diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index dad15934ad..fb6c3024d1 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -11,7 +11,10 @@ You've already completed this step.
## Editing topics
-We've tried to make editing an existing file as simple as possible.
+We've tried to make editing an existing, public file as simple as possible.
+
+>**Note**
+>At this time, only the English (en-us) content is available for editing.
**To edit a topic**
@@ -19,38 +22,42 @@ We've tried to make editing an existing file as simple as possible.

-2. Click the **Pencil** icon (in the red box) to edit the content.
+2. Log into (or sign up for) a GitHub account.
+
+ You must have a GitHub account to get to the page that lets you edit a topic.
+
+3. Click the **Pencil** icon (in the red box) to edit the content.

-3. Using markdown language, make your changes to the topic. For info about how to edit content using markdown, see:
+4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide)
- **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
-4. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
+5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.

-5. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account.
+6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account.

The **Comparing changes** screen appears to see what the changes are between your fork and the original content.
-6. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in.
+7. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in.
If there are no problems, you’ll see the message, **Able to merge**.

-7. Click **Create pull request**.
+8. Click **Create pull request**.
-8. Enter a title and description to give the approver the appropriate context about what’s in the request.
+9. Enter a title and description to give the approver the appropriate context about what’s in the request.
-9. Scroll to the bottom of the page, making sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people.
+10. Scroll to the bottom of the page, making sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people.
-10. Click **Create pull request**.
+11. Click **Create pull request** again to actually submit the pull request.
The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to one of the following places:
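Review bot: In the new step 2, "Log into (or sign up for) a GitHub account" should read "Log in to" ("log in" is the verb, "to" the preposition), and in step 4 "Using Markdown language" reads better as plain "Using Markdown". The renumbering itself is consistent through step 11, and the added "again" in step 11 usefully separates it from the identical button in step 8.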
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
index c430862513..f49ab30704 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
@@ -51,7 +51,7 @@ After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your
- **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script.
- - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.
**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like *http://share/test.ins*.
+ - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.
**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `http://share/test.ins`.
If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md).
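Review bot: The example URL in the **Important** text is still `http://share/test.ins`, an .ins file, although the sentence is about keeping proxy configuration (.pac) files on a web server. Since this line is being reformatted anyway, change the example to a .pac URL so it matches the guidance. The `-`/`+` pair for the **Automatic proxy URL** bullet appears to differ only in whitespace; confirm that is intended.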
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
index cf7ec51045..65baf63d4b 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
@@ -33,11 +33,12 @@ DHCP has a higher priority than DNS for automatic configuration. If DHCP provide
 **To set up automatic detection for DHCP servers**
- Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
-
**Examples:**
-http://www.microsoft.com/webproxy.pac
-http://marketing/config.ins
-http://123.4.567.8/account.pac
-For more detailed info about how to set up your DHCP server, see your server documentation.
+
+ **Examples:**
+ `http://www.microsoft.com/webproxy.pac`
+ `http://marketing/config.ins`
+ `http://123.4.567.8/account.pac`
+ For more detailed info about how to set up your DHCP server, see your server documentation.  **To set up automatic detection for DNS servers** diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md index bc7d4bb78f..c758d7acbf 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md @@ -20,7 +20,7 @@ Using a proxy server lets you limit access to the Internet. You can also use the 1. Check the **Enable proxy settings** box if you want to use proxy servers for any of your services. 2. Type the address of the proxy server you want to use for your services into the **Address of proxy** box. In most cases, a single proxy server is used for all of your services.
-Proxy locations that don’t begin with a protocol (like, http:// or ftp://) are assumed to be a CERN-type HTTP proxy. For example, the entry *proxy* is treated the same as the entry *http://proxy*.
+Proxy locations that don’t begin with a protocol (like, http:// or ftp://) are assumed to be a CERN-type HTTP proxy. For example, the entry *proxy* is treated the same as the entry `http://proxy`.
3. Type the port for each service. The default value is *80*.
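Review bot: The changed sentence now formats the two halves of one comparison differently: `http://proxy` is inline code while *proxy* stays italic. Put both entries in code formatting so the reader sees them as literal values typed into the **Address of proxy** box. The "(like, http:// or ftp://)" in the same line has a stray comma after "like" and bare schemes that could take code formatting too.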
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index de3aee64d1..a24d50ff5c 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -54,7 +54,7 @@ If you prefer to use a graphical user interface, you can create a device account

- From the list, uncheck **Skype for Business Online (plan 2)** (this license may vary depending on your organization), and click **SAVE**.
+ From the list, select **Skype for Business Online (Plan 2)**, and then click **SAVE**. The license may vary depending on your organization (for example, you might have Plan 2, or Plan 3).
### Create a mobile device mailbox (ActiveSync) policy from the Exchange Admin Center
@@ -133,8 +133,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
5. Finally, to connect to Exchange Online Services, run:
``` syntax
- $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri
- "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
+ $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
```

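Review bot: The joined `+` line drops the space between `-ConnectionUri` and the quoted URL (`-ConnectionUri"https://outlook.office365.com/powershell-liveid/"`), so the parameter name and its value run together; add the space back when merging the two lines. The last switch is written with an en dash (`–AllowRedirection`) while every other parameter uses a hyphen, which is worth normalizing in the same change so the command survives copy and paste.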
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index fe97b78978..7bea0bb722 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -30,7 +30,7 @@ Initiating a reset will return the device to the last cumulative Windows update,
- Local admins on the device
- Configurations from MDM or the Settings app
-**To reset a Surface Hub**
+**To reset a Surface Hub from Settings**
1. On your Surface Hub, open **Settings**.

@@ -43,8 +43,18 @@ Initiating a reset will return the device to the last cumulative Windows update,

+**To reset a Surface Hub from Windows Recovery Environment**
+On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. If this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from Windows Recovery Environment (Windows RE). To learn more about Windows RE, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx).
+
+To reset a Surface Hub from Windows RE:
+
+1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch.
+2. The device should automatically boot into Windows RE. Select **Advanced Repair**.
+3. Select **Reset**.
+4. If prompted, enter your device's BitLocker key.
+
**Important Note**
-Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
+Performing a device reset may take up to 2 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again.
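Review bot: Step 4 of the new Windows RE procedure ("If prompted, enter your device's BitLocker key") gives no pointer to where an admin finds that key, and the paragraph above says the device is already locked when this procedure is needed, so the steps should say where the key is stored or that it has to be recorded ahead of time. The section also has two headings for the same procedure (the bold line and "To reset a Surface Hub from Windows RE:"), and the reset time drops from 6 hours to 2 hours without explanation; please confirm the new figure applies to both reset methods, since the **Important Note** now follows only the Windows RE steps.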
@@ -53,4 +63,4 @@ After the reset, Surface Hub restarts the [first run program](first-run-program-
[Manage Microsoft Surface Hub](manage-surface-hub.md)
-[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
\ No newline at end of file
+[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
diff --git a/devices/surface-hub/images/setupdeviceaccto365-07.png b/devices/surface-hub/images/setupdeviceaccto365-07.png
index 4b4bebff94..ce0eb99af2 100644
Binary files a/devices/surface-hub/images/setupdeviceaccto365-07.png and b/devices/surface-hub/images/setupdeviceaccto365-07.png differ
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index b88d81df41..2e31b14786 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -1,5 +1,4 @@
-# [Windows 10 for education](index.md)
-## [Change history for Windows 10 for Education](change-history-edu.md)
+# [Windows 10 for Education](index.md)
## [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
## [Setup options for Windows 10](set-up-windows-10.md)
### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
@@ -10,11 +9,12 @@
### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
## [Take tests in Windows 10 ](take-tests-in-windows-10.md)
-### [Set up Take a Test on a single PC ](take-a-test-single-pc.md)
-### [Set up Take a Test on multiple PCs ](take-a-test-multiple-pcs.md)
-### [Take a Test app technical reference ](take-a-test-app-technical.md)
+### [Set up Take a Test on a single PC](take-a-test-single-pc.md)
+### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
+### [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md)
+### [Take a Test app technical reference](take-a-test-app-technical.md)
## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
## [Chromebook migration guide](chromebook-migration-guide.md)
-
+## [Change history for Windows 10 for Education](change-history-edu.md)
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index 0d1c19f506..f03105f10d 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -12,38 +12,39 @@ author: jdeckerMS
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+## September 2016
+
+| New or changed topic | Description|
+| --- | --- |
+| [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md) | New. Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. |
## RELEASE: Windows 10, version 1607
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
+The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
- [Set up Windows 10](set-up-windows-10.md)
- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
- [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
-
## July 2016
-
| New or changed topic | Description|
| --- | --- |
-| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New |
-|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New |
-
-
+| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New. Learn about the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions. |
+|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New. Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, AD DS, and Microsoft Azure AD, use SCCM, Intune, and Group Policy to manage devices. |
## June 2016
| New or changed topic | Description |
|----------------------|-------------|
-| [Get Minecraft Education Edition](get-minecraft-for-education.md) [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New |
+| [Get Minecraft Education Edition](get-minecraft-for-education.md) [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New. Learn how to get and distribute Minecraft: Education Edition. |
## May 2016
| New or changed topic | Description |
|----------------------|-------------|
-| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New |
-| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New |
-| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New |
+| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New. Learn how the Set up School PCs app works and how to use it. |
+| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New. Describes the changes that the Set up School PCs app makes to a PC. |
+| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New. Learn how to set up and use the Take a Test app. |
| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in November 2015 |
-| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 |
\ No newline at end of file
+| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 |
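Review bot: In the July 2016 table, the new description "the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions" has a number mismatch; "that's" should be "that are". The hunk also removes the blank lines between each heading and its table and puts `## RELEASE: Windows 10, version 1607` directly after the last row of the September table; keep a blank line after the table so the heading is not parsed as part of it by stricter Markdown renderers.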
diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md
new file mode 100644
index 0000000000..64a6208970
--- /dev/null
+++ b/education/windows/create-tests-using-microsoft-forms.md
@@ -0,0 +1,29 @@
+---
+title: Create tests using Microsoft Forms
+description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test.
+keywords: school, Take a Test, Microsoft Forms
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+author: CelesteDG
+---
+
+# Create tests using Microsoft Forms
+**Applies to:**
+
+- Windows 10
+
+
+For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms.
+
+To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test.
+
+Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment.
+
+[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959)
+
+
+## Related topics
+
+[Take tests in Windows 10](take-tests-in-windows-10.md)
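Review bot: The second paragraph says teachers "can select a check box to make it a secure test" but never names the check box or says where in Microsoft Forms it appears, so the only actionable instruction is behind the external support link. Name the setting here, and keep the voice consistent: the paragraph starts with "teachers can" and switches to "you can use to embed into your OneNote" in the next sentence. The third paragraph would also benefit from saying what a student sees when the check fails, since "not permitted access" is the behaviour teachers will be asked about.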
diff --git a/education/windows/index.md b/education/windows/index.md
index 6e20c83aae..f8d54749bf 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -9,9 +9,11 @@ author: jdeckerMS
---
# Windows 10 for Education
-[Windows 10 Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers and students to do great things.
+[Windows 10 Education and Windows 10 Pro Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers and students to do great things.
-[Find out how to get Windows 10 Education for your school.](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
+[Find out how to get Windows 10 Education or Windows 10 Pro Education for your school](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
+
+[Learn more about what features and functionality are supported in each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
## In this section
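Review bot: With the link text changed to "Windows 10 Education and Windows 10 Pro Education", the subject is now plural but the verb is still "empowers"; change it to "empower". The two new link lines drop the closing period that the old "Find out how to get" line had, which is fine as long as it is applied to all three links consistently.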
@@ -28,5 +30,5 @@ author: jdeckerMS
## Related topics
-- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)
- [Try it out: virtual labs and how-to videos for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356)
+- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index 6bf51bf7b2..40850cf578 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -9,7 +9,7 @@ ms.pagetype: edu
author: jdeckerMS
---
-# Take tests in Windows 10
+# Take tests in Windows 10
**Applies to:**
- Windows 10
@@ -42,7 +42,6 @@ Many schools use online testing for formative and summative assessments. It's cr
## Related topics
+[Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md)
+
[Take a Test app technical reference](take-a-test-app-technical.md)
-
-
-
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index 539c4da7fb..ed22802caa 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
-localizationpriority: high
---
# Windows 10 editions for education customers
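Review bot: This hunk removes `localizationpriority: high` from the front matter, while the rest of the patch adds the same key to the windows/deploy topics. If the removal is deliberate for education content, say so in the commit description; otherwise it looks like an accidental revert.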
diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md
index 2ccfe946be..a3dce6ef96 100644
--- a/windows/deploy/activate-using-active-directory-based-activation-client.md
+++ b/windows/deploy/activate-using-active-directory-based-activation-client.md
@@ -24,8 +24,8 @@ localizationpriority: high
**Looking for retail activation?**
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
-Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 R2 or Windows Server 2012, but after the schema is updated, older domain controllers can still activate clients.
-Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
+Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 or Windows Server 2012 R2, but after the schema is updated, older domain controllers can still activate clients.
+Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console in Windows Server 2012 R2 or the VAMT in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
The process proceeds as follows:
1. Perform one of the following tasks:
@@ -38,7 +38,7 @@ The process proceeds as follows:
**Figure 10**. The Active Directory-based activation flow
-For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
+For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.
Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180day period. By default, this reactivation event occurs every seven days.
When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.
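Review bot: The fix to the duplicated "Windows Server 2012 R2, or Windows Server 2012 R2" is correct, but the context line two below it still reads "at the end of the 180day period"; add the missing space or hyphen ("180-day") in the same change, since the paragraph is already being edited for accuracy.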
diff --git a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 5a3eadbc33..8fb81af58a 100644
--- a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -5,6 +5,7 @@ ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b
keywords: image, deploy, distribute
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index de701986b4..878c230d72 100644
--- a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -4,6 +4,7 @@ description: In this topic, you will learn how to configure the Windows Preinsta
ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
keywords: deploy, task sequence
ms.prod: w10
+localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
@@ -35,13 +36,12 @@ This section will show you how to import some network and storage drivers for Wi
5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice.
-
+
-Figure 21. Add drivers to Windows PE.
-
-**Note**
-The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
+*Figure 21. Add drivers to Windows PE*
+>[!NOTE]
+>The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
## Add drivers for Windows 10
@@ -55,31 +55,28 @@ This section illustrates how to add drivers for Windows 10 through an example in
3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**.
- 
+ 
- Figure 22. Create driver categories.
+ *Figure 22. Create driver categories*
4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
- 1. Name: Windows 10 x64 - HP EliteBook 8560w
+ * Name: Windows 10 x64 - HP EliteBook 8560w
- 2. Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w
-
- **Note**
- The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
+ * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w
+ >[!NOTE]
+ >The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
-**Note**
-If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
-
-
-
-
-
-Figure 23. Drivers imported and a new driver package created.
+ >[!NOTE]
+ >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
+
+ 
+
+ *Figure 23. Drivers imported and a new driver package created*
## Related topics
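Review bot: The **Path** bullet still carries the UNC path as backslash-escaped text (`\\\\CM01\\Sources$\\OSD\\DriverPackages\\...`) rather than inline code, unlike the URLs this patch moves into code formatting elsewhere. Wrap it in backticks with single backslashes so it renders and copies as the literal path the wizard expects. Also confirm the `>[!NOTE]` blocks nested under the bullet and under step 5 are indented to match their list item, otherwise they will break out of the numbered list.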
diff --git a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md
index 1319888616..a6e7d69377 100644
--- a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md
+++ b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md
@@ -5,6 +5,7 @@ ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7
keywords: settings, database, deploy
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md
index f015c71c1f..010284c04f 100644
--- a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md
@@ -5,6 +5,7 @@ ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c
keywords: replication, replicate, deploy, configure, remote
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@@ -76,6 +77,7 @@ Setting up DFS-R for replication is a quick and straightforward process. You pre

Figure 3. Sharing the **E:\\MDTProduction folder** on MDT02.
+
### Configure the deployment share
When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property.
@@ -146,6 +148,7 @@ Once the MDT01 and MDT02 servers are prepared, you are ready to configure the ac
1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**.
In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Here is a Windows PowerShell example that calculates the size of the 16 largest files in the E:\\MDTProduction deployment share:
+
``` syntax
(Get-ChildItem E:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
```
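Review bot: the example ends in `/1GB`, while the two steps just above it enter the quotas in MB (20480 MB and 8192 MB), so the reader has to convert before comparing the result with the staging quota. Since the block is being touched anyway, consider `/1MB` so the output can be checked against the quota field directly, and `-File` on `Get-ChildItem` so only files enter the sort.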
diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md
index c1f827f3a7..9591616e9d 100644
--- a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md
@@ -4,6 +4,7 @@ description: This topic describes how to configure a PXE server to load Windows
keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
diff --git a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md
index a94bee6b7b..c95b0fc69e 100644
--- a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md
+++ b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md
@@ -5,6 +5,7 @@ ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7
keywords: rules, script
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deploy/configure-mdt-2013-settings.md b/windows/deploy/configure-mdt-2013-settings.md
index ba84efd5c1..46c1e30220 100644
--- a/windows/deploy/configure-mdt-2013-settings.md
+++ b/windows/deploy/configure-mdt-2013-settings.md
@@ -5,6 +5,7 @@ ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
keywords: customize, customization, deploy, features, tools
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deploy/configure-mdt-deployment-share-rules.md b/windows/deploy/configure-mdt-deployment-share-rules.md
index 5eeadbbfd6..97a448f5da 100644
--- a/windows/deploy/configure-mdt-deployment-share-rules.md
+++ b/windows/deploy/configure-mdt-deployment-share-rules.md
@@ -5,6 +5,7 @@ ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b
keywords: rules, configuration, automate, deploy
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index a5cbfb7886..3d55bb7385 100644
--- a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -5,6 +5,7 @@ ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
keywords: tool, customize, deploy, boot image
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 0838ebde59..f259ac4131 100644
--- a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -5,6 +5,7 @@ ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
keywords: deploy, upgrade, task sequence, install
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.pagetype: mdt
ms.sitesec: library
author: mtniehaus
@@ -24,7 +25,7 @@ For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is
## Create a task sequence using the MDT Integration Wizard
-This section will walk you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
+This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
@@ -32,27 +33,27 @@ This section will walk you through the process of creating a System Center 2012
3. On the **General** page, assign the following settings and then click **Next**:
- 1. Task sequence name: Windows 10 Enterprise x64 RTM
+ * Task sequence name: Windows 10 Enterprise x64 RTM
- 2. Task sequence comments: Production image with Office 2013
+ * Task sequence comments: Production image with Office 2013
4. On the **Details** page, assign the following settings and then click **Next**:
- 1. Join a Domain
+ * Join a Domain
- 2. Domain: contoso.com
+ * Domain: contoso.com
- 1. Account: CONTOSO\\CM\_JD
+ * Account: CONTOSO\\CM\_JD
- 2. Password: Passw0rd!
+ * Password: Passw0rd!
- 3. Windows Settings
+ * Windows Settings
- 1. User name: Contoso
+ * User name: Contoso
- 2. Organization name: Contoso
+ * Organization name: Contoso
- 3. Product key: <blank>
+ * Product key: <blank>
5. On the **Capture Settings** page, accept the default settings, and click **Next**.
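Review bot: `Password: Passw0rd!` in the Details page settings is carried into the new bullet list as a literal value for the CONTOSO\CM_JD join account. While the list is being rewritten, consider replacing it with a placeholder such as `Password: <password for CM_JD>`, so the walkthrough does not give readers a credential to copy into a real domain.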
@@ -87,12 +88,10 @@ After you create the task sequence, we recommend that you configure the task seq
2. In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following:
- - OSDPreserveDriveLetter: True
-
- **Note**
- If you don't change this value, your Windows installation will end up in E:\\Windows.
-
-
+ * OSDPreserveDriveLetter: True
+
+ >[!NOTE]
+ >If you don't change this value, your Windows installation will end up in E:\\Windows.
3. In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values).
@@ -102,57 +101,55 @@ After you create the task sequence, we recommend that you configure the task seq
6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
- 1. Name: HP EliteBook 8560w
+ * Name: HP EliteBook 8560w
- 2. Driver Package: Windows 10 x64 - HP EliteBook 8560w
+ * Driver Package: Windows 10 x64 - HP EliteBook 8560w
- 3. Options: Task Sequence Variable: Model equals HP EliteBook 8560w
-
- **Note**
- You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
-
-
-
- 
-
- Figure 24. The driver package options.
+ * Options: Task Sequence Variable: Model equals HP EliteBook 8560w
+
+ >[!NOTE]
+ >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
+
+ 
+
+ *Figure 24. The driver package options*
7. In the **State Restore / Install Applications** group, select the **Install Application** action.
8. Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list.
- 
+ 
- Figure 25. Add an application to the Configuration Manager task sequence.
+ *Figure 25. Add an application to the Configuration Manager task sequence*
9. In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings:
- 1. Restore state from another computer
+ * Restore state from another computer
- 2. If computer account fails to connect to state store, use the Network Access account
+ * If computer account fails to connect to state store, use the Network Access account
- 3. Options: Continue on error
+ * Options: Continue on error
- 4. Options / Condition:
-
- 1. Task Sequence Variable
-
- 2. USMTLOCAL not equals True
+ * Options / Condition:
+
+ * Task Sequence Variable
+
+ * USMTLOCAL not equals True
10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings:
- 1. Options: Continue on error
+ * Options: Continue on error
- 2. Options / Condition:
-
- 1. Task Sequence Variable
-
- 2. USMTLOCAL not equals True
+ * Options / Condition:
+
+ * Task Sequence Variable
+
+ * USMTLOCAL not equals True
11. Click **OK**.
-**Note**
-The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
+>[!NOTE]
+>The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
diff --git a/windows/deploy/create-a-windows-10-reference-image.md b/windows/deploy/create-a-windows-10-reference-image.md
index 1f91fff47c..4954dd3dcd 100644
--- a/windows/deploy/create-a-windows-10-reference-image.md
+++ b/windows/deploy/create-a-windows-10-reference-image.md
@@ -5,6 +5,7 @@ ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa
keywords: deploy, deployment, configure, customize, install, installation
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@@ -164,6 +165,7 @@ You also can customize the Office installation using a Config.xml file. But we r
If you need to add many applications, you can take advantage of the PowerShell support that MDT has. To start using PowerShell against the deployment share, you must first load the MDT PowerShell snap-in and then make the deployment share a PowerShell drive (PSDrive).
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt:
+
``` syntax
Import-Topic "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "E:\MDTBuildLab"
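Review bot: `Import-Topic` on the first line of this code block is not a PowerShell cmdlet, so the MDT provider is never loaded and the `New-PSDrive -PSProvider MDTProvider` line that follows cannot succeed; a `.psd1` manifest is loaded with `Import-Module`. The line is unchanged context here, but since this hunk already touches the block, correct it in the same change to `Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"`.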
@@ -173,7 +175,9 @@ If you need to add many applications, you can take advantage of the PowerShell s
In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x86.
1. On MDT01, log on as **CONTOSO\\Administrator**.
+
2. Create the application by running the following commands in an elevated PowerShell prompt:
+
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x86"
$CommandLine = "vcredist_x86.exe /Q"
@@ -187,6 +191,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x64.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
+
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q"
@@ -200,6 +205,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x86.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
+
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x86"
$CommandLine = "vcredist_x86.exe /Q"
@@ -213,6 +219,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x64.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
+
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q"
@@ -226,6 +233,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x86.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
+
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x86"
$CommandLine = "vcredist_x86.exe /Q"
@@ -239,6 +247,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x64.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
+
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q"
@@ -252,6 +261,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux86.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
+
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x86"
$CommandLine = "vcredist_x86.exe /Q"
@@ -265,6 +275,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Upda
In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux64.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
+
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x64"
$CommandLine = "vcredist_x64.exe /Q"
diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 5dbd28f0c8..4e7b504b13 100644
--- a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -4,7 +4,9 @@ description: Microsoft System Center 2012 R2 Configuration Manager supports depl
ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
keywords: deployment, task sequence, custom, customize
ms.prod: w10
+localizationpriority: high
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
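Review bot: `localizationpriority: high` is added twice in this front matter, once after `ms.prod: w10` and again after `ms.mktglfcycl: deploy`. A repeated key in a YAML block is at best redundant and may be rejected by a strict parser; keep a single line, as the other topics in this patch do.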
@@ -20,15 +22,13 @@ Microsoft System Center 2012 R2 Configuration Manager supports deploying applica
For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-**Note**
-Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
-
-
+>[!NOTE]
+>Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
## Example: Create the Adobe Reader XI application
-The steps below show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
+The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
1. On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder.
@@ -40,17 +40,17 @@ The steps below show you how to create the Adobe Reader XI application. This sec
5. In the Create Application Wizard, on the **General** page, use the following settings:
- 1. Automatically detect information about this application from installation files
+ * Automatically detect information about this application from installation files
- 2. Type: Windows Installer (\*.msi file)
+ * Type: Windows Installer (\*.msi file)
- 3. Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
+ * Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
- 4. \\AdbeRdr11000\_en\_US.msi
+ * \\AdbeRdr11000\_en\_US.msi
- 
+ 
- Figure 19. The Create Application Wizard.
+ *Figure 19. The Create Application Wizard*
6. Click **Next**, and wait while Configuration Manager parses the MSI file.
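Review bot: the bullet `\\AdbeRdr11000\_en\_US.msi` reads as the file name that completes the Location path rather than as a fourth setting, and converting it from a numbered item to its own bullet keeps that split. Fold it into the Location bullet so the full UNC path to the MSI appears as one value.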
@@ -58,14 +58,12 @@ The steps below show you how to create the Adobe Reader XI application. This sec
8. On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**.
- **Note**
- Since it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
-
-
-
- 
-
- Figure 20. Add the "OSD Install" suffix to the application name.
+ >[!NOTE]
+ >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
+
+ 
+
+ *Figure 20. Add the "OSD Install" suffix to the application name*
9. In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar.
diff --git a/windows/deploy/deploy-a-windows-10-image-using-mdt.md b/windows/deploy/deploy-a-windows-10-image-using-mdt.md
index 62ff5ee44b..05f3667cb6 100644
--- a/windows/deploy/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deploy/deploy-a-windows-10-image-using-mdt.md
@@ -5,6 +5,7 @@ ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c
keywords: deployment, automate, tools, configure
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@@ -304,6 +305,7 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
2. CustomSettings.ini
2. Right-click the **MDT Production** deployment share and select **Properties**.
3. Select the **Rules** tab and modify using the following information:
+
``` syntax
[Settings]
Priority=Default
@@ -340,6 +342,7 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
SkipFinalSummary=NO
```
4. Click **Edit Bootstrap.ini** and modify using the following information:
+
``` syntax
[Settings]
Priority=Default
diff --git a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md
index 2bc874cf8b..1a6a52fffb 100644
--- a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -5,6 +5,7 @@ ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
keywords: deployment, image, UEFI, task sequence
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
index b9624a46b9..37ca1c3630 100644
--- a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
+++ b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
@@ -4,6 +4,7 @@ description: If you have Microsoft System Center 2012 R2 Configuration Manager
ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
keywords: deployment, custom, boot
ms.prod: w10
+localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
index 3fc7913c52..4963952ab4 100644
--- a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -5,7 +5,9 @@ ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb
keywords: deploy, tools, configure, script
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
+localizationpriority: high
author: mtniehaus
ms.pagetype: mdt
---
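Review bot: this front matter also receives `localizationpriority: high` twice, immediately before and immediately after `ms.sitesec: library`. Drop the second addition so the key appears once.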
diff --git a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 2ed9de7378..635e1c0291 100644
--- a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -4,6 +4,7 @@ description: This topic walks you through the steps to finalize the configuratio
ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
keywords: configure, deploy, upgrade
ms.prod: w10
+localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
@@ -27,19 +28,19 @@ This section will walk you through the process of creating the E:\\MDTProduction
1. On CM01, using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
- 1. Deployment share path: E:\\MDTProduction
+ * Deployment share path: E:\\MDTProduction
- 2. Share name: MDTProduction$
+ * Share name: MDTProduction$
- 3. Deployment share description: MDT Production
+ * Deployment share description: MDT Production
- 4. Options: <default settings>
+ * Options: <default settings>
2. Right-click the **MDT Production** deployment share, and select **Properties**. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
-
+ 
-Figure 26. Enabling MDT monitoring for Configuration Manager.
+ *Figure 26. Enable MDT monitoring for Configuration Manager*
## Create and share the Logs folder
@@ -81,14 +82,14 @@ This section will show you how to configure the rules (the Windows 10 x64 Settin
ApplyGPOPack=NO
```
- 
+ 
- Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment
+ *Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment*
3. Update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**.
-**Note**
-Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes.
+ >[!NOTE]
+ >Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes.
@@ -114,13 +115,13 @@ This sections provides steps to help you create a deployment for the task sequen
3. On the **Deployment Settings** page, use the following settings and then click **Next**:
- 1. Purpose: Available
+ * Purpose: Available
- 2. Make available to the following: Only media and PXE
+ * Make available to the following: Only media and PXE
- 
-
- Figure 28. Configure the deployment settings.
+ 
+
+ *Figure 28. Configure the deployment settings*
4. On the **Scheduling** page, accept the default settings and click **Next**.
@@ -130,9 +131,9 @@ This sections provides steps to help you create a deployment for the task sequen
7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
-
+ 
-Figure 29. The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE.
+ *Figure 29. The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE*
## Configure Configuration Manager to prompt for the computer name during deployment (optional)
@@ -145,20 +146,18 @@ This section provides steps to help you configure the All Unknown Computers coll
2. In the **Collection Variables** tab, create a new variable with the following settings:
- 1. Name: OSDComputerName
+ * Name: OSDComputerName
- 2. Clear the **Do not display this value in the Configuration Manager console** check box.
+ * Clear the **Do not display this value in the Configuration Manager console** check box.
3. Click **OK**.
-**Note**
-Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
-
-
-
-
-
-Figure 30. Configure a collection variable.
+ >[!NOTE]
+ >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
+
+ 
+
+ *Figure 30. Configure a collection variable*
## Related topics
diff --git a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md
index 4ef176092a..33998a9cbe 100644
--- a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md
@@ -5,6 +5,7 @@ ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
keywords: deploy, image, feature, install, tools
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deploy/images/convert.png b/windows/deploy/images/convert.png
new file mode 100644
index 0000000000..224e763bc0
Binary files /dev/null and b/windows/deploy/images/convert.png differ
diff --git a/windows/deploy/images/download_vhd.png b/windows/deploy/images/download_vhd.png
new file mode 100644
index 0000000000..248a512040
Binary files /dev/null and b/windows/deploy/images/download_vhd.png differ
diff --git a/windows/deploy/images/installing-drivers.png b/windows/deploy/images/installing-drivers.png
new file mode 100644
index 0000000000..22d7808fad
Binary files /dev/null and b/windows/deploy/images/installing-drivers.png differ
diff --git a/windows/deploy/images/svr_mgr2.png b/windows/deploy/images/svr_mgr2.png
new file mode 100644
index 0000000000..dd2e6737c6
Binary files /dev/null and b/windows/deploy/images/svr_mgr2.png differ
diff --git a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md
index 4a30f0f74c..149ba5e250 100644
--- a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md
+++ b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md
@@ -5,6 +5,7 @@ ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
ms.pagetype: mdt
keywords: deploy, image, customize, task sequence
ms.prod: w10
+localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
@@ -28,6 +29,7 @@ When MDT is integrated with Configuration Manager, the task sequence takes addit
The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
+
``` syntax
[Settings]
Priority=Model
@@ -35,6 +37,7 @@ The task sequence uses instructions that allow you to reduce the number of task
Packages001=PS100010:Install HP Hotkeys
```
- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
+
``` syntax
[Settings]
Priority= ByLaptopType, ByDesktopType
diff --git a/windows/deploy/key-features-in-mdt-2013.md b/windows/deploy/key-features-in-mdt-2013.md
index 608ad3a059..0264a106c0 100644
--- a/windows/deploy/key-features-in-mdt-2013.md
+++ b/windows/deploy/key-features-in-mdt-2013.md
@@ -5,6 +5,7 @@ ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868
keywords: deploy, feature, tools, upgrade, migrate, provisioning
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deploy/mdt-2013-lite-touch-components.md b/windows/deploy/mdt-2013-lite-touch-components.md
index d51d5bece9..2234092338 100644
--- a/windows/deploy/mdt-2013-lite-touch-components.md
+++ b/windows/deploy/mdt-2013-lite-touch-components.md
@@ -5,6 +5,7 @@ ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
keywords: deploy, install, deployment, boot, log, monitor
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
index 12aae5a28c..a2caee8ea8 100644
--- a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
@@ -5,6 +5,7 @@ ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
keywords: deploy, upgrade
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
@@ -24,32 +25,28 @@ To monitor an operating system deployment conducted through System Center 2012 R
1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh).
- **Note**
- It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
+ >[!NOTE]
+ >It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
-
-
- 
-
- Figure 33. PC0001 being deployed by Configuration Manager.
+ 
+
+ *Figure 33. PC0001 being deployed by Configuration Manager*
2. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option.
3. The task sequence will now run and do the following:
- 1. Install the Windows 10 operating system.
+ * Install the Windows 10 operating system.
- 2. Install the Configuration Manager client and the client hotfix.
+ * Install the Configuration Manager client and the client hotfix.
- 3. Join the machine to the domain.
-
- 4. Install the application added to the task sequence.
-
- **Note**
- You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
-
-
+ * Join the machine to the domain.
+ * Install the application added to the task sequence.
+
+ >[!NOTE]
+ >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
+
4. If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed.
## Related topics
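Review bot: In step 3 the sub-steps change from a numbered list to `*` bullets, but the lead-in ("The task sequence will now run and do the following:") reads as an ordered sequence: install the operating system, install the client and hotfix, join the domain, install the application. Keep the numbering, or state in the lead-in that the items run in the order listed. Separately, the new italic caption drops the trailing period that the old "Figure 33." caption had; whichever form is intended should be applied the same way across the topics touched in this patch.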
diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
index 69e87bd76e..637b6aaaca 100644
--- a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
+++ b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
@@ -5,6 +5,7 @@ ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
keywords: deploy, system requirements
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index d389eb884d..499573e6a0 100644
--- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -4,7 +4,9 @@ description: This topic will walk you through the process of integrating Microso
ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
keywords: install, configure, deploy, deployment
ms.prod: w10
+localizationpriority: high
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
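Review bot: This hunk adds `localizationpriority: high` twice to the same front matter, once above and once below `ms.mktglfcycl: deploy`. The other topics in this patch add it once, after `ms.mktglfcycl`. Drop the first added line so the metadata block has no duplicate key; depending on the parser, a repeated key is either an error or silently resolved to one of the two values.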
diff --git a/windows/deploy/provision-pcs-with-apps-and-certificates.md b/windows/deploy/provision-pcs-with-apps-and-certificates.md
index 783c3697b6..2a918f8202 100644
--- a/windows/deploy/provision-pcs-with-apps-and-certificates.md
+++ b/windows/deploy/provision-pcs-with-apps-and-certificates.md
@@ -76,9 +76,17 @@ Universal apps that you can distribute in the provisioning package can be line-o

-5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page.
+5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
- 
+ - In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
+
+ 
+
+ - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
+
+6. In the **Available customizations** pane, click the **LicenseProductId** that you just added.
+
+7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed *
+ - Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
-- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/en-us/library/dn194123.aspx).
+- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
- For **read and write** access, assign users to the security administrator role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
@@ -52,4 +52,4 @@ Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "s
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”
```
-For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/en-us/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
+For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
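Review bot: The context line with the Security Reader command wraps the address in typographic quotes (“reader@Contoso.onmicrosoft.com”), while the Security Administrator command in the same block uses straight quotes. Since this hunk already touches the lines around the block and the commands are meant to be copied, normalize the quotes to straight `"` in the same change. The link text "For more information see, [...]" also has the comma on the wrong side of "see" in both the old and the new line.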
diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md
index 1884657372..3ce58f23ac 100644
--- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md
@@ -141,21 +141,29 @@ To enroll a certificate from an existing certification authority (CA), do the fo
2. Select **Yes, export the private key**.
3. Complete the wizard to create the .pfx file.
-To create a self-signed certificate, do the following:
+To create a self-signed certificate, you can either use the New-SelfSignedCertificate cmdlet in Windows PowerShell or use Certreq.
-1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf
+Windows PowerShell example:
+
+```syntax
+New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
+```
+
+Certreq example:
+
+1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf.
2. Add the following contents to the previously created file:
``` syntax
[NewRequest]
Subject="CN=BitLocker Network Unlock certificate"
ProviderType=0
+ MachineKeySet=True
Exportable=true
RequestType=Cert
KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
- KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG"
+ KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG | NCRYPT_ALLOW_SIGNING_FLAG"
KeyLength=2048
- Keyspec="AT_KEYEXCHANGE"
SMIME=FALSE
HashAlgorithm=sha512
[Extensions]
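Review bot: The two examples added or changed here no longer describe the same key. The PowerShell command uses `-KeyUsageProperty Decrypt`, while the certreq .inf now sets `KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG | NCRYPT_ALLOW_SIGNING_FLAG"`. Either align them or add a sentence saying why the certreq path needs the signing flag and the PowerShell path does not; for a key whose stated usage is `CERT_KEY_ENCIPHERMENT_KEY_USAGE`, readers will want the narrower setting unless there is a documented reason. Two smaller points: the new fence is written as "```syntax" while the existing one in the same topic is "``` syntax", and in step 1 the sentence period now sits directly after the file name, so "notepad.exe BitLocker-NetworkUnlock.inf" should be in code formatting so the period is not read as part of the command.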
@@ -171,16 +179,16 @@ To create a self-signed certificate, do the following:
certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
```
-4. Verify the previous command properly created the certificate by confirming the .cer file exists
-5. Launch the Certificate Manager by running **certmgr.msc**
-6. Create a .pfx file by opening the **Certificates – Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
+4. Verify the previous command properly created the certificate by confirming the .cer file exists.
+5. Launch Certificates - Local Machine by running **certlm.msc**.
+6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
### Step Five: Deploy the private key and certificate to the WDS server
With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following:
1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options.
-2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import**
+2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import**.
3. In the **File to Import** dialog, choose the .pfx file created previously.
4. Enter the password used to create the .pfx and complete the wizard.
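Review bot: Steps 5 and 6 name the same console two different ways: "Certificates - Local Machine" (hyphen) in step 5 and "Certificates – Local Computer" (en dash) in step 6. Use the label the snap-in actually shows in both places. Step 6 also still says "the previously imported certificate", although the certreq step above creates the certificate rather than importing one. Finally, steps 4 to 6 only cover the certreq output; a reader who followed the new PowerShell example has no .cer file to verify in step 4, so either say that steps 5 and 6 apply to both methods or add the export of the .cer and .pfx for the PowerShell path, because Step Five and the Group Policy deployment both depend on those files.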
@@ -190,21 +198,21 @@ With certificate and key deployed to the WDS server for Network Unlock, the fina
The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock.
-1. Open Group Policy Management Console (gpmc.msc)
-2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option
-3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
+1. Open Group Policy Management Console (gpmc.msc).
+2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
+3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
The following steps describe how to deploy the required Group Policy setting:
>**Note:** The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
-1. Copy the .cer file created for Network Unlock to the domain controller
-2. On the domain controller, launch Group Policy Management Console (gpmc.msc)
+1. Copy the .cer file created for Network Unlock to the domain controller.
+2. On the domain controller, launch Group Policy Management Console (gpmc.msc).
3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting.
-4. Deploy the public certificate to clients
+4. Deploy the public certificate to clients:
- 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**
- 2. Right-click the folder and choose **Add Network Unlock Certificate**
+ 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**.
+ 2. Right-click the folder and choose **Add Network Unlock Certificate**.
3. Follow the wizard steps and import the .cer file that was copied earlier.
>**Note:** Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
@@ -213,16 +221,16 @@ The following steps describe how to deploy the required Group Policy setting:
An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following:
-1. Open Group Policy Management Console (gpmc.msc)
-2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option
-3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
+1. Open Group Policy Management Console (gpmc.msc).
+2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
+3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
### Create the certificate template for Network Unlock
The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates.
1. Open the Certificates Template snap-in (certtmpl.msc).
-2. Locate the User template. Right-click the template name and select **Duplicate Template**
+2. Locate the User template. Right-click the template name and select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
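Review bot: Since this hunk is a punctuation pass over the template steps, fix step 3 as well: "Windows 8respectively" is missing the space and a comma ("Windows Server 2012 and Windows 8, respectively"). Also note that the three TPM+PIN steps at the top of this hunk are word for word the same as the list in the previous hunk under "The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock"; if the earlier list is meant to describe a different setting, this is the change in which to correct it.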
@@ -238,9 +246,9 @@ The following steps detail how to create a certificate template for use with Bit
- **Name:** **BitLocker Network Unlock**
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
-14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**
+14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
-16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission
+16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
17. Select **OK** to complete configuration of the template.
To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
@@ -320,8 +328,8 @@ Files to gather when troubleshooting BitLocker Network Unlock include:
In the right pane, click **Enable Log**.
2. The DHCP subnet configuration file (if one exists).
-3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell
-4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address
+3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell.
+4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address.
## Configure Network Unlock Group Policy settings on earlier versions
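Review bot: Item 3 gets a closing period but keeps the comma splice ("The output of the BitLocker status on the volume, this can be gathered into a text file using ..."). Split it into two sentences or use a semicolon, for example "The output of the BitLocker status on the volume. This can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell."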
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index 4394da8ab8..5de6b76a7a 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -12,6 +12,13 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## September 2016
+
+| New or changed topic | Description |
+| --- | --- |
+| [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs |
+| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate |
+
## August 2016
|New or changed topic | Description |
|----------------------|-------------|
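Review bot: The new BitLocker row has two typos in the description: "ezxample" should be "example" and "certficate" should be "certificate". The new table also uses `| --- | --- |` as its separator row while the August 2016 table directly below uses the long dashed form; harmless when rendered, but worth keeping consistent within one file.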
diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
index 51c6a67f78..65dcdf6805 100644
--- a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ localizationpriority: high
- Azure Active Directory
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
index cb5fb08c28..614004d2dc 100644
--- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 0dc00ad4ef..731d00b2c5 100644
--- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ localizationpriority: high
- Group Policy
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -34,7 +34,7 @@ localizationpriority: high
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
-3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
@@ -61,7 +61,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
-2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
+2. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
3. In the **Group Policy Management Editor**, go to **Computer configuration**.
@@ -88,7 +88,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
-3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 04ba717eb7..3b4fddffaf 100644
--- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -16,18 +16,18 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
-For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
+For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
## Configure endpoints using Microsoft Intune
-For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
+For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
### Onboard and monitor endpoints
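Review bot: The sentence "For more information on using Windows Defender ATP CSP see, ..." appears twice in this hunk, once above and once below the "Configure endpoints using Microsoft Intune" heading, and both copies are updated with the same URL change. Remove one of them rather than maintaining two identical paragraphs. In the copy that stays, the comma belongs before "see", not after it.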
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index c7493e5656..8faa5dafdb 100644
--- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -45,9 +45,9 @@ You can use System Center Configuration Manager’s existing functionality to cr
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
-3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
+3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic.
-4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
+4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
@@ -72,7 +72,7 @@ Possible values are:
The default value in case the registry key doesn’t exist is 1.
-For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx).
+For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
### Offboard endpoints
@@ -90,9 +90,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
-3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
+3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic.
-4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
+4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
@@ -128,7 +128,7 @@ Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
Name: “OnboardingState”
Value: “1”
```
-For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx).
+For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index bc8fe33b4f..a2643013c6 100644
--- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
index fd3f14562f..18864595b3 100644
--- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 18dff61270..5aaa60e929 100644
--- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -17,7 +17,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
index 75a1c0f0a0..f8f22a049a 100644
--- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
index 8033431e7e..60e1c00469 100644
--- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
index 4f1cf1dfd9..06392494c0 100644
--- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
@@ -77,7 +77,7 @@ It's possible that you might revoke data from an unenrolled device only to later
1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
- `Robocopy “%localappdata%\Microsoft\WIP\Recovery” <“new_location”> /EFSRAW`
+ `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW`
Where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
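Review bot: The changed Robocopy line keeps typographic quotes around the path (“%localappdata%\Microsoft\EDP\Recovery”) and inside the placeholder (<“new_location”>). The step tells the employee to type this at a command prompt, where typographic quotes are not quoting characters, so a pasted command will not treat the path as a single quoted argument. Replace them with straight `"` in the command and in the "Where" sentence below it, which currently uses yet another combination (<”new_location”>).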
@@ -87,7 +87,7 @@ It's possible that you might revoke data from an unenrolled device only to later
3. Have your employee sign in to the unenrolled device, and type:
- `Robocopy <”new_location”> “%localappdata%\Microsoft\WIP\Recovery\Input”`
+ `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”`
4. Ask the employee to lock and unlock the device.
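Review bot: The Robocopy command in step 3 still uses typographic quotes around both paths, and in the placeholder the quotes sit inside the angle brackets. The command prompt only treats the straight `"` character as a quote, so a pasted command breaks as soon as a path contains a space. Since the line is being touched anyway, switch to straight quotes and write the placeholder as `"<new_location>"`. The same applies to the step 1 command in the previous hunk.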
diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
index bebd3a0cdb..8192f42f7f 100644
--- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -87,7 +87,7 @@ Threats are considered "active" if there is a very high probability that the mal
Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
> [!NOTE]
-> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
### Related topics
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
index 715979e936..ad99762845 100644
--- a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -16,14 +16,15 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
> [!NOTE]
-> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See also [Windows 10 privacy FAQ](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq) for more information.
+> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.
## What data does Windows Defender ATP collect?
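Review bot: The two links in the note now go through `go.microsoft.com/fwlink/?linkid=827576` and `linkid=827577`, which hides the destination from anyone reading or reviewing the Markdown source. Please confirm in the change description that these IDs resolve to the Privacy Statement and the Windows 10 privacy FAQ respectively. Replacing the old FAQ link is right, since it was plain http and pinned to en-au. The edited sentence also opens with "For more information" and ends with "for more information"; trim one while this line is being changed.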
@@ -31,7 +32,7 @@ Microsoft will collect and store information from your configured endpoints in a
Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).
-Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
+Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
Microsoft uses this data to:
- Proactively identify indicators of attack (IOAs) in your organization
diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
index 84d052ec72..e3df30dc93 100644
--- a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender
diff --git a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md
index a071720d2c..e61e798a6f 100644
--- a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md
+++ b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md
@@ -25,6 +25,7 @@ This topic includes the following sections:
- [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics.
- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy.
- [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted.
+- [Example of file rule levels in use](#example-of-file-rule-levels-in-use): Gives an example of how file rule levels can be applied.
## Overview of the process of creating code integrity policies
@@ -97,8 +98,18 @@ Table 3. Code integrity policy - file rule levels
> **Note** When you create code integrity policies with the [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) cmdlet, you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
+## Example of file rule levels in use
+
+For example, consider some IT professionals in a department that runs many servers. They decide they want their servers to run only software signed by the providers of their software and drivers, that is, the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
+
+To create the code integrity policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge code integrity policies into the original policy to allow that additional software to run. Then they enable the code integrity policy in enforced mode for their servers.
+
+As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their code integrity policy. If they come to a time when the internally-written, unsigned application must be updated, they must also update the code integrity policy so that the hash in the policy matches the hash of the updated internal application.
+
+They could also choose to create a catalog that captures information about the unsigned internal application, then sign and distribute the catalog. Then the internal application could be handled by code integrity policies in the same way as any other signed application. An update to the internal application would only require that the catalog be regenerated, signed, and distributed (no restarts would be required).
+
+
## Related topics
- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats)
- [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
-
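Review bot: In the second paragraph of the new section, `-Fallback Hash` is described as being there "to allow the internal, unsigned application", but the note just above the section says the Hash fallback adds hash values for binaries that did not have a signing certificate, which is every such binary discovered, not only the intended one. Say explicitly that any unsigned binary present on the reference server when the policy is created ends up allowed, so the reference image should be checked for unexpected unsigned files first. Smaller points: the section opens with "For example," directly under an "Example of..." heading, both "internally written" and "internally-written" are used, and two blank lines are added before "Related topics".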
diff --git a/windows/keep-secure/dynamic-access-control.md b/windows/keep-secure/dynamic-access-control.md
index 643a78aa1c..466562cc90 100644
--- a/windows/keep-secure/dynamic-access-control.md
+++ b/windows/keep-secure/dynamic-access-control.md
@@ -16,7 +16,7 @@ This overview topic for the IT professional describes Dynamic Access Control and
Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources.
-For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS).
+For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS). For more detailed examples of Dynamic Access Control in use, see the scenarios described in [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/windows-server-docs/identity/solution-guides/dynamic-access-control--scenario-overview).
Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.
diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
index 353acce55b..9793cfc53f 100644
--- a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
+++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
@@ -62,7 +62,6 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|Product name |App info |
|-------------|---------|
|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.MicrosoftEdge
**App Type:** Universal app |
-|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** iexplore.exe
**App Type:** Desktop app |
|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.People
**App Type:** Universal app |
|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Word
**App Type:** Universal app |
|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Excel
**App Type:** Universal app |
@@ -71,8 +70,9 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app |
|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app |
|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app |
-|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** onedrive.exe
**App Type:** Desktop app|
-|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** notepad.exe
**App Type:** Desktop app |
-|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** mspaint.exe
**App Type:** Desktop app |
|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app |
-|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
\ No newline at end of file
+|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
+|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** iexplore.exe
**App Type:** Desktop app |
+|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** onedrive.exe
**App Type:** Desktop app|
+|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** notepad.exe
**App Type:** Desktop app |
+|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app |
\ No newline at end of file
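Review bot: The four desktop-app rows (IE11, Microsoft OneDrive, Notepad, Microsoft Paint) are re-added with the label changed from **Product Name** to **Binary Name**, but nothing in the hunk tells the reader why desktop apps are identified differently from Universal apps, or that their Publisher string has no `CN=` component. Add a sentence above the table explaining the two identification schemes so readers know which field to fill in when adding an app to the allowed apps list. The file also still ends without a newline, which is why the unchanged Microsoft Messaging row shows up as removed and re-added; add the trailing newline. The OneDrive row is still missing the space before the closing `|`.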
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
index 4c51d1c44f..cdde9f9522 100644
--- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -18,12 +18,12 @@ localizationpriority: high
- Event Viewer
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints.
+You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
index 23ecf47c6e..b9e72308cc 100644
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
@@ -20,9 +20,13 @@ localizationpriority: high
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
>[!IMPORTANT]
->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10. Use **Windows Hello for Business** policy settings to manage PINs.
+>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
+>
+>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
+>
+>Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business.
-## Group Policy settings for Windows Hello for Businness
+## Group Policy settings for Windows Hello for Business
The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
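Review bot: In the rewritten IMPORTANT note, "Windows 10, version 1507 and 1511" should read "versions 1507 and 1511". The note introduces **Turn on convenience PIN sign-in** for version 1607 without saying whether it is **Turn on PIN sign-in** renamed or a separate setting; state which, because the first sentence still names the older setting as the one that controls the convenience PIN. "Disabled by default on all domain-joined computers" is a behaviour change administrators will want spelled out, so consider saying what happens to a convenience PIN that was set up before the move to 1607, or link to where that is covered.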
diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
index 893a914547..ef95089b35 100644
--- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
index cab6e62c2d..4e52c15a2e 100644
--- a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -15,7 +15,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
index fee3265cce..51e68f1fee 100644
--- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
@@ -15,7 +15,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -67,7 +67,7 @@ In the file's page, **Submit for deep analysis** is enabled when the file is ava
> [!NOTE]
> Only files from Windows 10 can be automatically collected.
-You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
+You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
> [!NOTE]
> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
diff --git a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
index dc852cb406..381ee7be12 100644
--- a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -15,7 +15,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
index 561daeebdd..fb34c03d1f 100644
--- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -40,7 +40,7 @@ The Machines view contains the following columns:
- **Active malware detections** - the number of active malware detections reported by the machine
> [!NOTE]
-> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
Click any column header to sort the view in ascending or descending order.
diff --git a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
index 9e115b6e6f..d707f81431 100644
--- a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index 32e4420124..8fa747d356 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -36,7 +36,7 @@ When you run the onboarding wizard for the first time, you must choose where you
The Windows Defender ATP agent only supports the following editions of Windows 10:
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
diff --git a/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md
index a462835906..2f8775683c 100644
--- a/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md
+++ b/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
- redirect_url: https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
+ redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
---
# Monitor the Windows Defender Advanced Threat Protection onboarding
-This page has been redirected to [Configure endpoints](https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
\ No newline at end of file
+This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
\ No newline at end of file
diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
index b584f2eb7b..9205bb0153 100644
--- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md
index 0bd61f269b..f0ae686b47 100644
--- a/windows/keep-secure/overview-create-wip-policy.md
+++ b/windows/keep-secure/overview-create-wip-policy.md
@@ -23,4 +23,4 @@ Microsoft Intune and System Center Configuration Manager helps you create and de
|------|------------|
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
\ No newline at end of file
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
\ No newline at end of file
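Review bot: The description cell on the changed row still reads "using a Encrypting File System (EFS) ..."; change it to "an Encrypting" while the stray `]` after the link is being removed. The file also still ends without a trailing newline.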
diff --git a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
index 0e1ec374bc..0790236e3f 100644
--- a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
+++ b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
@@ -16,7 +16,7 @@ author: brianlic-msft
This topic provides a roadmap for planning and getting started on the Device Guard deployment process, with links to topics that provide additional detail. Planning for Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you.
-**Planning**
+## Planning
1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).
@@ -33,7 +33,7 @@ This topic provides a roadmap for planning and getting started on the Device Gua
4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
-**Getting started on the deployment process**
+## Getting started on the deployment process
1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
index 9d6334217d..8c9f2086ff 100644
--- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -39,7 +39,7 @@ When you open the portal, you’ll see the main areas of the application:

> [!NOTE]
-> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
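Review bot: The rewritten Windows Defender link in the note still has literal parentheses in the URL (`mt622091(v=vs.85).aspx`), which some Markdown renderers cut off at the first `)`. The troubleshoot-onboarding topic in this same patch percent-encodes them (`%28v=vs.85%29`); use the same form here so the links are consistent. While the line is open, "Malware related detections" should be hyphenated as "Malware-related detections".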
diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
index 4b5dd38660..a5df900c1d 100644
--- a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md
index 0714fff961..acf27319d7 100644
--- a/windows/keep-secure/tpm-recommendations.md
+++ b/windows/keep-secure/tpm-recommendations.md
@@ -84,7 +84,7 @@ For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://resear
## Is there any importance for TPM for consumer?
-For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, secures streaming high quality 4K content and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
+For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
## TPM 2.0 Compliance for Windows 10
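Review bot: The changed paragraph drops the "secures streaming high quality 4K content" claim, and nothing in the visible change says why. State in the commit message whether the claim was inaccurate or only out of scope, so the remaining claims in the sentence can be checked the same way. Since the sentence is being edited anyway, fix the list punctuation in "Hello, Passport and in the future, many other key features" (for example "Hello, Passport, and, in the future, many other key features").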
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index a88d28abcf..7e351ee5aa 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -86,9 +86,9 @@ If none of the event logs and troubleshooting steps work, download the Local scr
Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
:---|:---|:---|:---|:---
-0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
If it doesn't exist, open an elevated command and add the key.
- | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+ | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported.
0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
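Review bot: The two edited rows only drop the locale segment from the msdn.microsoft.com link, but the unchanged rows at the end of this hunk still read "Currently is supported platforms: Enterprise, Education, and Professional."; reword that (for example "Currently supported platforms: ...") while the table is open. The "Possible cause" text for 0x87D101A9 is identical to the preceding "All" row, so confirm that the duplication is intended. "Open an elevated command and add the key" should say "elevated command prompt".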
diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
index 770c693912..150079eaff 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -15,7 +15,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
index c60ccfbea9..5973f94f6f 100644
--- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
@@ -23,7 +23,7 @@ The TPM Services Group Policy settings are located at:
**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
| Setting | Windows 10, version 1607 | Windows 10, version 1511 and Windows 10, version 1507 | Windows Server 2012 R2, Windows 8.1 and Windows RT | Windows Server 2012, Windows 8 and Windows RT | Windows Server 2008 R2 and Windows 7 | Windows Server 2008 and Windows Vista |
-| - | - | - | - | - | - |
+| - | - | - | - | - | - | - |
| [Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu) | | X| X| X| X| X|
| [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)| X| X| X| X| X| X|
| [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) | X| X| X| X| X| X|
@@ -32,21 +32,28 @@ The TPM Services Group Policy settings are located at:
| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X|||
| [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X| X|||
| [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X| X||||
-
+
### Turn on TPM backup to Active Directory Domain Services
This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information.
->**Note:** This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
-
+>[!NOTE]
+>This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
+
+
TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can be run only by the TPM owner. This hash authorizes the TPM to run these commands.
->**Important:** To back up TPM owner information from a computer running Windows 10, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). This functionality is discontinued starting with Windows 10, version 1607.
+>[!IMPORTANT]
+>To back up TPM owner information from a computer running Windows 10, version 1507, Windows 10, version 1511, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). This functionality is discontinued starting with Windows 10, version 1607.
If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds.
If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.
+>[!NOTE]
+> The **Turn on TPM backup to Active Directory Domain Services** is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files.
+
+
### Configure the list of blocked TPM commands
This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows.
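Review bot: With the delimiter row corrected to seven columns in the previous hunk, the context row for "Standard User Total Lockout Threshold" stands out: it ends in `||||`, one pipe more than the two rows above it (`|||`), so it has eight cells against a seven-column header. Drop the extra pipe. In the added note, "The **Turn on TPM backup to Active Directory Domain Services** is not available" is missing its noun ("policy setting"), and each new note block is followed by two blank `+` lines where one would do.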
diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
index 6be25ce91e..2f238a4d6d 100644
--- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md
index f06de01862..4d3345f8a1 100644
--- a/windows/keep-secure/windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md
@@ -16,11 +16,11 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
-- Windows 10 Enterprise for Education
+- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
->For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy).
+>For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
diff --git a/windows/manage/appv-application-publishing-and-client-interaction.md b/windows/manage/appv-application-publishing-and-client-interaction.md
index ca6912ebd6..b99eb36f43 100644
--- a/windows/manage/appv-application-publishing-and-client-interaction.md
+++ b/windows/manage/appv-application-publishing-and-client-interaction.md
@@ -245,7 +245,7 @@ Before an application can access the package registry data, the App-V Client mus
When a new package is added to the App-V Client, a copy of the REGISTRY.DAT file from the package is created at `%ProgramData%\Microsoft\AppV\Client\VREG\{Version GUID}.dat`. The name of the file is the version GUID with the .DAT extension. The reason this copy is made is to ensure that the actual hive file in the package is never in use, which would prevent the removal of the package at a later time.
-**Registry.dat from Package Store ** > **%ProgramData%\Microsoft\AppV\Client\Vreg\{VersionGuid}.dat**
+**Registry.dat from Package Store** > **%ProgramData%\Microsoft\AppV\Client\Vreg\\{VersionGuid}.dat**
When the first application from the package is launched on the client, the client stages or copies the contents out of the hive file, re-creating the package registry data in an alternate location `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Packages\PackageGuid\Versions\VersionGuid\REGISTRY`. The staged registry data has two distinct types of machine data and user data. Machine data is shared across all users on the machine. User data is staged for each user to a userspecific location `HKCU\Software\Microsoft\AppV\Client\Packages\PackageGuid\Registry\User`. The machine data is ultimately removed at package removal time, and the user data is removed on a user unpublish operation.
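Review bot: In the rewritten bold path only the backslash before `{VersionGuid}` is doubled; the others (`\Microsoft`, `\AppV`, `\Client`, `\Vreg`) stay single, so the escaping is inconsistent within one path. The paragraph above already gives this path in backticks as `%ProgramData%\Microsoft\AppV\Client\VREG\{Version GUID}.dat`; using inline code here too avoids the escaping question and would settle the `Vreg`/`VREG` and `{VersionGuid}`/`{Version GUID}` mismatch. The trailing context line also has a typo, "userspecific".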
@@ -387,7 +387,7 @@ Packages can be explicitly loaded using the Windows PowerShell `Mount-AppVClient
### Streaming packages
-The App-V Client can be configured to change the default behavior of streaming. All streaming policies are stored under the following registry key: `HKEY_LOCAL_MAcHINE\Software\Microsoft\AppV\Client\Streaming`. Policies are set using the Windows PowerShell cmdlet `Set-AppvClientConfiguration`. The following policies apply to Streaming:
+The App-V Client can be configured to change the default behavior of streaming. All streaming policies are stored under the following registry key: `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Streaming`. Policies are set using the Windows PowerShell cmdlet `Set-AppvClientConfiguration`. The following policies apply to Streaming: