryVersion** The version of the inventory binary generating the events.
- **LoadBehavior** Integer that describes the load behavior.
+- **LoadTime** Load time for the Office add-in.
- **OfficeApplication** The Microsoft Office application associated with the add-in.
- **OfficeArchitecture** The architecture of the add-in.
- **OfficeVersion** The Microsoft Office version for this add-in.
@@ -3547,6 +3839,7 @@ The following fields are available:
- **ProductVersion** The version associated with the Office add-in.
- **ProgramId** The unique program identifier of the Microsoft Office add-in.
- **Provider** Name of the provider for this add-in.
+- **Usage** Data about usage for the add-in.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
@@ -3708,10 +4001,10 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **BrowserFlags** Browser flags for Office-related products
-- **ExchangeProviderFlags** Provider policies for Office Exchange
+- **BrowserFlags** Browser flags for Office-related products.
+- **ExchangeProviderFlags** Provider policies for Office Exchange.
- **InventoryVersion** The version of the inventory binary generating the events.
-- **SharedComputerLicensing** Office shared computer licensing policies
+- **SharedComputerLicensing** Office shared computer licensing policies.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
@@ -3932,11 +4225,11 @@ The following fields are available:
- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful.
- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb.
- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb.
+- **MeasuredLaunchCapable** Indicates the system is capable of booting with Dynamic Root of Trust for Measurement (DRTM) support.
- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement).
- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation.
- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
- **RecoveryEnabled** Indicates whether recovery is enabled.
-- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot.
- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow.
- **UserInputTime** The amount of time the loader application spent waiting for user input.
@@ -3994,6 +4287,204 @@ The following fields are available:
- **ServiceName** The driver or service name that is attached to the device.
+### Microsoft.Windows.Kernel.Power.PreviousShutdownWasThermalShutdown
+
+This event sends Product and Service Performance data on which area of the device exceeded safe temperature limits and caused the device to shutdown. This information is used to ensure devices are behaving as they are expected to.
+
+The following fields are available:
+
+- **temperature** Contains the actual temperature measurement, in tenths of degrees Kelvin, for the area that exceeded the limit.
+- **thermalZone** Contains an identifier that specifies which area it was that exceeded temperature limits.
+
+
+## Microsoft Edge events
+
+### Aria.160f0649efde47b7832f05ed000fc453.Microsoft.WebBrowser.SystemInfo.Config
+
+This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version** The internal Microsoft Edge build version string.
+- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Aria.29e24d069f27450385c7acaa2f07e277.Microsoft.WebBrowser.SystemInfo.Config
+
+This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version** The internal Microsoft Edge build version string.
+- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config
+
+This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version** The internal Microsoft Edge build version string.
+- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Aria.754de735ccd546b28d0bfca8ac52c3de.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version** The internal Microsoft Edge build version string.
+- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
+
+This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date.
+
+The following fields are available:
+
+- **appAp** Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''.
+- **appAppId** The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update.
+- **appBrandCode** The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
+- **appChannel** An integer indicating the channel of the installation (e.g. Canary or Dev).
+- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
+- **appCohort** A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
+- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. Default: '-2' (Unknown).
+- **appExperiments** A semicolon-delimited key/value list of experiment identifiers and treatment groups. This field is unused and always empty in Edge Update. Default: ''.
+- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
+- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
+- **appNextVersion** The version of the app that the update attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
+- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
+- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
+- **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventDownloadMetricsError** The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'.
+- **appPingEventDownloadMetricsServerIpHint** For events representing a download, the CDN Host IP address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadMetricsTotalBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventEventResult** An enumeration indicating the result of the event. Common values are '0' (Error) and '1' (Success). Default: '0' (Error).
+- **appPingEventEventType** An enumeration indicating the type of the event and the event stage. Default: '0' (Unknown).
+- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
+- **appPingEventSequenceId** An ID that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
+- **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a tag.
+- **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not.
+- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' MUST match '1.2.3.4' but MUST NOT match '1.2.34'). Default: ''.
+- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request is sent over SSL or another secure protocol. This field is unused by Edge Update and always empty. Default: ''.
+- **appVersion** The version of the product install. Default: '0.0.0.0'.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **eventType** A string representation of appPingEventEventType indicating the type of the event.
+- **hwHasAvx** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
+- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
+- **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
+- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system name should be transmitted in lowercase with minimal formatting. Default: ''.
+- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''.
+- **osVersion** The primary version of the operating system. '' if unknown. Default: ''.
+- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'.
+- **requestDlpref** A comma-separated list of values specifying the preferred download URL behavior. The first value is the highest priority, further values reflect secondary, tertiary, et cetera priorities. Legal values are '' (in which case the entire list must be empty, indicating unknown or no-preference) or 'cacheable' (the server should prioritize sending URLs that are easily cacheable). Default: ''.
+- **requestDomainJoined** '1' if the device is part of a managed enterprise domain. Otherwise '0'.
+- **requestInstallSource** A string specifying the cause of the update flow. For example: 'ondemand', or 'scheduledtask'. Default: ''.
+- **requestIsMachine** '1' if the client is known to be installed with system-level or administrator privileges. '0' otherwise. Default: '0'.
+- **requestOmahaShellVersion** The version of the Omaha installation folder. Default: ''.
+- **requestOmahaVersion** The version of the Omaha updater itself (the entity sending this request). Default: '0.0.0.0'.
+- **requestProtocolVersion** The version of the Omaha protocol. Compatible clients MUST provide a value of '3.0'. Compatible clients MUST always transmit this attribute. Default: undefined.
+- **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Default: ''.
+- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
+- **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique sessionid. Default: ''.
+- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''.
+- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt should have (with high probability) a unique request id. Default: ''.
+
+
+### Aria.f4a7d46e472049dfba756e11bdbbc08f.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version** The internal Microsoft Edge build version string.
+- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
+- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode.
+- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
+- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
## Migration events
### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
@@ -4105,6 +4596,23 @@ The following fields are available:
- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol.
+## OneDrive events
+
+### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
+
+This event is related to the OS version when the OS is upgraded with OneDrive installed.
+
+The following fields are available:
+
+- **CurrentOneDriveVersion** The current version of OneDrive.
+- **CurrentOSBuildBranch** The current branch of the operating system.
+- **CurrentOSBuildNumber** The current build number of the operating system.
+- **CurrentOSVersion** The current version of the operating system.
+- **HResult** The HResult of the operation.
+- **SourceOSBuildBranch** The source branch of the operating system.
+- **SourceOSBuildNumber** The source build number of the operating system.
+- **SourceOSVersion** The source version of the operating system.
+
## Privacy consent logging events
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@@ -4325,15 +4833,6 @@ The following fields are available:
- **timestamp** Timestamp of this push-button reset event.
-### Microsoft.Windows.PBR.PBRClearRollBackEntry
-
-This event is sent when the push-button reset operation clears the rollback entry. Push-button reset cannot rollback after this point.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
### Microsoft.Windows.PBR.PBRClearTPMFailed
This event is sent when there was a failure while clearing the Trusted Platform Module (TPM).
@@ -4357,27 +4856,6 @@ The following fields are available:
- **SPPhase** The last phase of the Setup Platform operation.
-### Microsoft.Windows.PBR.PBRCreateNewSystemReconstructionSucceed
-
-This event is sent when the push-button reset operation succeeds in constructing a new copy of the operating system.
-
-The following fields are available:
-
-- **CBSPackageCount** The Component Based Servicing package count.
-- **CustomizationPackageCount** The Customization package count.
-- **PBRType** The type of push-button reset.
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRDriverInjectionFailed
-
-This event is sent when the driver injection fails.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
### Microsoft.Windows.PBR.PBRFailed
This event is sent when the push-button reset operation fails and rolls back to the previous state.
@@ -4389,28 +4867,6 @@ The following fields are available:
- **SessionID** The ID of this push-button reset session.
-### Microsoft.Windows.PBR.PBRFinalizeNewSystemFailed
-
-This event is sent when the push-button reset operation fails to finalize the new system.
-
-The following fields are available:
-
-- **HRESULT** The result error code.
-- **SessionID** The ID of this push-button reset session.
-- **SPErrorCode** The error code for the Setup Platform operation.
-- **SPOperation** The Setup Platform operation.
-- **SPPhase** The phase of the Setup Platform operation.
-
-
-### Microsoft.Windows.PBR.PBRFinalizeNewSystemSucceed
-
-This event is sent when the push-button reset operation succeeds in finalizing the new system.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
### Microsoft.Windows.PBR.PBRFinalUserSelection
This event is sent when the user makes the final selection in the user interface.
@@ -4425,62 +4881,6 @@ The following fields are available:
- **SessionID** The ID of this push-button reset session.
-### Microsoft.Windows.PBR.PBRFormatOSVolumeFailed
-
-This event is sent when the operation to format the operating system volume fails during push-button reset (PBR).
-
-The following fields are available:
-
-- **JustDeleteFiles** Indicates whether disk formatting was skipped.
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRFormatOSVolumeSucceed
-
-This event is sent when the operation to format the operating system volume succeeds during push-button reset (PBR).
-
-The following fields are available:
-
-- **JustDeleteFiles** Indicates whether disk formatting was skipped.
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRInstallWinREFailed
-
-This event sends basic data about the recovery operation failure on the device to allow investigation.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRIOCTLErasureSucceed
-
-This event is sent when the erasure operation succeeds during push-button reset (PBR).
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRLayoutImageFailed
-
-This event is sent when push-button reset fails to create a new image of Windows.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRLayoutImageSucceed
-
-This event is sent when push-button reset succeeds in creating a new image of Windows.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
### Microsoft.Windows.PBR.PBROEM1Failed
This event is sent when the first OEM extensibility operation is successfully completed.
@@ -4494,73 +4894,6 @@ The following fields are available:
- **SessionID** The ID of this push-button reset session.
-### Microsoft.Windows.PBR.PBROEM2Failed
-
-This event is sent when the second OEM extensibility operation is successfully completed.
-
-The following fields are available:
-
-- **HRESULT** The result error code from the OEM extensibility script.
-- **Parameters** The parameters that were passed to the OEM extensibility script.
-- **PBRType** The type of push-button reset.
-- **ScriptName** The path to the OEM extensibility script.
-- **SessionID** The ID of the push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRPostApplyFailed
-
-This event returns data indicating the failure of the reset/recovery process after the operating system files are restored.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRPostApplyFinished
-
-This event returns data indicating the completion of the reset/recovery process after the operating system files are restored.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRPostApplyStarted
-
-This event returns data indicating the start of the reset/recovery process after the operating system files are restored.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRPreApplyFailed
-
-This event returns data indicating the failure of the reset/recovery process before the operating system files are restored.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRPreApplyFinished
-
-This event returns data indicating the completion of the reset/recovery process before the operating system files are restored.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRPreApplyStarted
-
-This event returns data indicating the start of the reset/recovery process before the operating system files are restored.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
### Microsoft.Windows.PBR.PBRReachedOOBE
This event returns data when the PBR (Push Button Reset) process reaches the OOBE (Out of Box Experience).
@@ -4621,15 +4954,6 @@ The following fields are available:
- **SessionID** The ID of this push-button reset session.
-### Microsoft.Windows.PBR.PBRRestoreLicenseFailed
-
-This event sends basic data about recovery operation failure on the device. This data allows investigation to help keep Windows and PBR (Push Button Reset) up to date.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
### Microsoft.Windows.PBR.PBRSucceed
This event returns data when PBR (Push Button Reset) succeeds.
@@ -4641,37 +4965,6 @@ The following fields are available:
- **SessionID** The ID of this push-button reset session.
-### Microsoft.Windows.PBR.PBRUserCancelled
-
-This event returns data when the user cancels the PBR (Push Button Reset) from the UI (user interface).
-
-The following fields are available:
-
-- **CancelPage** The ID of the page where the user clicked Cancel.
-- **PBRVariation** The type of push-button reset.
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRVersionsMistmatch
-
-This event returns data when there is a version mismatch for WinRE (Windows Recovery) and the OS.
-
-The following fields are available:
-
-- **OSVersion** The OS version installed on the device.
-- **REVersion** The version of Windows Recovery Environment (WinRE).
-- **SessionID** The ID of this push-button reset session.
-
-
-### Microsoft.Windows.PBR.PBRWinREInstallationFailed
-
-This event returns data when the WinRE (Windows Recovery) installation fails.
-
-The following fields are available:
-
-- **SessionID** The ID of this push-button reset session.
-
-
### Microsoft.Windows.PBR.PhaseFinished
This event returns data when a phase of PBR (Push Button Reset) has completed.
@@ -4721,6 +5014,7 @@ The following fields are available:
- **scenario** The selected scenario for the push-button on reset operation.
- **sessionID** The ID of this push-button on reset session.
- **timestamp** The timestamp of this push-button on reset event.
+- **usePayload** Indicates whether Cloud PBR or Reconstruction was used.
- **wipeData** Indicates whether the option was selected to wipe additional drives during push-button reset.
@@ -5136,8 +5430,8 @@ The following fields are available:
- **DeploymentProviderMode** The mode of operation of the update deployment provider.
- **DeviceModel** Device model as defined in the system bios
- **EventInstanceID** A globally unique identifier for event instance
-- **EventScenario** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
-- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver".
+- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
+- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver".
- **FlightId** The specific id of the flight the device is getting
- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
- **RevisionNumber** Identifies the revision number of this specific piece of content
@@ -5157,7 +5451,7 @@ The following fields are available:
- **ActiveDownloadTime** Number of seconds the update was actively being downloaded.
- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download.
- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
-- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+- **AppXDownloadScope** Indicates the scope of the download for application content.
- **AppXScope** Indicates the scope of the app download.
- **BiosFamily** The family of the BIOS (Basic Input Output System).
- **BiosName** The name of the device BIOS.
@@ -5171,8 +5465,9 @@ The following fields are available:
- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download.
- **BundleRevisionNumber** Identifies the revision number of the content bundle.
- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle).
+- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable.
- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
-- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
+- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download.
- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology.
- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
@@ -5180,9 +5475,11 @@ The following fields are available:
- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior.
- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle.
- **CurrentMobileOperator** The mobile operator the device is currently connected to.
-- **DeviceModel** What is the device model.
+- **DeviceModel** The model of the device.
- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
- **DownloadProps** Information about the download operation properties in the form of a bitmask.
+- **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events.
+- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads.
- **EventInstanceID** A globally unique identifier for event instance.
- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
- **EventType** Possible values are Child, Bundle, or Driver.
@@ -5209,25 +5506,26 @@ The following fields are available:
- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background.
-- **RegulationReason** The reason that the update is regulated
- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
- **RepeatFailCount** Indicates whether this specific content has previously failed.
-- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
+- **RepeatFailFlag** Indicates whether this specific content previously failed to download.
- **RevisionNumber** The revision number of the specified piece of content.
- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc).
-- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade.
+- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped.
- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload.
- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
- **SystemBIOSMajorRelease** Major version of the BIOS.
- **SystemBIOSMinorRelease** Minor version of the BIOS.
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package.
- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
-- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
+- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded.
- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
- **UpdateId** An identifier associated with the specific piece of content.
+- **UpdateID** An identifier associated with the specific piece of content.
- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
- **UsedDO** Whether the download used the delivery optimization service.
- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
@@ -5242,7 +5540,7 @@ The following fields are available:
- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
- **ClientVersion** The version number of the software distribution client
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver"
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough
- **FileId** A hash that uniquely identifies a file
@@ -5275,7 +5573,7 @@ The following fields are available:
- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered"
- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
-- **PowerState** Indicates the power state of the device at the time of heartbeat (DC, AC, Battery Saver, or Connected Standby)
+- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one
- **ResumeCount** Number of times this active download has resumed from a suspended state
- **RevisionNumber** Identifies the revision number of this specific piece of content
@@ -5312,7 +5610,7 @@ The following fields are available:
- **DriverPingBack** Contains information about the previous driver and system state.
- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required.
- **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
- **EventType** Possible values are Child, Bundle, or Driver.
- **ExtendedErrorCode** The extended error code.
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough.
@@ -5415,7 +5713,6 @@ The following fields are available:
- **CmdLineArgs** Command line arguments passed in by the caller.
- **EventInstanceID** A globally unique identifier for the event instance.
- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
-- **Mode** Indicates the mode that has started.
- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
- **WUDeviceID** Unique device ID controlled by the software distribution client.
@@ -5437,7 +5734,7 @@ The following fields are available:
- **DriverPingBack** Contains information about the previous driver and system state.
- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required.
- **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose of the event (a scan started, succeeded, failed, etc.).
+- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.).
- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver".
- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough.
- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
@@ -5488,12 +5785,12 @@ Ensures Windows Updates are secure and complete. Event helps to identify whether
The following fields are available:
- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
-- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
-- **EventScenario** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
+- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
+- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed.
- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
-- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
@@ -5504,7 +5801,7 @@ The following fields are available:
- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
- **SHA256OfTimestampToken** An encoded string of the timestamp token.
- **SignatureAlgorithm** The hash algorithm for the metadata signature.
-- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
+- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
- **StatusCode** Result code of the event (success, cancellation, failure code HResult)
- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
@@ -5516,7 +5813,7 @@ The following fields are available:
### Microsoft.Windows.SysReset.FlightUninstallCancel
-This event indicates the customer has canceled uninstallation of Windows.
+This event indicates the customer has cancelled uninstallation of Windows.
@@ -5674,7 +5971,6 @@ The following fields are available:
- **LastAttemptVersion** The version of the most recent attempted firmware installation.
- **LowestSupportedFirmwareVersion** The oldest (lowest) version of firmware supported.
- **MaxRetryCount** The maximum number of retries, defined by the firmware class key.
-- **PartA_PrivTags** The privacy tags associated with the firmware.
- **RetryCount** The number of attempted installations (retries), reported by the driver software key.
- **Status** The status returned to the PnP (Plug-and-Play) manager.
- **UpdateAttempted** Indicates if installation of the current update has been attempted before.
@@ -5693,6 +5989,7 @@ The following fields are available:
- **ObjectId** The unique value for each Update Agent mode.
- **RebootRequired** Indicates reboot is required.
- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
+- **Result** The HResult of the event.
- **RevertResult** The result code returned for the Revert operation.
- **ScenarioId** The ID of the update scenario.
- **SessionId** The ID of the update attempt.
@@ -5721,7 +6018,9 @@ This event sends data for the download request phase of updating Windows via the
The following fields are available:
+- **ContainsSafeOSDUPackage** Boolean indicating whether Safe DU packages are part of the payload.
- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **DownloadComplete** Indicates if the download is complete.
- **DownloadRequests** Number of times a download was retried.
- **ErrorCode** The error code returned for the current download request phase.
- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
@@ -5771,22 +6070,6 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
-### Update360Telemetry.UpdateAgentFellBackToCanonical
-
-This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
-
-The following fields are available:
-
-- **FlightId** Unique ID for each flight.
-- **ObjectId** Unique value for each Update Agent mode.
-- **PackageCount** Number of packages that feel back to canonical.
-- **PackageList** PackageIds which fell back to canonical.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each update.
-
-
### Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
@@ -5944,12 +6227,15 @@ The following fields are available:
- **ErrorCode** The error code returned for the current reboot.
- **FlightId** Unique ID for the flight (test instance version).
+- **IsSuspendable** Indicates whether the update has the ability to be suspended and resumed at the time of reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is running, this field is TRUE, if not its FALSE.
- **ObjectId** The unique value for each Update Agent mode.
+- **Reason** Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the result is 0.
- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
- **Result** The HResult of the event.
- **ScenarioId** The ID of the update scenario.
- **SessionId** The ID of the update attempt.
- **UpdateId** The ID of the update.
+- **UpdateState** Indicates the state of the machine when Suspend is called. For example, Install, Download, Commit.
### Update360Telemetry.UpdateAgentSetupBoxLaunch
@@ -5973,11 +6259,29 @@ The following fields are available:
- **UserSession** Indicates whether install was invoked by user actions.
+## Update notification events
+
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
+
+This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat.
+
+The following fields are available:
+
+- **CampaignConfigVersion** Configuration version for the current campaign.
+- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP).
+- **ConfigCatalogVersion** Current catalog version of UNP.
+- **ContentVersion** Content version for the current campaign on UNP.
+- **CV** Correlation vector.
+- **DetectorVersion** Most recently run detector version for the current campaign on UNP.
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user.
+- **PackageVersion** Current UNP package version.
+
+
## Upgrade events
### FacilitatorTelemetry.DCATDownload
-This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure.
+This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up to date and secure.
The following fields are available:
@@ -5990,12 +6294,23 @@ The following fields are available:
- **UpdateId** The ID of the update that was downloaded.
+### FacilitatorTelemetry.DUDownload
+
+This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows.
+
+The following fields are available:
+
+- **PackageCategoriesFailed** Lists the categories of packages that failed to download.
+- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped.
+
+
### FacilitatorTelemetry.InitializeDU
This event determines whether devices received additional or critical supplemental content during an OS upgrade.
The following fields are available:
+- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to.
- **DownloadRequestAttributes** The attributes we send to DCAT.
- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes.
- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
@@ -6005,7 +6320,7 @@ The following fields are available:
### Setup360Telemetry.Downlevel
-This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
+This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up to date and secure.
The following fields are available:
@@ -6020,7 +6335,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors).
- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT).
- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
-- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
- **TestId** An ID that uniquely identifies a group of events.
- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
@@ -6042,7 +6357,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -6064,7 +6379,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
@@ -6086,7 +6401,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
- **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
@@ -6130,7 +6445,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
-- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
@@ -6152,7 +6467,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT).
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -6174,7 +6489,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** Windows Update client ID.
@@ -6202,7 +6517,7 @@ The following fields are available:
- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
- **InstanceId** Retrieves a unique identifier for each instance of a setup session.
-- **Operation** Facilitator's last known operation (scan, download, etc.).
+- **Operation** Facilitator’s last known operation (scan, download, etc.).
- **ReportId** ID for tying together events stream side.
- **ResultCode** Result returned for the entire setup operation.
- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
@@ -6286,10 +6601,10 @@ The following fields are available:
- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -6331,7 +6646,7 @@ The following fields are available:
### Microsoft.Windows.WERVertical.OSCrash
-This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
The following fields are available:
@@ -6381,27 +6696,16 @@ This event collects data about common platform hardware error recorded by the Wi
The following fields are available:
- **creatorId** The unique identifier for the entity that created the error record.
-- **CreatorId** The unique identifier for the entity that created the error record.
- **errorFlags** Any flags set on the error record.
-- **ErrorFlags** Any flags set on the error record.
- **notifyType** The unique identifier for the notification mechanism which reported the error to the operating system.
-- **NotifyType** The unique identifier for the notification mechanism which reported the error to the operating system.
- **partitionId** The unique identifier for the partition on which the hardware error occurred.
-- **PartitionId** The unique identifier for the partition on which the hardware error occurred.
- **platformId** The unique identifier for the platform on which the hardware error occurred.
-- **PlatformId** The unique identifier for the platform on which the hardware error occurred.
- **record** A collection of binary data containing the full error record.
-- **Record** A collection of binary data containing the full error record.
- **recordId** The identifier of the error record.
-- **RecordId** The identifier of the error record.
- **sectionFlags** The flags for each section recorded in the error record.
-- **SectionFlags** The flags for each section recorded in the error record.
-- **SectionSeverity** The severity of each individual section.
- **sectionTypes** The unique identifier that represents the type of sections contained in the error record.
-- **SectionTypes** The unique identifier that represents the type of sections contained in the error record.
- **severityCount** The severity of each individual section.
- **timeStamp** The error time stamp as recorded in the error record.
-- **TimeStamp** The error time stamp as recorded in the error record.
## Windows Security Center events
@@ -6516,6 +6820,7 @@ The following fields are available:
- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
- **AttemptNumber** The total number of attempts to acquire this product.
+- **BundleId** The identity of the test build (flight) associated with this product.
- **CategoryId** The identity of the package or packages being installed.
- **ClientAppId** The identity of the app that initiated this operation.
- **HResult** HResult code to show the result of the operation (success/failure).
@@ -6525,6 +6830,7 @@ The following fields are available:
- **IsRemediation** Is this repairing a previous installation?
- **IsRestore** Is this happening after a device restore?
- **IsUpdate** Is this an update?
+- **ParentBundleId** The product identifier of the parent if this product is part of a bundle.
- **PFN** Product Family Name of the product being installed.
- **ProductId** The Store Product ID for the product being installed.
- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
@@ -6794,12 +7100,12 @@ The following fields are available:
- **CatalogId** The Store Catalog ID for the product being installed.
- **ProductId** The Store Product ID for the product being installed.
-- **SkuId** Specific edition of the app being updated.
+- **SkuId** Specfic edition of the app being updated.
### Microsoft.Windows.StoreAgent.Telemetry.StateTransition
-Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, canceled, or complete), to help keep Windows up to date and secure.
+Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure.
The following fields are available:
@@ -6823,6 +7129,45 @@ The following fields are available:
- **PFamN** The name of the app that is requested for update.
+## Windows Update CSP events
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureFailed
+
+This event sends basic telemetry on the failure of the Feature Rollback.
+
+The following fields are available:
+
+- **current** Result of currency check.
+- **dismOperationSucceeded** Dism uninstall operation status.
+- **hResult** Failure error code.
+- **oSVersion** Build number of the device.
+- **paused** Indicates whether the device is paused.
+- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
+- **sacDevice** This is the device info.
+- **wUfBConnected** Result of WUfB connection check.
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
+
+This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a device.
+
+The following fields are available:
+
+- **current** Result of currency check.
+- **dismOperationSucceeded** Dism uninstall operation status.
+- **oSVersion** Build number of the device.
+- **paused** Indicates whether the device is paused.
+- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
+- **sacDevice** Represents the device info.
+- **wUfBConnected** Result of WUfB connection check.
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
+
+This event sends basic information indicating that Feature Rollback has started.
+
+
+
## Windows Update Delivery Optimization events
### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
@@ -6880,6 +7225,7 @@ The following fields are available:
- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
- **cdnIp** The IP address of the source CDN.
- **cdnUrl** Url of the source Content Distribution Network (CDN).
+- **congestionPrevention** Indicates a download may have been suspended to prevent network congestion.
- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
- **doErrorCode** The Delivery Optimization error code that was returned.
- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
@@ -6896,6 +7242,7 @@ The following fields are available:
- **groupConnectionCount** The total number of connections made to peers in the same group.
- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download.
+- **isThrottled** Indicates the Event Rate was throttled (event represent aggregated data).
- **isVpn** Is the device connected to a Virtual Private Network?
- **jobID** Identifier for the Windows Update job.
- **lanConnectionCount** The total number of connections made to peers in the same LAN.
@@ -6958,6 +7305,7 @@ The following fields are available:
- **fileSizeCaller** Value for total file size provided by our caller.
- **groupID** ID for the group.
- **isEncrypted** Indicates whether the download is encrypted.
+- **isThrottled** Indicates the Event Rate was throttled (event represent aggregated data).
- **isVpn** Indicates whether the device is connected to a Virtual Private Network.
- **jobID** The ID of the Windows Update job.
- **peerID** The ID for this delivery optimization client.
@@ -7007,6 +7355,122 @@ The following fields are available:
## Windows Update events
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
+
+This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **activated** Whether the entire device manifest update is considered activated and in use.
+- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis.
+- **flightId** Unique ID for each flight.
+- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system.
+- **missingUpdateCount** The number of updates in the device manifest that are missing from the system.
+- **objectId** Unique value for each diagnostics session.
+- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **scenarioId** Indicates the update scenario.
+- **sessionId** Unique value for each update session.
+- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match.
+- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string.
+- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string.
+- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string.
+- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices.
+- **updateId** The unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
+
+This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **objectId** The unique GUID for each diagnostics session.
+- **relatedCV** A correlation vector value generated from the latest USO scan.
+- **result** Outcome of the initialization of the session.
+- **scenarioId** Identifies the Update scenario.
+- **sessionId** The unique value for each update session.
+- **updateId** The unique identifier for each Update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
+
+This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **objectId** Unique value for each Update Agent mode.
+- **packageCountOptional** Number of optional packages requested.
+- **packageCountRequired** Number of required packages requested.
+- **packageCountTotal** Total number of packages needed.
+- **packageCountTotalCanonical** Total number of canonical packages.
+- **packageCountTotalDiff** Total number of diff packages.
+- **packageCountTotalExpress** Total number of express packages.
+- **packageSizeCanonical** Size of canonical packages in bytes.
+- **packageSizeDiff** Size of diff packages in bytes.
+- **packageSizeExpress** Size of express packages in bytes.
+- **rangeRequestState** Represents the state of the download range request.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the download request phase of update.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
+
+This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **flightMetadata** Contains the FlightId and the build being flighted.
+- **objectId** Unique value for each Update Agent mode.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
+
+This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current install phase.
+- **flightId** The unique identifier for each flight.
+- **objectId** The unique identifier for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Outcome of the install phase of the update.
+- **scenarioId** The unique identifier for the update scenario.
+- **sessionId** Unique value for each update session.
+- **updateId** The unique identifier for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **flightId** The unique identifier for each flight.
+- **mode** The mode that is starting.
+- **objectId** The unique value for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique identifier for each update.
+
+
### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
This event indicates that a notification dialog box is about to be displayed to user.
@@ -7101,22 +7565,6 @@ The following fields are available:
- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC).
-### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast
-
-This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed.
-
-The following fields are available:
-
-- **DeviceLocalTime** The local time on the device sending the event.
-- **ETag** OneSettings versioning value.
-- **ExitCode** Indicates how users exited the pop-up banner.
-- **RebootVersion** The version of the reboot logic.
-- **UpdateId** The ID of the update that is pending restart to finish installation.
-- **UpdateRevision** The revision of the update that is pending restart to finish installation.
-- **UserResponseString** The option that the user chose in pop-up banner.
-- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time.
-
-
### Microsoft.Windows.Update.NotificationUx.RebootScheduled
Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update.
@@ -7148,6 +7596,30 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours
+
+This event indicates that update activity was blocked because it is within the active hours window.
+
+The following fields are available:
+
+- **activeHoursEnd** The end of the active hours window.
+- **activeHoursStart** The start of the active hours window.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel
+
+This event indicates that Windows Update activity was blocked due to low battery level.
+
+The following fields are available:
+
+- **batteryLevel** The current battery charge capacity.
+- **batteryLevelThreshold** The battery capacity threshold to stop update activity.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** Device ID.
+
+
### Microsoft.Windows.Update.Orchestrator.DeferRestart
This event indicates that a restart required for installing updates was postponed.
@@ -7178,7 +7650,7 @@ The following fields are available:
- **detectionBlockreason** The reason detection did not complete.
- **detectionRetryMode** Indicates whether we will try to scan again.
- **errorCode** The error code returned for the current process.
-- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed.
+- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
- **flightID** The specific ID of the Windows Insider build the device is getting.
- **interactive** Indicates whether the session was user initiated.
- **networkStatus** Error info
@@ -7216,7 +7688,7 @@ This event indicates the reboot was postponed due to needing a display.
The following fields are available:
- **displayNeededReason** Reason the display is needed.
-- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
- **revisionNumber** Revision number of the update.
- **updateId** Update ID.
@@ -7311,7 +7783,7 @@ The following fields are available:
- **batteryLevel** Current battery capacity in mWh or percentage left.
- **deferReason** Reason for install not completing.
-- **errorCode** The error code represented by a hexadecimal value.
+- **errorCode** The error code reppresented by a hexadecimal value.
- **eventScenario** End-to-end update session ID.
- **flightID** The ID of the Windows Insider build the device is getting.
- **flightUpdate** Indicates whether the update is a Windows Insider build.
@@ -7424,6 +7896,32 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.SeekerUpdateAvailable
+
+This event defines when an optional update is available for the device to help keep Windows up to date.
+
+The following fields are available:
+
+- **flightID** The unique identifier of the Windows Insider build on this device.
+- **isFeatureUpdate** Indicates whether the update is a Feature Update.
+- **revisionNumber** The revision number of the update.
+- **updateId** The GUID (Globally Unique Identifier) of the update.
+- **wuDeviceid** The Windows Update device identifier.
+
+
+### Microsoft.Windows.Update.Orchestrator.SeekUpdate
+
+This event occurs when user initiates "seeker" scan. This helps keep Windows up to date.
+
+The following fields are available:
+
+- **flightID** The ID of the Windows Insider builds on the device.
+- **isFeatureUpdate** Indicates that the target of the Seek is a feature update.
+- **revisionNumber** The revision number of the update.
+- **updateId** The identifier of the update.
+- **wuDeviceid** The Windows Update device identifier.
+
+
### Microsoft.Windows.Update.Orchestrator.StickUpdate
This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update.
@@ -7450,6 +7948,18 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours
+
+This event indicates that update activity was stopped due to active hours starting.
+
+The following fields are available:
+
+- **activeHoursEnd** The end of the active hours window.
+- **activeHoursStart** The start of the active hours window.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** The device identifier.
+
+
### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorInvalidSignature
This event is sent when an updater has attempted to register a binary that is not signed by Microsoft.
@@ -7461,6 +7971,17 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorScheduleWorkInvalidCmd
+
+Event to indicate a critical error with the callback binary requested by the updater
+
+The following fields are available:
+
+- **updaterCmdLine** The callback executable for the updater.
+- **updaterId** The ID of the updater.
+- **wuDeviceid** The Windows Update device identifier.
+
+
### Microsoft.Windows.Update.Orchestrator.UnstickUpdate
This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update.
@@ -7471,6 +7992,16 @@ The following fields are available:
- **wuDeviceid** Unique device ID controlled by the software distribution client.
+### Microsoft.Windows.Update.Orchestrator.UpdateNotApplicableForReserves
+
+This event reports a critical error when using update reserves for OS updates to help keep Windows up to date.
+
+The following fields are available:
+
+- **updateId** The GUID (Globally Unique Identifier) of the update.
+- **wuDeviceid** The Windows Update device identifier.
+
+
### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
@@ -7646,32 +8177,6 @@ The following fields are available:
## Windows Update mitigation events
-### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General
-
-This event provides information about application properties to indicate the successful execution.
-
-The following fields are available:
-
-- **AppMode** Indicates the mode the app is being currently run around privileges.
-- **ExitCode** Indicates the exit code of the app.
-- **Help** Indicates if the app needs to be launched in the help mode.
-- **ParseError** Indicates if there was a parse error during the execution.
-- **RightsAcquired** Indicates if the right privileges were acquired for successful execution.
-- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution.
-- **TestMode** Indicates whether the app is being run in test mode.
-
-
-### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount
-
-This event provides information about the properties of user accounts in the Administrator group.
-
-The following fields are available:
-
-- **Internal** Indicates the internal property associated with the count group.
-- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account.
-- **Result** The HResult error.
-
-
### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
@@ -7696,6 +8201,28 @@ The following fields are available:
- **WuId** Unique ID for the Windows Update client.
+### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints
+
+This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates.
+
+The following fields are available:
+
+- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightId** Unique identifier for each flight.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ReparsePointsFailed** Number of reparse points that are corrupted but we failed to fix them.
+- **ReparsePointsFixed** Number of reparse points that were corrupted and were fixed by this mitigation.
+- **ReparsePointsSkipped** Number of reparse points that are not corrupted and no action is required.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each Update.
+- **WuId** Unique ID for the Windows Update client.
+
+
### Mitigation360Telemetry.MitigationCustom.FixupEditionId
This event sends data specific to the FixupEditionId mitigation used for OS updates.
@@ -7748,12 +8275,6 @@ The following fields are available:
- **ReserveId** The ID of the reserve that needs to be cleared.
-### Microsoft.Windows.UpdateReserveManager.ClearSoftReserve
-
-This event is sent when the Update Reserve Manager clears the contents of the soft reserve.
-
-
-
### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment
This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending.
@@ -7802,6 +8323,7 @@ The following fields are available:
- **FallbackInitUsed** Indicates whether fallback initialization is used.
- **FinalUserFreeSpace** The amount of user free space after initialization.
- **Flags** The flags used in the initialization of Update Reserve Manager.
+- **FreeSpaceToLeaveInUpdateScratch** The amount of space that should be left free after using the reserves.
- **HardReserveFinalSize** The final size of the hard reserve.
- **HardReserveFinalUsedSpace** The used space in the hard reserve.
- **HardReserveInitialSize** The size of the hard reserve after initialization.
@@ -7842,6 +8364,7 @@ This event is sent when the Update Reserve Manager prepares the Trusted Installe
The following fields are available:
+- **FallbackLogicUsed** Indicates whether fallback logic was used for initialization.
- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization.
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 260868ca64..52f53de9e4 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -20,9 +20,9 @@ ms.date: 04/29/2019
**Applies to**
-- Windows 10 Enterprise
-- Windows 10 Mobile
-- Windows Server
+- Windows 10 Enterprise
+- Windows 10 Mobile
+- Windows Server
This article applies to Windows and Windows Server diagnostic data only. It describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
@@ -54,6 +54,7 @@ Windows as a Service is a fundamental change in how Microsoft plans, builds, and
The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
### What is Windows diagnostic data?
+
Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
- Keep Windows up to date
@@ -71,9 +72,10 @@ Here are some specific examples of Windows diagnostic data:
Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request.
-There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
+There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash).
+On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
-If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services/).
The following are specific examples of functional data:
@@ -90,6 +92,7 @@ Windows and Windows Server diagnostic data gives every user a voice in the opera
Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
#### Real-world example of how Windows diagnostic data helps
+
There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
### Improve end-user productivity
@@ -104,20 +107,19 @@ Windows diagnostic data also helps Microsoft better understand how customers use
### Insights into your own organization
-Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better. Microsoft provides a set of solutions that leverage information shared by customers to provide insights customized for your internal use. The first of these was [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), followed by [Desktop Analytics](https://aka.ms/DADocs) (coming soon). Both help organizations with [Windows as a Service](/windows/deployment/update/wass-overview) adoption and potential compatibility challenges. For E5 customers, [Microsoft Defender Advanced Threat Protection](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
-
+Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better. Microsoft provides a set of solutions that leverage information shared by customers to provide insights customized for your internal use. The first of these was [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), followed by [Desktop Analytics](https://aka.ms/DADocs). Both help organizations with [Windows as a Service](/windows/deployment/update/wass-overview) adoption and potential compatibility challenges. For E5 customers, [Microsoft Defender Advanced Threat Protection](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
## How Microsoft handles diagnostic data
The diagnostic data is categorized into four levels:
-- [**Security**](#security-level). Information that’s required to help keep Windows and Windows Server secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
+- [**Security**](#security-level). Information that’s required to help keep Windows and Windows Server secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
-- [**Basic**](#basic-level). Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
+- [**Basic**](#basic-level). Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
-- [**Enhanced**](#enhanced-level). Additional insights, including: how Windows, Windows Server, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
+- [**Enhanced**](#enhanced-level). Additional insights, including: how Windows, Windows Server, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
-- [**Full**](#full-level). Includes information about the websites you browse, how you use apps and features, plus additional information about device health, device activity (sometimes referred to as usage), and enhanced error reporting. At Full, Microsoft also collects the memory state of your device when a system or app crash occurs. It includes data from the **Security**, **Basic**, and **Enhanced** levels.
+- [**Full**](#full-level). Includes information about the websites you browse, how you use apps and features, plus additional information about device health, device activity (sometimes referred to as usage), and enhanced error reporting. At Full, Microsoft also collects the memory state of your device when a system or app crash occurs. It includes data from the **Security**, **Basic**, and **Enhanced** levels.
Diagnostic data levels are cumulative, meaning each subsequent level includes data collected through lower levels. For more information see the [Diagnostic data levels](#diagnostic-data-levels) section.
@@ -126,9 +128,9 @@ Diagnostic data levels are cumulative, meaning each subsequent level includes da
Windows 10 and Windows Server includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
-2. Events are gathered using public operating system event logging and tracing APIs.
-3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
-4. The Connected User Experiences and Telemetry component transmits the diagnostic data.
+1. Events are gathered using public operating system event logging and tracing APIs.
+1. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
+1. The Connected User Experiences and Telemetry component transmits the diagnostic data.
Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
@@ -136,7 +138,7 @@ Info collected at the Enhanced and Full levels of diagnostic data is typically g
All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
-The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day).
+The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day.
### Endpoints
@@ -149,24 +151,23 @@ For a complete list of diagnostics endpoints leveraged by Microsoft Defender Adv
The following table defines the endpoints for Connected User Experiences and Telemetry component:
-| Windows release | Endpoint |
-| ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
-| Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed | **Diagnostics data:** v10c.vortex-win.data.microsoft.com**Functional:** v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,for example: **de**.vortex-win.data.microsoft.com**Settings:** settings-win.data.microsoft.com |
-| Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data:** v10.events.data.microsoft.com**Functional:** v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,for example: **de**.vortex-win.data.microsoft.com**Settings:** settings-win.data.microsoft.com |
-| Windows 10, version 1709 or earlier | **Diagnostics data:** v10.vortex-win.data.microsoft.com**Functional:** v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,for example: **de**.vortex-win.data.microsoft.com**Settings:** settings-win.data.microsoft.com |
+| Windows release | Endpoint |
+| - | - |
+| Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed | **Diagnostics data:** v10c.vortex-win.data.microsoft.com**Functional:** v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,for example: **de**.vortex-win.data.microsoft.com**Settings:** settings-win.data.microsoft.com |
+| Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data:** v10.events.data.microsoft.com**Functional:** v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,for example: **de**.vortex-win.data.microsoft.com**Settings:** settings-win.data.microsoft.com |
+| Windows 10, version 1709 or earlier | **Diagnostics data:** v10.vortex-win.data.microsoft.com**Functional:** v20.vortex-win.data.microsoft.com**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country,for example: **de**.vortex-win.data.microsoft.com**Settings:** settings-win.data.microsoft.com |
The following table defines **additional diagnostics endpoints** not covered by services in the links above:
-| Service | Endpoint |
-| ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
-| Onedrive app for Windows 10 | https://vortex.data.microsoft.com/collect/v1 |
-
+| Service | Endpoint |
+| - | - |
+| OneDrive app for Windows 10 | |
The following table defines the endpoints for other diagnostic data services:
| Service | Endpoint |
| - | - |
-| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
+| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| | ceuswatcab01.blob.core.windows.net |
| | ceuswatcab02.blob.core.windows.net |
| | eaus2watcab01.blob.core.windows.net |
@@ -175,7 +176,7 @@ The following table defines the endpoints for other diagnostic data services:
| | weus2watcab02.blob.core.windows.net |
| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
-| Microsoft Defender Advanced Threat Protection | https://wdcp.microsoft.comhttps://wdcpalt.microsoft.com |
+| Microsoft Defender Advanced Threat Protection | |
### Data use and access
@@ -191,11 +192,10 @@ Microsoft believes in and practices information minimization. We strive to gathe
Sharing diagnostic data with Microsoft is enabled by default on Windows 10, 1903 and later. Sharing this data provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
-Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, in **Privacy** > **Diagnostics & feedback**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
+Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, in **Privacy** > **Diagnostics & feedback**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this article describes how to use group policy to configure levels and settings interface.
-
#### Manage your diagnostic data settings
Use the steps in this article to set and/or adjust the diagnostic data settings for Windows and Windows Server in your organization.
@@ -225,41 +225,41 @@ Use the appropriate value in the table below when you configure the management p
Use a Group Policy object to set your organization’s diagnostic data level.
-1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
+1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
-2. Double-click **Allow Telemetry**.
+1. Double-click **Allow Telemetry**.
-3. In the **Options** box, select the level that you want to configure, and then click **OK**.
+1. In the **Options** box, select the level that you want to configure, and then click **OK**.
### Use MDM to set the diagnostic data level
-Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
+Use the [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy.
### Use Registry Editor to set the diagnostic data level
Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
-1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
+1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
-2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
+1. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
-3. Type **AllowTelemetry**, and then press ENTER.
+1. Type **AllowTelemetry**, and then press ENTER.
-4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
+1. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
-5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
+1. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
### Additional diagnostic data controls
There are a few more settings that you can turn off that may send diagnostic data information:
-- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
+- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/index/).
-- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
+- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
-- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
+- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
-- Turn off **Improve inking and typing** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
+- Turn off **Improve inking and typing** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
> [!NOTE]
> Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
@@ -275,23 +275,23 @@ The Security level gathers only the diagnostic data info that is required to kee
> [!NOTE]
> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
-Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
+Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
The data gathered at this level includes:
-- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
+- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
-- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
+- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
> [!NOTE]
> You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
-- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
+- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
> [!NOTE]
> This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
- Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
+ Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, Microsoft Endpoint Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
@@ -307,42 +307,34 @@ The normal upload range for the Basic diagnostic data level is between 109 KB -
The data gathered at this level includes:
-- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include:
+- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include:
- - Device attributes, such as camera resolution and display type
+ - Device attributes, such as camera resolution and display type
+ - Internet Explorer version
+ - Battery attributes, such as capacity and type
+ - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
+ - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
+ - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
+ - Operating system attributes, such as Windows edition and virtualization state
+ - Storage attributes, such as number of drives, type, and size
- - Internet Explorer version
+- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
- - Battery attributes, such as capacity and type
+- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
- - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
+- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
- - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
+ - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
- - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
+ - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
- - Operating system attributes, such as Windows edition and virtualization state
+ - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
- - Storage attributes, such as number of drives, type, and size
+ - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
-- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
-
-- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
-
-- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
-
- - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
-
- - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
-
- - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
-
- - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
-
- - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
-
-- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
+ - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
+- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
### Enhanced level
@@ -354,13 +346,13 @@ The normal upload range for the Enhanced diagnostic data level is between 239 KB
The data gathered at this level includes:
-- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
+- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
-- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
+- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
-- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
+- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
-- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
+- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
@@ -374,11 +366,11 @@ If a device experiences problems that are difficult to identify or repeat using
However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
-- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
+- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
-- Ability to get registry keys.
+- Ability to get registry keys.
-- All crash dump types, including heap dumps and full dumps.
+- All crash dump types, including heap dumps and full dumps.
> [!NOTE]
> Crash dumps collected at this diagnostic data level may unintentionally contain personal data, such as portions of memory from a documents, a web page, etc.
@@ -387,7 +379,7 @@ However, before more data is gathered, Microsoft’s privacy governance team, in
> [!IMPORTANT]
> The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](/windows/deployment/update/update-compliance-get-started) will continue to be supported.
-> For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+> For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
Desktop Analytics reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events.
@@ -414,7 +406,7 @@ With the retirement of Windows Analytics, this policy will continue to be suppor
-AND-
-2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
+1. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**.
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 55e655b1dc..f7ff32cbfe 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -40,11 +40,12 @@
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.privacy",
- "folder_relative_path_in_docset": "./"
- }
- }
+ "./": {
+ "depot_name": "MSDN.privacy",
+ "folder_relative_path_in_docset": "./"
+ }
+ },
+ "titleSuffix": "Windows Privacy"
},
"fileMetadata": {},
"template": [],
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index ef6d2bf3ee..70e294409e 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1,6 +1,6 @@
---
title: Manage connections from Windows 10 operating system components to Microsoft services
-description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
+description: Learn how to minimize connections from Windows to Microsoft services, and configure particular privacy settings related to these connections.
ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
ms.reviewer:
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
@@ -1413,7 +1413,11 @@ To turn off Inking & Typing data collection (note: there is no Group Policy for
-or-
-- Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** to a **value of 1 (one)**
+- Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization** to a **value of 1 (one)**
+
+ -and-
+
+- Set **RestrictImplicitInkCollection** registry REG_DWORD setting in **HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization** to a **value of 1 (one)**
### 18.22 Activity History
diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md
index 28c2ac9038..32fc4b968a 100644
--- a/windows/privacy/manage-windows-1709-endpoints.md
+++ b/windows/privacy/manage-windows-1709-endpoints.md
@@ -1,6 +1,6 @@
---
title: Connection endpoints for Windows 10 Enterprise, version 1709
-description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1709.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md
index cb80bc42cd..f62497b8ad 100644
--- a/windows/privacy/manage-windows-1803-endpoints.md
+++ b/windows/privacy/manage-windows-1803-endpoints.md
@@ -1,6 +1,6 @@
---
title: Connection endpoints for Windows 10, version 1803
-description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1803.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index 83bf617928..0504d6eceb 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -1,6 +1,6 @@
---
title: Connection endpoints for Windows 10, version 1809
-description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1809.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index 2151461b3a..786649ef6a 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -1,6 +1,6 @@
---
title: Connection endpoints for Windows 10 Enterprise, version 1903
-description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact.
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1903.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
index 13660e8f01..29accd3e32 100644
--- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
@@ -1,6 +1,6 @@
---
title: Windows 10, version 1709, connection endpoints for non-Enterprise editions
-description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
+description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1709.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
index 208f378b9e..1744c60ff7 100644
--- a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
@@ -1,6 +1,6 @@
---
title: Windows 10, version 1803, connection endpoints for non-Enterprise editions
-description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
+description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1803.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
@@ -23,7 +23,7 @@ ms.reviewer:
- Windows 10 Professional, version 1803
- Windows 10 Education, version 1803
-In addition to the endpoints listed for [Windows 10 Enterprise](https://docs.microsoft.com/en-gb/windows/privacy/manage-windows-1803-endpoints ), the following endpoints are available on other editions of Windows 10, version 1803.
+In addition to the endpoints listed for [Windows 10 Enterprise](https://docs.microsoft.com/windows/privacy/manage-windows-1803-endpoints ), the following endpoints are available on other editions of Windows 10, version 1803.
We used the following methodology to derive these network endpoints:
diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
index d7ad47c4a1..0bde8377e9 100644
--- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
@@ -1,6 +1,6 @@
---
title: Windows 10, version 1809, connection endpoints for non-Enterprise editions
-description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
+description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1809.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
index 96f81d22ed..6c791a5536 100644
--- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
@@ -1,6 +1,6 @@
---
title: Windows 10, version 1903, connection endpoints for non-Enterprise editions
-description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
+description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1903.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md
index 1366bdd1e6..273f2bac8d 100644
--- a/windows/privacy/windows-personal-data-services-configuration.md
+++ b/windows/privacy/windows-personal-data-services-configuration.md
@@ -1,6 +1,6 @@
---
title: Windows 10 personal data services configuration
-description: An overview of Windows 10 services configuration settings that are used for personal data privacy protection relevant for regulations, such as the General Data Protection Regulation (GDPR)
+description: Learn more about Windows 10 configuration settings that are useful for complying with regulations such as the GDPR and protecting users' personal data.
keywords: privacy, GDPR, windows, IT
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml
index 5a608fbd84..dffdd5ba5f 100644
--- a/windows/release-information/resolved-issues-windows-10-1903.yml
+++ b/windows/release-information/resolved-issues-windows-10-1903.yml
@@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
Summary
Originating update
Status
Date resolved
+
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Unable to discover or connect to Bluetooth devices using some Realtek adapters Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.
Error attempting to update with external USB device or memory card attached PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"
Audio not working with Dolby Atmos headphones and home theater Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.
Event Viewer may close or you may receive an error when using Custom Views When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.
Older versions of BattlEye anti-cheat software incompatible Users may experience a compatibility issue with some games that use older versions of BattlEye anti-cheat software.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.
Affected platforms:
Client: Windows 10, version 1903
Server: Windows Server, version 1903
Resolution: This issue was resolved in KB4517389 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.
Loss of functionality in Dynabook Smartphone Link app
Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.
To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms:
Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.
Error attempting to update with external USB device or memory card attached
If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.
Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).
Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.
To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.
Affected platforms:
Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.
Audio not working with Dolby Atmos headphones and home theater
After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error.
This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions.
To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.
Affected platforms:
Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.
Older versions of BattlEye anti-cheat software incompatible
Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software. When launching a game that uses an older, impacted version of BattlEye anti-cheat software on a device running Windows 10, version 1903, the device may experience a system crash.
To safeguard your gaming experience, we have applied a compatibility hold on devices with the impacted versions of BattlEye software used by games installed on your PC. This will prevent Windows 10, version 1903 from being offered until the incompatible version of BattlEye software is no longer installed on the device.
Affected platforms:
Client: Windows 10, version 1903
Workaround: Before updating your machine, we recommend you do one or more of the following:
Verify that your game is up to date with the latest available version of BattlEye software. Some game platforms allow you to validate your game files, which can confirm that your installation is fully up to date.
Resolution: This issue was resolved externally by BattlEye for all known impacted games. For a list of recent games that use BattlEye, go to https://www.battleye.com/. We recommend following the workaround before updating to Windows 10, version 1903, as games with incompatible versions of BattleEye may fail to open after updating Windows. If you have confirmed your game is up to date and you have any issues with opening games related to a BattlEye error, please see https://www.battleye.com/support/faq/.
Microsoft and AMD have identified an incompatibility with AMD RAID driver versions earlier than 9.2.0.105. When you attempt to install the Windows 10, version 1903 update on a Windows 10-based computer with an affected driver version, the installation process stops and you get a message like the following:
AMD Ryzen™ or AMD Ryzen™ Threadripper™ configured in SATA or NVMe RAID mode.
“A driver is installed that causes stability problems on Windows. This driver will be disabled. Check with your software/driver provider for an updated version that runs on this version of Windows.”
To safeguard your update experience, we have applied a compatibility hold on devices with these AMD drivers from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms:
Client: Windows 10, version 1903
Resolution: This issue has been resolved externally by AMD. To resolve this issue, you will need to download the latest AMD RAID drivers directly from AMD at https://www.amd.com/en/support/chipsets/amd-socket-tr4/x399. The drivers must be version 9.2.0.105 or later. Install the drivers on the affected computer, and then restart the installation process for the Windows 10, version 1903 feature update.
Note The safeguard hold will remain in place on machines with the older AMD RAID drivers. We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Unable to discover or connect to Bluetooth devices using some Realtek adapters Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms:
Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
Cluster service may fail if the minimum password length is set to greater than 14 The cluster service may fail to start if “Minimum Password Length” is configured with greater than 14 characters.
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms:
Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms:
Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms:
Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Microsoft Defender Advanced Threat Protection might stop running The Microsoft Defender ATP service might stop running and might fail to send reporting data.
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Devices with some Asian language packs installed may receive an error Devices with Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort Upgrade block: Certain new Intel display drivers may accidentally turn on unsupported features in Windows.
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms:
Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Devices with some Asian language packs installed may receive an error
After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
Server: Windows Server, version 1809; Windows Server 2019
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Workaround: Do one of the following:
Perform the operation from a process that has administrator privilege.
Perform the operation from a node that doesn’t have CSV ownership.
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.
Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers. Intel inadvertently released versions of its display driver (versions 24.20.100.6344, 24.20.100.6345) to OEMs that accidentally turned on unsupported features in Windows.
As a result, after updating to Windows 10, version 1809, audio playback from a monitor or television connected to a PC via HDMI, USB-C, or a DisplayPort may not function correctly on devices with these drivers.
Affected platforms:
Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
Server: Windows Server, version 1809; Windows Server 2019
Next steps: Intel has released updated drivers to OEM device manufacturers. OEMs need to make the updated driver available via Windows Update.
Note: This Intel display driver issue is different from the Intel Smart Sound Technology driver (version 09.21.00.3755) audio issue previously documented.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
+
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Issues with some older versions of Avast and AVG anti-virus products Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.
Unable to discover or connect to Bluetooth devices using some Realtek adapters Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Gamma ramps, color profiles, and night light settings do not apply in some cases Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
D3D applications and games may fail to enter full-screen mode on rotated displays Some Direct3D (D3D) applications and games may fail to enter full-screen mode on rotated displays.
Duplicate folders and documents showing in user profile directory An empty folder with the same name may be created if known folders (e.g. Desktop, Documents) are redirected.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Unable to discover or connect to Bluetooth devices using some Realtek adapters
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903
Server: Windows 10, version 1909; Windows Server, version 1903
Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.
Affected platforms:
Client: Windows 10, version 1903; Windows 10, version 1809
Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.
Note If you are still experiencing the issue described, please contact your device manufacturer (OEM).
D3D applications and games may fail to enter full-screen mode on rotated displays
Some Direct3D (D3D) applications and games (e.g., 3DMark) may fail to enter full-screen mode on displays where the display orientation has been changed from the default (e.g., a landscape display in portrait mode).
Affected platforms:
Client: Windows 10, version 1903
Server: Windows Server, version 1903
Workaround: To work around this issue, do one of the following:
Run applications in windowed mode or, if available, on a secondary non-rotated display.
Change compatibility settings for the applications to “Disable Full Screen Optimizations.”
Next steps: Microsoft is working on a resolution and estimates a solution will be available in late May.
Duplicate folders and documents showing in user profile directory
If you have redirected known folders (e.g. Desktop, Documents, or Pictures folders) you may see an empty folder with the same name in your %userprofile% directories after updating to Windows 10, version 1903. This may occur if known folders were redirected when you chose to back up your content to OneDrive using the OneDrive wizard, or if you chose to back up your content during the Windows Out-of-Box-Experience (OOBE). This may also occur if you redirected your known folders manually through the Properties dialog box in File Explorer. This issue does not cause any user files to be deleted and a solution is in progress.
To safeguard your update experience, we have applied a quality hold on devices with redirected known folders from being offered Windows 10, version 1903, until this issue is resolved.
Affected platforms:
Client: Windows 10, version 1903
Next steps: Microsoft is working on a resolution and estimates a solution will be available in late May.
Note We recommend that you do not attempt to manually update to Windows 10, version 1903 using the Update now button or the Media Creation Tool until this issue has been resolved.
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
Summary
Originating update
Status
Last updated
+
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Issues with some older versions of Avast and AVG anti-virus products Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.
Unable to discover or connect to Bluetooth devices using some Realtek adapters Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.
Unable to create local users in Chinese, Japanese and Korean during device setup You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
Unable to create local users in Chinese, Japanese and Korean during device setup
When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note This issue does not affect using a Microsoft Account during OOBE.
Affected platforms:
Client: Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
Server: Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
MSRT might fail to install and be re-offered from Windows Update or WSUS The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
IA64 and x64 devices may fail to start after installing updates After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.
IA64 and x64 devices may fail to start after installing updates
IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977), may fail to start with the following error:
\"File: \\Windows\\system32\\winload.efi
Status: 0xc0000428
Info: Windows cannot verify the digital signature for this file.\"
Affected platforms:
Client: Windows 7 SP1
Server: Windows Server 2008 R2 SP1
Take Action: To resolve this issue please follow the steps outlined in the SHA-2 support FAQ article for error code 0xc0000428.
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms:
Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Printing from 32-bit apps might fail on a 64-bit OS When attempting to print, you may receive an error or the application may stop responding or close.
Japanese IME doesn't show the new Japanese Era name as a text input option With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms:
Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
Affected platforms:
Client: Windows 8.1
Server: Windows Server 2012 R2; Windows Server 2012
Workaround:
If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update.
Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)
Printing from 32-bit apps might fail on a 64-bit OS When attempting to print, you may receive an error or the application may stop responding or close.
Japanese IME doesn't show the new Japanese Era name as a text input option With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.
Certain operations performed on a Cluster Shared Volume may fail Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
Affected platforms:
Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
Affected platforms:
Client: Windows 8.1
Server: Windows Server 2012 R2; Windows Server 2012
Workaround:
If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update.
Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)
The December 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
December 10, 2019 08:00 AM PT
+
Timing of Windows 10 optional update releases (December 2019)
For the balance of this calendar year, there will be no optional non-security “C” and “D” releases for Windows 10. The \"C\" releases normally target the third week of the month, with \"D\" releases targeting the fourth week. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer.
Learn how to get Windows 10, version 1909 (the November 2019 Update), and explore how we’ve worked to make this a great experience for all devices, including a new, streamlined (and fast) update experience for devices updating directly from the May 2019 Update.
Learn how devices running Windows 10, version 1903 can update to Windows 10, version 1909 using the same servicing technology used to deliver monthly quality updates, resulting in a single restart and reducing update-related downtime.
Explore the latest features for IT, get information about media availability and related tools, and find answers to frequently asked questions.
November 12, 2019 10:00 AM PT
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 328ee569c2..d1b2905bad 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -45,9 +45,14 @@
"depot_name": "MSDN.security",
"folder_relative_path_in_docset": "./"
}
+ },
+ "titleSuffix": "Microsoft 365 Security"
+ },
+ "fileMetadata": {
+ "titleSuffix":{
+ "threat-protection/**/*.md": "Windows security"
}
},
- "fileMetadata": {},
"template": [],
"dest": "security",
"markdownEngineName": "markdig"
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index f8a3185eb0..c8bdc813a2 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -289,6 +289,16 @@ Capability Security Identifiers (SIDs) are used to uniquely and immutably identi
All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location.
+## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition
+You may see the following registry keys under AllCachedCapabilities:
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
+
All Capability SIDs are prefixed by S-1-15-3
## See also
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index 8e823b08e6..0dd5d09a40 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -1,6 +1,6 @@
---
title: Configure S/MIME for Windows 10 and Windows 10 Mobile (Windows 10)
-description: In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them.
+description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, aka a certificate, can read them.
ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05
ms.reviewer:
keywords: encrypt, digital signature
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index d42dc24268..68410a7305 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -1,6 +1,6 @@
---
title: Additional mitigations
-description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Windows Defender Credential Guard on Windows 10.
+description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index 00a4a3e6bb..4eaf65890c 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -1,6 +1,6 @@
---
title: How Windows Defender Credential Guard works
-description: Using virtualization-based security, Windows Defender Credential Guard features a new component called the isolated LSA process, which stores and protects secrets, isolating them from the rest of the operating system, so that only privileged system software can access them.
+description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 3869b97501..610edeb54d 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -1,6 +1,6 @@
---
title: Manage Windows Defender Credential Guard (Windows 10)
-description: Deploying and managing Windows Defender Credential Guard using Group Policy, the registry, or the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool.
+description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index 104cadf507..792587963f 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -1,6 +1,6 @@
---
title: Windows Defender Credential Guard protection limits (Windows 10)
-description: Scenarios not protected by Windows Defender Credential Guard in Windows 10.
+description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows 10. Learn more with this guide.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index cacd765584..68102f6e49 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -1,6 +1,6 @@
---
title: Windows Defender Credential Guard Requirements (Windows 10)
-description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options.
+description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
index ae294baabb..b62a1d9818 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
@@ -1,6 +1,6 @@
---
title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows 10)
-description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Windows Defender Credential Guard on Windows 10.
+description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows 10.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index e5422219e7..38bbbfc5cd 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -1,6 +1,6 @@
---
title: Protect derived domain credentials with Windows Defender Credential Guard (Windows 10)
-description: Introduced in Windows 10 Enterprise, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
+description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
ms.reviewer:
ms.prod: w10
@@ -35,7 +35,7 @@ By enabling Windows Defender Credential Guard, the following features and soluti
## Related topics
- [Isolated User Mode in Windows 10 with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-in-Windows-10-with-Dave-Probert)
-- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel)
+- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel)
- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert)
- [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode)
- [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 3da855c332..4ddcb35964 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -31,7 +31,7 @@ ms.reviewer:
Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
-Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices.
+Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices.
Which organizations can take advantage of Multi-factor unlock? Those who:
* Have expressed that PINs alone do not meet their security needs.
@@ -101,7 +101,7 @@ Each rule element has a **signal** element. All signal elements have a **type**
| type| "wifi" (Windows 10, version 1803)
#### Bluetooth
-You define the bluetooth signal with additional attribute in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>".
+You define the bluetooth signal with additional attributes in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>".
|Attribute|Value|Required|
|---------|-----|--------|
@@ -117,7 +117,7 @@ Example:
```
-The **classofDevice** attribute defaults Phones and uses the values from the following table
+The **classofDevice** attribute defaults to Phone and uses the values from the following table:
|Description|Value|
|:-------------|:-------:|
@@ -138,7 +138,7 @@ The **rssiMin** attribute value signal indicates the strength needed for the dev
RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
>[!IMPORTANT]
->Microsoft recommends using the default values for this policy settings. Measurements are relative, based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. Use the rssiMIN and rssiMaxDelta values from the XML file created by the Group Policy Management Editor or remove both attributes to use the default values.
+>Microsoft recommends using the default values for this policy setting. Measurements are relative, based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. Use the rssiMIN and rssiMaxDelta values from the XML file created by the Group Policy Management Editor or remove both attributes to use the default values.
#### IP Configuration
You define IP configuration signals using one or more ipConfiguration elements. Each element has a string value. IpConfiguration elements do not have attributes or nested elements.
@@ -198,7 +198,7 @@ The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IP
21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2
```
##### dnsSuffix
-The fully qualified domain name of your organizations internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
+The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
**Example**
```
corp.contoso.com
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index 18314f3f58..c0e102cb90 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -1,6 +1,6 @@
---
title: Windows Hello biometrics in the enterprise (Windows 10)
-description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
+description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc
ms.reviewer:
keywords: Windows Hello, enterprise biometrics
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index a98db0c85a..f42095fd31 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -1,6 +1,6 @@
---
title: Prepare & Deploy Windows AD FS certificate trust (Windows Hello for Business)
-description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business
+description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index c6b2d2ced0..7f7f59156a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -1,6 +1,6 @@
---
title: Configure Windows Hello for Business Policy settings - certificate trust
-description: Configure Windows Hello for Business Policy settings for Windows Hello for Business
+description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index a125f1f5ad..4681b5725d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -1,6 +1,6 @@
---
title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
-description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business
+description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with certificate trust
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index e0c4077f94..067d2d3504 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -1,6 +1,6 @@
---
title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business)
-description: How to Validate Public Key Infrastructure for Windows Hello for Business
+description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index d43318ad43..c8f3f83f76 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment
-description: A guide to an On Premises, Certificate trust Windows Hello for Business deployment
+description: A guide to on premises, certificate trust Windows Hello for Business deployment.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
index f2cdd5b988..e748408fb5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Deployment Guide - On Premises Key Deployment
-description: A guide to an On Premises, Certificate trust Windows Hello for Business deployment
+description: A guide to on premises, key trust Windows Hello for Business deployment.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
index 4b08f7b6f1..a1810a0b03 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
@@ -1,6 +1,6 @@
---
title: Conditional Access
-description: Conditional Access
+description: Learn more about conditional access in Azure Active Directory.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index b05057da97..53985965fb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,6 +1,6 @@
---
title: Dynamic lock
-description: Conditional Access
+description: Learn how to set Dynamic lock on Windows 10 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
ms.prod: w10
ms.mktglfcycl: deploy
@@ -23,7 +23,9 @@ ms.reviewer:
* Windows 10, version 1703
-Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**.
+Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
+
+You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**.
The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index d30031df7d..c75524b41e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -1,6 +1,6 @@
---
title: How Windows Hello for Business works - Authentication
-description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+description: Learn about the authentication flow for Windows Hello for Business.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index c876fbd351..f220db21f6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -1,6 +1,6 @@
---
title: How Windows Hello for Business works - Provisioning
-description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -58,7 +58,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment
-
+
| Phase | Description |
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
index bb57bd6b57..0e03beb9e3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
@@ -1,6 +1,6 @@
---
title: How Windows Hello for Business works - Technical Deep Dive
-description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+description: Deeply explore how Windows Hello for Business works, and how it can help your users authenticate to services.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index f32db55329..012051d5e2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -1,6 +1,6 @@
---
title: How Windows Hello for Business works - Technology and Terms
-description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index cec799fa3d..de0d46631b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -1,6 +1,6 @@
---
title: How Windows Hello for Business works
-description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 060bf7e60a..9874fcd53a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -1,6 +1,6 @@
---
title: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
-description: Azure Active Directory joined devices in a hybrid Deployment for on-premises single sign-on
+description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them.
keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 1bb87570ff..54f37c9b50 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -1,6 +1,6 @@
---
title: Using Certificates for AADJ On-premises Single-sign On single sign-on
-description: Azure Active Directory joined devices in a hybrid Deployment for on-premises single sign-on
+description: If you want to use certificates for on-premises single-sign on for Azure Active Directory joined devices, then follow these additional steps.
keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 27c18d43e7..4eed2e7435 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -1,6 +1,6 @@
---
title: Azure AD Join Single Sign-on Deployment
-description: Azure Active Directory joined devices in a hybrid Deployment for on-premises single sign-on
+description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory joined devices, using Windows Hello for Business.
keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 5304c0af57..8ed6db6fb4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -1,6 +1,6 @@
---
title: Hybrid Windows Hello for Business Prerequisites
-description: Prerequisites for Hybrid Windows Hello for Business Deployments
+description: Prerequisites for hybrid Windows Hello for Business deployments using certificate trust.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 8b3b535bc4..9d05788513 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -1,6 +1,6 @@
---
title: Hybrid Windows Hello for Business Provisioning (Windows Hello for Business)
-description: Provisioning for Hybrid Windows Hello for Business Deployments
+description: Provisioning for hybrid certificate trust deployments of Windows Hello for Businesss.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 9a5ce9f830..7c4e019e6d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -151,7 +151,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials.
1. Open an elevated command prompt.
-2. Run `certutil -dsTemplate WHFBAuthentication,msPKI-Private-Key-Flag,+CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
+2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
> [!NOTE]
> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
index eb54aba4fd..fba1fd76f8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
@@ -1,6 +1,6 @@
---
title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
-description: Configuring Windows Hello for Business Settings in Hybrid deployment
+description: Configuring Windows Hello for Business settings in hybrid certificate trust deployment.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 351e8af565..6ab596d350 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Key Trust New Installation
-description: Windows Hello for Business Hybrid baseline deployment
+description: Learn how to perform a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations.
keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: w10
ms.mktglfcycl: deploy
@@ -126,7 +126,7 @@ If your organization uses Azure MFA on a per-consumption model (no licenses), th
Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
#### Azure MFA User States
-After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
+After you have completed configuring your Azure MFA settings, you want to review [How to require two-step verification for a user](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
### Azure MFA via ADFS
Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index e0c85f3020..d2694a48af 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -1,6 +1,6 @@
---
title: Hybrid Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
-description: Prerequisites for Hybrid Windows Hello for Business Deployments
+description: Prerequisites for hybrid Windows Hello for Business deployments using key trust.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 99e9682540..85992e20d5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -1,6 +1,6 @@
---
title: Hybrid Windows Hello for Business key trust Provisioning (Windows Hello for Business)
-description: Provisioning for Hybrid Windows Hello for Business Deployments
+description: Provisioning for hybrid key trust deployments of Windows Hello for Business.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
ms.mktglfcycl: deploy
@@ -19,7 +19,7 @@ ms.reviewer:
# Hybrid Windows Hello for Business Provisioning
**Applies to**
-- Windows�10, version 1703 or later
+- Windows 10, version 1703 or later
- Hybrid deployment
- Key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index 5202ec8d19..d8eb2ac3ed 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -1,6 +1,6 @@
---
title: Configure Hybrid Windows Hello for Business key trust Settings
-description: Configuring Windows Hello for Business Settings in Hybrid deployment
+description: Configuring Windows Hello for Business settings in hybrid key trust deployment.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index de439496b9..a908e96533 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -1,6 +1,6 @@
---
title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business)
-description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business
+description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index df1cdd141d..5f6fb9480c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -1,6 +1,6 @@
---
title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business)
-description: How to Validate Public Key Infrastructure for Windows Hello for Business
+description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
index 99d02689bd..d924d3f98c 100644
--- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
@@ -1,6 +1,6 @@
---
title: Microsoft-compatible security key
-description: Windows 10 enables users to sign in to their device using a security key. How is a Microsoft-compatible security key different (and better) than any other FIDO2 security key
+description: Learn how a Microsoft-compatible security key for Windows 10 is different (and better) than any other FIDO2 security key.
keywords: FIDO2, security key, CTAP, Hello, WHFB
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index f3d95ae6ee..00b0bd2e95 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -1,6 +1,6 @@
---
title: How Windows Hello for Business works (Windows 10)
-description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index a408a47cf2..17564fc13b 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -185,7 +185,7 @@ Certificate requirements are listed by versions of the Windows operating system.
The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider.
-| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, and Windows Vista** | **Requirements for Windows XP** |
+| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows 10** | **Requirements for Windows XP** |
|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CRL distribution point location | Not required | The location must be specified, online, and available, for example: \[1\]CRL Distribution Point Distribution Point Name: Full Name: URL= |
| Key usage | Digital signature | Digital signature |
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index 992e66a6c7..f663299fb7 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -1,6 +1,6 @@
---
title: Smart Card Group Policy and Registry Settings (Windows 10)
-description: This topic for the IT professional and smart card developer describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
+description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 03d90751c8..53ebc5b4f6 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -1,6 +1,6 @@
---
title: Smart Card Technical Reference (Windows 10)
-description: This technical reference for the IT professional and smart card developer describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows.
+description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
index e6ee5742aa..f107a2346a 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
@@ -1,6 +1,6 @@
---
title: User Account Control security policy settings (Windows 10)
-description: You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.
+description: You can use security policies to configure how User Account Control works in your organization.
ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98
ms.reviewer:
ms.prod: w10
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index 8d19264cfa..aa61d00b97 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -1,6 +1,6 @@
---
title: Virtual Smart Card Overview (Windows 10)
-description: This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft, and links to additional topics about virtual smart cards.
+description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index aab4745ee9..0194ee2c80 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -1,6 +1,6 @@
---
title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
-description: This topic for IT professional provides information about how smart card technology can fit into your authentication design, and provides links to additional topics about virtual smart cards.
+description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 674df551a5..df414d1e79 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -1,6 +1,6 @@
---
title: VPN and conditional access (Windows 10)
-description: The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
+description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 6931c47d7b..0206bbd776 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -1,6 +1,6 @@
---
title: VPN profile options (Windows 10)
-description: Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect.
+description: Windows 10 adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-atp/improve-request-performance.md b/windows/security/includes/improve-request-performance.md
similarity index 88%
rename from windows/security/threat-protection/microsoft-defender-atp/improve-request-performance.md
rename to windows/security/includes/improve-request-performance.md
index 880f5e4d11..ddff438e13 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/improve-request-performance.md
+++ b/windows/security/includes/improve-request-performance.md
@@ -16,11 +16,8 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Improve request performance
-
-
>[!NOTE]
>For better performance, you can use server closer to your geo location:
> - api-us.securitycenter.windows.com
> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
\ No newline at end of file
+> - api-uk.securitycenter.windows.com
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md b/windows/security/includes/machineactionsnote.md
similarity index 64%
rename from windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
rename to windows/security/includes/machineactionsnote.md
index 23f85143c5..246c89eb92 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md
+++ b/windows/security/includes/machineactionsnote.md
@@ -9,7 +9,5 @@ author: mjcaparas
ms.prod: w10
---
-# Perform a Machine Action via the Microsoft Defender ATP API
-
>[!Note]
-> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP.
+> This page focuses on performing a machine action via API. See [take response actions on a machine](../threat-protection/microsoft-defender-atp/respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md b/windows/security/includes/prerelease.md
similarity index 90%
rename from windows/security/threat-protection/microsoft-defender-atp/prerelease.md
rename to windows/security/includes/prerelease.md
index 7d769b0dd4..a83544340f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md
+++ b/windows/security/includes/prerelease.md
@@ -9,7 +9,5 @@ author: mjcaparas
ms.prod: w10
---
-# Microsoft Defender ATP Pre-release Disclaimer
-
> [!IMPORTANT]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
index 71cc07649a..65e915649a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
@@ -1,6 +1,6 @@
---
title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
-description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
index 9096194a09..f8fa65855e 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
@@ -1,6 +1,6 @@
---
title: BitLocker deployment and administration FAQ (Windows 10)
-description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
index 2a5c698b91..3c5449bfe9 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
@@ -1,6 +1,6 @@
---
title: BitLocker FAQ (Windows 10)
-description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index e91f6d7db8..7cdd7f45b1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -314,7 +314,7 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many
- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer:
```powershell
- manage-bde –protectors –get C:
+ manage-bde -protectors -get C:
```
>**Note:** Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
index 5ab13673ea..226acb2e7c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
@@ -1,6 +1,6 @@
---
title: BitLocker Key Management FAQ (Windows 10)
-description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
index b137b40f9c..153be07099 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
@@ -1,6 +1,6 @@
---
title: BitLocker Network Unlock FAQ (Windows 10)
-description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
index 211775fd9d..2962d7533b 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
@@ -1,6 +1,6 @@
---
title: BitLocker Security FAQ (Windows 10)
-description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?"
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
index 6cc8628157..e8bd11f12b 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
@@ -1,6 +1,6 @@
---
title: BitLocker To Go FAQ (Windows 10)
-description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+description: Learn more about BitLocker To Go — BitLocker drive encryption for removable drives.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
index ddefee9d0c..7873e99c18 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
@@ -1,6 +1,6 @@
---
title: BitLocker Upgrading FAQ (Windows 10)
-description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
index 5d1da751a8..0aebf543c2 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
@@ -1,6 +1,6 @@
---
title: Using BitLocker with other programs FAQ (Windows 10)
-description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
+description: Learn how to integrate BitLocker with other software on your device.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
index 8f99d1e45e..e2ae8c85e5 100644
--- a/windows/security/information-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -1,6 +1,6 @@
---
title: TPM fundamentals (Windows 10)
-description: This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
+description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks.
ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000
ms.reviewer:
ms.prod: w10
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index cbb074f9fa..60283edd89 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -1,6 +1,6 @@
---
title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10)
-description: How unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) networking policies, app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
+description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria
keywords: WIP, Enterprise Data Protection, EDP, Windows Information Protection, unenlightened apps, enlightened apps
ms.prod: w10
ms.mktglfcycl: explore
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index 0d7d91e071..78edc9a59e 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -1,6 +1,6 @@
---
title: How to collect Windows Information Protection (WIP) audit event logs (Windows 10)
-description: How to collect and understand your Windows Information Protection audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices only).
+description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 8c73819a8e..6c672171ac 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -1,6 +1,6 @@
---
title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10)
-description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
+description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy
keywords: WIP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 8f850eed95..b3f555bb13 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -1,6 +1,6 @@
---
title: Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune (Windows 10)
-description: The Azure portal for Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, supporting mobile device management (MDM), to let you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -30,7 +30,7 @@ You can create an app protection policy in Intune either with device enrollment
- MAM has additional **Access** settings for Windows Hello for Business.
- MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device.
-- MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
+- MAM requires an [Azure Active Directory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
- MAM supports only one user per device.
- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
@@ -40,7 +40,7 @@ You can create an app protection policy in Intune either with device enrollment
## Prerequisites
-Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
+Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Directory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
## Configure the MDM or MAM provider
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
index 61ce1a5f3b..2e4f0f0749 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -1,6 +1,6 @@
---
title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10)
-description: Configuration Manager (version 1606 or later) helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
ms.reviewer:
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 93a5d00470..37be2ff41c 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -1,6 +1,6 @@
---
title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
-description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
+description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
ms.reviewer:
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
index f9e51d4cb9..576fe7cf71 100644
--- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -1,6 +1,6 @@
---
title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
-description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
+description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
ms.reviewer:
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
index 6b736fd281..27d3f1d9c9 100644
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -1,6 +1,6 @@
---
title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
-description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) in your enterprise.
+description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise.
keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Protected apps list
ms.prod: w10
ms.mktglfcycl: explore
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
index 40ab9e148d..e8ad475fda 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md
@@ -1,6 +1,6 @@
---
title: Create a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10)
-description: System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+description: System Center Configuration Manager helps you create & deploy your enterprise data protection (WIP) policy.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer:
ms.prod: w10
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
index 8905cdb7b4..3338a0ebab 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
@@ -1,6 +1,6 @@
---
title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
-description: Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+description: Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer:
ms.prod: w10
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 62403b8b81..fc2050b5d2 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -1,6 +1,6 @@
---
title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10)
-description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control.
+description: Learn how to prevent accidental enterprise data leaks through apps and services, such as email, social media, and the public cloud.
ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
ms.reviewer:
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, DLP, data loss prevention, data leakage protection
@@ -59,7 +59,7 @@ To help address this security insufficiency, companies developed data loss preve
- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
-Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss preventions systems is that it provides a jarring experience that interrupts the employees’ natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
+Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees’ natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
### Using information rights management systems
To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index b11eab1f7d..c3e7e88640 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -35,7 +35,7 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc
|-----------------------------|---------------------------------------------------------------------|
|Office 365 for Business |
contoso.sharepoint.com
contoso-my.sharepoint.com
contoso-files.sharepoint.com
tasks.office.com
protection.office.com
meet.lync.com
teams.microsoft.com
|
|Yammer |
www.yammer.com
yammer.com
persona.yammer.com
|
-|Outlook Web Access (OWA) |attachments.office.net |
+|Outlook Web Access (OWA) |
outlook.office.com
outlook.office365.com
attachments.office.net
|
|Microsoft Dynamics |contoso.crm.dynamics.com |
|Visual Studio Online |contoso.visualstudio.com |
|Power BI |contoso.powerbi.com |
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 5bb338c311..7679c60ed8 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -9,8 +9,8 @@ ms.mktglfcycl:
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: LauraWi
-ms.author: laurawi
+author: cabailey
+ms.author: cabailey
manager: laurawi
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 403e6ddf69..8c4e3bb357 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -42,6 +42,7 @@
#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
### [Endpoint detection and response]()
#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
@@ -114,21 +115,21 @@
#### [Advanced hunting schema reference]()
##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
##### [AlertEvents](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
-##### [FileCreationEvents](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
-##### [ImageLoadEvents](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
-##### [LogonEvents](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
-##### [MachineInfo](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
-##### [MachineNetworkInfo](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
-##### [MiscEvents](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
-##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
-##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
-##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
+##### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md)
+##### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md)
+##### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md)
+##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md)
+##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md)
+##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md)
+##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
+##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
+##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md)
##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md)
##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md)
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
-#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
+#### [Stream advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
#### [Custom detections]()
##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
@@ -448,13 +449,6 @@
#### [Common Vulnerabilities and Exposures (CVE) to KB map]()
##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
-#### [API for custom alerts (Deprecated)]()
-##### [Use the threat intelligence API to create custom alerts (Deprecated)](microsoft-defender-atp/use-custom-ti.md)
-##### [Create custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/custom-ti-api.md)
-##### [PowerShell code examples (Deprecated)](microsoft-defender-atp/powershell-example-code.md)
-##### [Python code examples (Deprecated)](microsoft-defender-atp/python-example-code.md)
-##### [Experiment with custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/experiment-custom-ti.md)
-##### [Troubleshoot custom threat intelligence issues (Deprecated)](microsoft-defender-atp/troubleshoot-custom-ti.md)
#### [Pull detections to your SIEM tools]()
##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
@@ -466,7 +460,8 @@
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
#### [Reporting]()
-##### [Create and build Power BI reports using Microsoft Defender ATP data](microsoft-defender-atp/powerbi-reports.md)
+##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
+##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
##### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
index 9270164aec..7c55d51d21 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md
@@ -1,6 +1,6 @@
---
title: Advanced security audit policies (Windows 10)
-description: Advanced security audit policy settings are found in Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently.
+description: Advanced security audit policy settings may appear to overlap with basic policies, but they are recorded and applied differently. Learn more about them here.
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index e559dc6001..f15fee7c4d 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -1,6 +1,6 @@
---
title: Apply a basic audit policy on a file or folder (Windows 10)
-description: You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
+description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log.
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index 34e1304ce4..1ea3e878e6 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -1,6 +1,6 @@
---
title: Audit Account Lockout (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
+description: The policy setting, Audit Account Lockout, enables you to audit security events generated by a failed attempt to log on to an account that is locked out.
ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md
index 72a5aecec7..b594ba40ca 100644
--- a/windows/security/threat-protection/auditing/audit-application-generated.md
+++ b/windows/security/threat-protection/auditing/audit-application-generated.md
@@ -1,6 +1,6 @@
---
title: Audit Application Generated (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs).
+description: The policy setting, Audit Application Generated, determines if audit events are generated when applications attempt to use the Windows Auditing APIs.
ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md
index 96f7a50301..8dce282dfa 100644
--- a/windows/security/threat-protection/auditing/audit-application-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-application-group-management.md
@@ -1,6 +1,6 @@
---
title: Audit Application Group Management (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed.
+description: The policy setting, Audit Application Group Management, determines if audit events are generated when application group management tasks are performed.
ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
index 8f4d1d0d23..376cab2bcf 100644
--- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
@@ -1,6 +1,6 @@
---
title: Audit Audit Policy Change (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy.
+description: The Advanced Security Audit policy setting, Audit Audit Policy Change, determines if audit events are generated when changes are made to audit policy.
ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
index 8020663eb5..4a6f754c01 100644
--- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
@@ -1,6 +1,6 @@
---
title: Audit Authentication Policy Change (Windows 10)
-description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy.
+description: The Advanced Security Audit policy setting, Audit Authentication Policy Change, determines if audit events are generated when authentication policy is changed.
ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
index af4339ce53..bb4d048a5f 100644
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
@@ -1,6 +1,6 @@
---
title: Audit Authorization Policy Change (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy.
+description: The policy setting, Audit Authorization Policy Change, determines if audit events are generated when specific changes are made to the authorization policy.
ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
index 061105bbac..f655b5d8c6 100644
--- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
+++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
@@ -1,6 +1,6 @@
---
title: Audit Central Access Policy Staging (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy.
+description: The Advanced Security Audit policy setting, Audit Central Access Policy Staging, determines permissions on a Central Access Policy.
ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
index 4214420b03..a1e50c1538 100644
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ b/windows/security/threat-protection/auditing/audit-certification-services.md
@@ -1,6 +1,6 @@
---
title: Audit Certification Services (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (ADÂ CS) operations are performed.
+description: The policy setting, Audit Certification Services, decides if events are generated when Active Directory Certificate Services (ADA CS) operations are performed.
ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md
index d0d902a868..ab838fd042 100644
--- a/windows/security/threat-protection/auditing/audit-computer-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md
@@ -1,6 +1,6 @@
---
title: Audit Computer Account Management (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
+description: The policy setting, Audit Computer Account Management, determines if audit events are generated when a computer account is created, changed, or deleted.
ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md
index feac5d138b..9ce3b5aa5b 100644
--- a/windows/security/threat-protection/auditing/audit-credential-validation.md
+++ b/windows/security/threat-protection/auditing/audit-credential-validation.md
@@ -1,6 +1,6 @@
---
title: Audit Credential Validation (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
+description: The policy setting, Audit Credential Validation, determines if audit events are generated when user account logon request credentials are submitted.
ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
index 2b345207d2..859859fc2b 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
@@ -1,6 +1,6 @@
---
title: Audit Detailed Directory Service Replication (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Detailed Directory Service Replication, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers.
+description: The Audit Detailed Directory Service Replication setting decides if audit events contain detailed tracking info about data replicated between domain controllers
ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
index 41ed83320d..69a9d636c7 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
@@ -1,6 +1,6 @@
---
title: Audit Detailed File Share (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder.
+description: The Advanced Security Audit policy setting, Audit Detailed File Share, allows you to audit attempts to access files and folders on a shared folder.
ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
index ae15d23652..0a13f90a87 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md
@@ -1,6 +1,6 @@
---
title: Audit Directory Service Access (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (ADÂ DS) object is accessed.
+description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (ADA DS) object is accessed.
ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
index 4110cd1ec6..1a962ee86f 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
@@ -1,6 +1,6 @@
---
title: Audit Directory Service Changes (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (ADÂ DS).
+description: The policy setting Audit Directory Service Changes determines if audit events are generated when objects in Active Directory Domain Services (AD DS) are changed
ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
index 06737f9521..dffea817d4 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
@@ -1,6 +1,6 @@
---
title: Audit Directory Service Replication (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
+description: Audit Directory Service Replication is a policy setting that decides if audit events are created when replication between two domain controllers begins or ends.
ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
index 0c779c954f..2bacdbe3a1 100644
--- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
@@ -1,6 +1,6 @@
---
title: Audit Distribution Group Management (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks.
+description: The policy setting, Audit Distribution Group Management, determines if audit events are generated for specific distribution-group management tasks.
ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
index 835e1fd7f3..fc94d79d95 100644
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
@@ -1,6 +1,6 @@
---
title: Audit DPAPI Activity (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).
+description: The policy setting, Audit DPAPI Activity, decides if encryption/decryption calls to the data protection application interface (DPAPI) generate audit events.
ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
index 512ae2084a..ccab879b4f 100644
--- a/windows/security/threat-protection/auditing/audit-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-file-share.md
@@ -1,6 +1,6 @@
---
title: Audit File Share (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed.
+description: The Advanced Security Audit policy setting, Audit File Share, determines if the operating system generates audit events when a file share is accessed.
ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
index fe21575b2b..57ea7bc917 100644
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ b/windows/security/threat-protection/auditing/audit-file-system.md
@@ -1,6 +1,6 @@
---
title: Audit File System (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects.
+description: The Advanced Security Audit policy setting, Audit File System, determines if audit events are generated when users attempt to access file system objects.
ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
index 734f231b24..52475e4276 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
@@ -1,6 +1,6 @@
---
title: Audit Filtering Platform Connection (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform.
+description: The policy setting, Audit Filtering Platform Connection, decides if audit events are generated when connections are allow/blocked by Windows Filtering Platform.
ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
index b953cf56c0..bdaff33b06 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
@@ -1,6 +1,6 @@
---
title: Audit Filtering Platform Packet Drop (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform.
+description: The policy setting, Audit Filtering Platform Packet Drop, determines if audit events are generated when packets are dropped by the Windows Filtering Platform.
ms.assetid: 95457601-68d1-4385-af20-87916ddab906
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
index c82bbebd49..4103970aa4 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@@ -1,6 +1,6 @@
---
title: Audit Filtering Platform Policy Change (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions.
+description: The policy setting, Audit Filtering Platform Policy Change, determines if audit events are generated for certain IPsec and Windows Filtering Platform actions.
ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
index 18b2e9556d..e9047b6c8a 100644
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ b/windows/security/threat-protection/auditing/audit-group-membership.md
@@ -1,6 +1,6 @@
---
title: Audit Group Membership (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC.
+description: The advanced security audit policy setting, Audit Group Membership, enables you to audit group memberships when they are enumerated on the client PC.
ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
index 3802d34249..64fd2edce2 100644
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
@@ -1,6 +1,6 @@
---
title: Audit Handle Manipulation (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
+description: The Advanced Security Audit policy setting, Audit Handle Manipulation, determines if audit events are generated when a handle to an object is opened or closed.
ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
index 0f0a9fa7b5..d396f0ed40 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
@@ -1,6 +1,6 @@
---
title: Audit IPsec Driver (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver.
+description: The Advanced Security Audit policy setting, Audit IPsec Driver, determines if audit events are generated for the activities of the IPsec driver.
ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
index af3502ddce..37421d3b3e 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
@@ -1,6 +1,6 @@
---
title: Audit IPsec Extended Mode (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
+description: The setting, Audit IPsec Extended Mode, determines if audit events are generated for the results of IKE protocol and AuthIP during Extended Mode negotiations.
ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
index d4aa3ebf77..bf2db28b53 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
@@ -1,6 +1,6 @@
---
title: Audit IPsec Main Mode (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
+description: Learn about the policy setting, Audit IPsec Main Mode, which determines if the results of certain protocols generate events during Main Mode negotiations.
ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
index 54e46c85cd..290c41687a 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
@@ -1,6 +1,6 @@
---
title: Audit IPsec Quick Mode (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
+description: The policy setting, Audit IPsec Quick Mode, decides if audit events are generated for the results of the IKE protocol and AuthIP during Quick Mode negotiations.
ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
index d28314643d..529003459d 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
@@ -1,6 +1,6 @@
---
title: Audit Kerberos Authentication Service (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
+description: The policy setting Audit Kerberos Authentication Service decides if audit events are generated for Kerberos authentication ticket-granting ticket (TGT) requests
ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
index f8bacdd852..27a1d4a933 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
@@ -1,6 +1,6 @@
---
title: Audit Kerberos Service Ticket Operations (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests.
+description: The policy setting, Audit Kerberos Service Ticket Operations, determines if security audit events are generated for Kerberos service ticket requests.
ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
index 44049a109f..60f0a374d8 100644
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ b/windows/security/threat-protection/auditing/audit-kernel-object.md
@@ -1,6 +1,6 @@
---
title: Audit Kernel Object (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
+description: The policy setting, Audit Kernel Object, decides if user attempts to access the system kernel (which includes mutexes and semaphores) generate audit events.
ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index 45e9abeb45..c4d6606795 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -1,6 +1,6 @@
---
title: Audit Logoff (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated.
+description: The Advanced Security Audit policy setting, Audit Logoff, determines if audit events are generated when logon sessions are terminated.
ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md
index 3742607eba..711c16301c 100644
--- a/windows/security/threat-protection/auditing/audit-logon.md
+++ b/windows/security/threat-protection/auditing/audit-logon.md
@@ -1,6 +1,6 @@
---
title: Audit Logon (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer.
+description: The Advanced Security Audit policy setting, Audit Logon, determines if audit events are generated when a user attempts to log on to a computer.
ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
index 25e29659e8..d58bafa0de 100644
--- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
@@ -1,6 +1,6 @@
---
title: Audit MPSSVC Rule-Level Policy Change (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
+description: Audit MPSSVC Rule-Level Policy Change determines if audit events are generated when policy rules are altered for the Microsoft Protection Service (MPSSVC.exe).
ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md
index 6d7eaac005..697ae99b16 100644
--- a/windows/security/threat-protection/auditing/audit-network-policy-server.md
+++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md
@@ -1,6 +1,6 @@
---
title: Audit Network Policy Server (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock).
+description: The policy setting, Audit Network Policy Server, determines if audit events are generated for RADIUS (IAS) and NAP activity on user access requests.
ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
index edbcb2555d..959a951636 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
@@ -1,6 +1,6 @@
---
title: Audit Other Account Logon Events (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
+description: The policy setting, Audit Other Account Logon Events, allows you to audit events generated by responses to credential requests for certain kinds of user logons.
ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
index cd054ab132..2795a0bb73 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
@@ -1,6 +1,6 @@
---
title: Audit Other Account Management Events (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events.
+description: The Advanced Security Audit policy setting, Audit Other Account Management Events, determines if user account management audit events are generated.
ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
index b10a5106ba..9265129828 100644
--- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
@@ -1,6 +1,6 @@
---
title: Audit Other Logon/Logoff Events (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events.
+description: The Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, determines if Windows generates audit events for other logon or logoff events.
ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
index 3bfc786df1..54b132e114 100644
--- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
@@ -1,6 +1,6 @@
---
title: Audit Other Object Access Events (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects.
+description: The policy setting, Audit Other Object Access Events, determines if audit events are generated for the management of Task Scheduler jobs or COM+ objects.
ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
index e156529bf1..2ceacf7bd7 100644
--- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
@@ -1,6 +1,6 @@
---
title: Audit Other Policy Change Events (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category.
+description: The policy setting, Audit Other Policy Change Events, determines if audit events are generated for security policy changes that are not otherwise audited.
ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md
index 839166429b..314723a738 100644
--- a/windows/security/threat-protection/auditing/audit-other-system-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-system-events.md
@@ -1,6 +1,6 @@
---
title: Audit Other System Events (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events.
+description: The Advanced Security Audit policy setting, Audit Other System Events, determines if the operating system audits various system events.
ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md
index 6e2ce1aa93..2d1298584a 100644
--- a/windows/security/threat-protection/auditing/audit-pnp-activity.md
+++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md
@@ -1,6 +1,6 @@
---
title: Audit PNP Activity (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device.
+description: The advanced security audit policy setting, Audit PNP Activity, determines when plug and play detects an external device.
ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md
index 8532644095..2eb2aa20f8 100644
--- a/windows/security/threat-protection/auditing/audit-process-creation.md
+++ b/windows/security/threat-protection/auditing/audit-process-creation.md
@@ -1,6 +1,6 @@
---
title: Audit Process Creation (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts).
+description: The Advanced Security Audit policy setting, Audit Process Creation, determines if audit events are generated when a process is created (starts).
ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md
index 3943542ccf..7ba49fbd59 100644
--- a/windows/security/threat-protection/auditing/audit-process-termination.md
+++ b/windows/security/threat-protection/auditing/audit-process-termination.md
@@ -1,6 +1,6 @@
---
title: Audit Process Termination (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process.
+description: The Advanced Security Audit policy setting, Audit Process Termination, determines if audit events are generated when an attempt is made to end a process.
ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index fe4cd66839..4b0d88838f 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -1,6 +1,6 @@
---
title: Audit Registry (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects.
+description: The Advanced Security Audit policy setting, Audit Registry, determines if audit events are generated when users attempt to access registry objects.
ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md
index 96314fa0bd..82d5170b7c 100644
--- a/windows/security/threat-protection/auditing/audit-removable-storage.md
+++ b/windows/security/threat-protection/auditing/audit-removable-storage.md
@@ -1,6 +1,6 @@
---
title: Audit Removable Storage (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive.
+description: The Advanced Security Audit policy setting, Audit Removable Storage, determines when there is a read or a write to a removable drive.
ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md
index f35fb87e98..b35eacaf51 100644
--- a/windows/security/threat-protection/auditing/audit-rpc-events.md
+++ b/windows/security/threat-protection/auditing/audit-rpc-events.md
@@ -1,6 +1,6 @@
---
title: Audit RPC Events (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
+description: Audit RPC Events is an audit policy setting that determines if audit events are generated when inbound remote procedure call (RPC) connections are made.
ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md
index 10c0796852..6e60284ead 100644
--- a/windows/security/threat-protection/auditing/audit-sam.md
+++ b/windows/security/threat-protection/auditing/audit-sam.md
@@ -1,6 +1,6 @@
---
title: Audit SAM (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.
+description: The Advanced Security Audit policy setting, Audit SAM, enables you to audit events generated by attempts to access Security Account Manager (SAM) objects.
ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md
index 710f45b4ae..d75b85e522 100644
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@@ -1,6 +1,6 @@
---
title: Audit Security Group Management (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed.
+description: The policy setting, Audit Security Group Management, determines if audit events are generated when specific security group management tasks are performed.
ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md
index f002a9938a..c10e8072f7 100644
--- a/windows/security/threat-protection/auditing/audit-security-state-change.md
+++ b/windows/security/threat-protection/auditing/audit-security-state-change.md
@@ -1,6 +1,6 @@
---
title: Audit Security State Change (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
+description: The policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md
index 3d2beb88d0..50dcccadde 100644
--- a/windows/security/threat-protection/auditing/audit-security-system-extension.md
+++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md
@@ -1,6 +1,6 @@
---
title: Audit Security System Extension (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions.
+description: The Advanced Security Audit policy setting, Audit Security System Extension, determines if audit events related to security system extensions are generated.
ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
index ac5edaec4a..3bdb900b00 100644
--- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
@@ -1,6 +1,6 @@
---
title: Audit Sensitive Privilege Use (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used.
+description: The policy setting, Audit Sensitive Privilege Use, determines if the operating system generates audit events when sensitive privileges (user rights) are used.
ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md
index cae080c72b..ec7e84c990 100644
--- a/windows/security/threat-protection/auditing/audit-special-logon.md
+++ b/windows/security/threat-protection/auditing/audit-special-logon.md
@@ -1,6 +1,6 @@
---
title: Audit Special Logon (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances.
+description: The Advanced Security Audit policy setting, Audit Special Logon, determines if audit events are generated under special sign in (or logon) circumstances.
ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3
ms.reviewer:
manager: dansimp
@@ -37,9 +37,9 @@ This subcategory allows you to audit events generated by special logons such as
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature. At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature. At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature. At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature. At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature. At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature. At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md
index 606b78493e..89d27ff3cb 100644
--- a/windows/security/threat-protection/auditing/audit-system-integrity.md
+++ b/windows/security/threat-protection/auditing/audit-system-integrity.md
@@ -1,6 +1,6 @@
---
title: Audit System Integrity (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem.
+description: The policy setting, Audit System Integrity, determines if the operating system audits events that violate the integrity of the security subsystem.
ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md
index 25d5f2620c..5b2d45cc98 100644
--- a/windows/security/threat-protection/auditing/audit-user-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-user-account-management.md
@@ -1,6 +1,6 @@
---
title: Audit User Account Management (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed.
+description: Audit User Account Management is an audit policy setting that determines if the operating system generates audit events when certain tasks are performed.
ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
index 55da915b55..74c7755cb8 100644
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md
+++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md
@@ -1,6 +1,6 @@
---
title: Audit User/Device Claims (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims.
+description: Audit User/Device Claims is an audit policy setting which enables you to audit security events that are generated by user and device claims.
ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
index 438dd850c9..b6b09ddae8 100644
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md
@@ -1,6 +1,6 @@
---
title: Audit object access (Windows 10)
-description: Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
+description: The policy setting, Audit object access, determines whether to audit the event generated when a user accesses an object that has its own SACL specified.
ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
index 505106fe5e..4ab122d7f1 100644
--- a/windows/security/threat-protection/auditing/event-4716.md
+++ b/windows/security/threat-protection/auditing/event-4716.md
@@ -154,3 +154,69 @@ For 4716(S): Trusted domain information was modified.
- Any changes in Active Directory domain trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
+## Anonymous Logon account
+
+If the account reported in the event is **Anonymous Logon**, it means the password is changed by system automatic password reset. For example:
+
+```
+Log Name: Security
+Source: Microsoft-Windows-Security-Auditing
+Date:
-
- **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
-
-2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
-
- 
-
- **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup**
-
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
-
- 
-
- **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup**
-
-Now the device is Azure AD joined to the company’s subscription.
-
-**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
-
->[!IMPORTANT]
->Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account.
-
-1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.
-
- 
-
- **Figure 5. Connect to work or school configuration in Settings**
-
-2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
-
- 
-
- **Figure 6. Set up a work or school account**
-
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
-
- 
-
- **Figure 7. The “Let’s get you signed in” dialog box**
-
-Now the device is Azure AD joined to the company’s subscription.
-
-### Step 2: Pro edition activation
-
->[!IMPORTANT]
->If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
->If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
-
-
-
-Figure 7a - Windows 10 Pro activation in Settings
-
-Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).
-
-
-### Step 3: Sign in using Azure AD account
-
-Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
-
-
-
-**Figure 8. Sign in by using Azure AD account**
-
-### Step 4: Verify that Enterprise edition is enabled
-
-You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
-
-
-
-
-**Figure 9 - Windows 10 Enterprise subscription in Settings**
-
-
-If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
-
->[!NOTE]
->If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
->Name: Windows(R), Professional edition
->Description: Windows(R) Operating System, RETAIL channel
->Partial Product Key: 3V66T
-
-## Virtual Desktop Access (VDA)
-
-Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx).
-
-Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
-
-## Troubleshoot the user experience
-
-In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
-
-- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later.
-
-- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed.
-
-Use the following figures to help you troubleshoot when users experience these common problems:
-
-- [Figure 9](#win-10-activated-subscription-active) (above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
-
-- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active.
-
-- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
-
-- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed.
-
-
-
-
-Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings
-
-
-
-
-Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings
-
-
-
-
-Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings
-
-
-### Review requirements on devices
-
-Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
-
-**To determine if a device is Azure Active Directory joined:**
-
-1. Open a command prompt and type **dsregcmd /status**.
-
-2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
-
-**To determine the version of Windows 10:**
-
-- At a command prompt, type:
- **winver**
-
- A popup window will display the Windows 10 version number and detailed OS build information.
-
- If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
+---
+title: Deploy Windows 10 Enterprise licenses
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+ms.author: greglin
+description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10 Enterprise licenses
+
+This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
+
+>[!NOTE]
+>* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
+>* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
+>* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key.
+
+## Firmware-embedded activation key
+
+To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt
+
+```
+(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey
+```
+
+If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
+
+## Enabling Subscription Activation with an existing EA
+
+If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
+
+1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
+2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
+3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
+4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
+5. The admin can now assign subscription licenses to users.
+
+>Use the following process if you need to update contact information and retrigger activation in order to resend the activation email:
+
+1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+2. Click on **Subscriptions**.
+3. Click on **Online Services Agreement List**.
+4. Enter your agreement number, and then click **Search**.
+5. Click the **Service Name**.
+6. In the **Subscription Contact** section, click the name listed under **Last Name**.
+7. Update the contact information, then click **Update Contact Details**. This will trigger a new email.
+
+Also in this article:
+- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses.
+- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them.
+
+## Active Directory synchronization with Azure AD
+
+You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD.
+
+You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
+
+**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
+
+
+
+**Figure 1. On-premises AD DS integrated with Azure AD**
+
+For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
+
+- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/)
+- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
+
+>[!NOTE]
+>If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers.
+
+## Preparing for deployment: reviewing requirements
+
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
+
+## Assigning licenses to users
+
+Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service:
+
+
+
+The following methods are available to assign licenses:
+
+1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
+2. You can sign in to portal.office.com and manually assign licenses:
+
+ 
+
+3. You can assign licenses by uploading a spreadsheet.
+4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available.
+5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses.
+
+## Explore the upgrade experience
+
+Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices?
+
+### Step 1: Join Windows 10 Pro devices to Azure AD
+
+Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703.
+
+**To join a device to Azure AD the first time the device is started**
+
+1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.