diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index 49b0f51d45..a77cf5850f 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -33,7 +33,7 @@ You should fill out one list for each Surface Hub you need to configure, althoug
If your network uses a proxy for network and/or Internet access, you must provide a script or server/port information.
- Proxy script: http://contoso/proxy.pa
+ Proxy script: http://contoso/proxy.pa
- OR -
Server and port info: 10.10.10.100, port 80
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 07d07e34a6..eff3b9bb69 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -1,21 +1,25 @@
# [Surface](index.md)
-## [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
-## [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
+## [Deploy Surface devices](deploy.md)
+### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
+### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
+### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
+### [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)
+### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
+#### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
+#### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)
+## [Surface firmware and driver updates](update.md)
+### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
+### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
+### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
+### [Surface Dock Updater](surface-dock-updater.md)
## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)
-## [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
-## [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)
-## [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)
-## [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
-## [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
## [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
-## [Surface Data Eraser](microsoft-surface-data-eraser.md)
-## [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
-### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
-## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
-## [Surface Dock Updater](surface-dock-updater.md)
+### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
-## [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
+## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
+## [Surface Data Eraser](microsoft-surface-data-eraser.md)
+
diff --git a/devices/surface/advanced-uefi-security-features-for-surface.md b/devices/surface/advanced-uefi-security-features-for-surface.md
new file mode 100644
index 0000000000..9c6edd4717
--- /dev/null
+++ b/devices/surface/advanced-uefi-security-features-for-surface.md
@@ -0,0 +1,3 @@
+---
+redirect_url: https://technet.microsoft.com/itpro/surface/advanced-uefi-security-features-for-surface-pro-3
+---
\ No newline at end of file
diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md
new file mode 100644
index 0000000000..517aca2f0b
--- /dev/null
+++ b/devices/surface/deploy.md
@@ -0,0 +1,43 @@
+---
+title: Deploy Surface devices (Surface)
+description: Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Deploy Surface devices
+
+Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator.
+
+## In this section
+
+| Topic | Description |
+| --- | --- |
+| [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.|
+| [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. |
+| [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.|
+| [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)| Get guidance and answers to help you perform a network deployment to Surface devices.|
+| [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)| See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. |
+
+
+
+
+
+## Related topics
+
+
+[Surface TechCenter](https://technet.microsoft.com/windows/surface)
+
+[Surface for IT pros blog](http://blogs.technet.com/b/surface/)
+
+
+
+
+
+
+
+
+
diff --git a/devices/surface/images/using-sda-driverfiles-fig1.png b/devices/surface/images/using-sda-driverfiles-fig1.png
new file mode 100644
index 0000000000..51244bfe16
Binary files /dev/null and b/devices/surface/images/using-sda-driverfiles-fig1.png differ
diff --git a/devices/surface/images/using-sda-installcommand-fig2.png b/devices/surface/images/using-sda-installcommand-fig2.png
new file mode 100644
index 0000000000..61a4fbd1f2
Binary files /dev/null and b/devices/surface/images/using-sda-installcommand-fig2.png differ
diff --git a/devices/surface/images/using-sda-newinstall-fig3.png b/devices/surface/images/using-sda-newinstall-fig3.png
new file mode 100644
index 0000000000..ff18b67e3e
Binary files /dev/null and b/devices/surface/images/using-sda-newinstall-fig3.png differ
diff --git a/devices/surface/index.md b/devices/surface/index.md
index 20b688e39b..1b70df3e57 100644
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@@ -2,6 +2,7 @@
title: Surface (Surface)
description:
ms.assetid: 2a6aec85-b8e2-4784-8dc1-194ed5126a04
+localizationpriority: high
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
@@ -12,96 +13,28 @@ author: heatherpoulsen
# Surface
-## Purpose
-
-
This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization.
For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface).
## In this section
+| Topic | Description |
+| --- | --- |
+| [Deploy Surface devices](deploy.md) | Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator. |
+| [Surface firmware and driver updates](update.md) | Find out how to download and manage the latest firmware and driver updates for your Surface device. |
+| [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) | Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT. |
+| [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
+| [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. |
+| [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. |
+| [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) | Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. |
+| [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) |
-Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices. |
-
-
-[Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) |
-Walk through the process of customizing the Surface out-of-box experience for end users in your organization. |
-
-
-[Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) |
-Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT. |
-
-
-[Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) |
-Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit. |
-
-
-[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) |
-Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. |
-
-
-[Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) |
-Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
-
-
-[Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md) |
-Get guidance and answers to help you perform a network deployment to Surface devices. |
-
-
-[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md) |
-Read about the different methods you can use to manage the process of Surface Dock firmware updates. |
-
-
-[Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) |
-Explore the available options to manage firmware and driver updates for Surface devices. |
-
-
-[Manage Surface UEFI settings](manage-surface-uefi-settings.md) |
-Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. |
-
-
-[Surface Data Eraser](microsoft-surface-data-eraser.md) |
-Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
-
-
-[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) |
-See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. |
-
-
-[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) |
-Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. |
-
-
-[Surface Dock Updater](surface-dock-updater.md) |
-Get a detailed walkthrough of Microsoft Surface Dock Updater. |
-
-
-[Surface Enterprise Management Mode](surface-enterprise-management-mode.md) |
-See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization.
- |
-
-
-[Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) |
-Find out how to perform a Windows 10 upgrade deployment to your Surface devices. |
-
-
-
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md
index 246334a4d4..a34215254f 100644
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@@ -14,7 +14,8 @@ author: miladCA
Current and future generations of Surface devices, including Surface Pro 4 and Surface Book, use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the device’s operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings.
->**Note:** Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI.
+>[!NOTE]
+>Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI.
You can enter the Surface UEFI settings on your Surface device by pressing the **Volume Up** button and the **Power** button simultaneously. Hold the **Volume Up** button until the Surface logo is displayed, which indicates that the device has begun to boot.
@@ -137,3 +138,7 @@ Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as sh
*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
+
+## Related topics
+
+[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
\ No newline at end of file
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index 169358ad9a..9c4d792a9d 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -115,6 +115,10 @@ This version is the original release of SDA. This version of SDA includes suppor
* Windows 8.1
-
+## Related topics
+
+[Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
+
+[Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index 981d6dae06..3361d3002c 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -13,7 +13,8 @@ author: jobotto
Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
->**Note**: SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4 and Surface Book. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings).
+>[!NOTE]
+>SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4 and Surface Book. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
@@ -25,7 +26,8 @@ The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown i
*Figure 1. Microsoft Surface UEFI Configurator*
->**Note**: Windows 10 is required to run Microsoft Surface UEFI Configurator
+>[!NOTE]
+>Windows 10 is required to run Microsoft Surface UEFI Configurator
You can use the Microsoft Surface UEFI Configurator tool in three modes:
@@ -36,7 +38,7 @@ You can use the Microsoft Surface UEFI Configurator tool in three modes:
#### Download Microsoft Surface UEFI Configurator
-You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center.
+You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
### Configuration package
@@ -48,7 +50,8 @@ Surface UEFI configuration packages are the primary mechanism to implement and m
See the [Surface Enterprise Management Mode certificate requirements](#surface-enterprise-management-mode-certificate-requirements) section of this article for more information about the requirements for the SEMM certificate.
->**Note**: You can also specify a UEFI password with SEMM that is required to view the **Security**, **Devices**, **Boot Configuration**, or **Enterprise Management** pages of Surface UEFI.
+>[!NOTE]
+>You can also specify a UEFI password with SEMM that is required to view the **Security**, **Devices**, **Boot Configuration**, or **Enterprise Management** pages of Surface UEFI.
After a device is enrolled in SEMM, the configuration file is read and the settings specified in the file are applied to UEFI. When you run a configuration package on a device that is already enrolled in SEMM, the signature of the configuration file is checked against the certificate that is stored in the device firmware. If the signature does not match, no changes are applied to the device.
@@ -85,7 +88,8 @@ You can configure the following advanced settings with SEMM:
* Display of the Surface UEFI **Devices** page
* Display of the Surface UEFI **Boot** page
->**Note**: When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
+>[!NOTE]
+>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
@@ -113,11 +117,13 @@ In some scenarios, it may be impossible to use a Surface UEFI reset package. (Fo
When you use the process on the **Enterprise Management** page to reset SEMM on a Surface device, you are provided with a Reset Request. This Reset Request can be saved as a file to a USB drive, copied as text, or read as a QR Code with a mobile device to be easily emailed or messaged. Use the Microsoft Surface UEFI Configurator Reset Request option to load a Reset Request file or enter the Reset Request text or QR Code. Microsoft Surface UEFI Configurator will generate a verification code that can be entered on the Surface device. If you enter the code on the Surface device and click **Restart**, the device will be unenrolled from SEMM.
->**Note**: A Reset Request expires two hours after it is created.
+>[!NOTE]
+>A Reset Request expires two hours after it is created.
## Surface Enterprise Management Mode certificate requirements
->**Note**: The SEMM certificate is required to perform any modification to SEMM or Surface UEFI settings on enrolled Surface devices. If the SEMM certificate is corrupted or lost, SEMM cannot be removed or reset. Manage your SEMM certificate accordingly with an appropriate solution for backup and recovery.
+>[!NOTE]
+>The SEMM certificate is required to perform any modification to SEMM or Surface UEFI settings on enrolled Surface devices. If the SEMM certificate is corrupted or lost, SEMM cannot be removed or reset. Manage your SEMM certificate accordingly with an appropriate solution for backup and recovery.
Packages created with the Microsoft Surface UEFI Configurator tool are signed with a certificate. This certificate ensures that after a device is enrolled in SEMM, only packages created with the approved certificate can be used to modify the settings of UEFI. The following settings are recommended for the SEMM certificate:
@@ -132,8 +138,9 @@ Packages created with the Microsoft Surface UEFI Configurator tool are signed wi
It is also recommended that the SEMM certificate be authenticated in a two-tier public key infrastructure (PKI) architecture where the intermediate certification authority (CA) is dedicated to SEMM, enabling certificate revocation. For more information about a two-tier PKI configuration, see [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348).
->**Note**: You can use the following PowerShell script to create a self-signed certificate for use in proof-of-concept scenarios.
- To use this script, copy the following text into Notepad and save the file as a PowerShell script (.ps1). This script creates a certificate with a password of `12345678`.
The certificate generated by this script is not recommended for production environments.
+>[!NOTE]
+>You can use the following PowerShell script to create a self-signed certificate for use in proof-of-concept scenarios.
+ > To use this script, copy the following text into Notepad and save the file as a PowerShell script (.ps1). This script creates a certificate with a password of `12345678`.
The certificate generated by this script is not recommended for production environments.
```
if (-not (Test-Path "Demo Certificate")) { New-Item -ItemType Directory -Force -Path "Demo Certificate" }
@@ -160,4 +167,11 @@ $TestUefiV2 | Export-PfxCertificate -Password $pw -FilePath "Demo Certificate\Te
For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must be exported with the private key and with password protection. Microsoft Surface UEFI Configurator will prompt you to select the SEMM certificate file (.pfx) and certificate password when it is required.
->**Note**: For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.
+>[!NOTE]
+>For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.
+
+## Related topics
+
+[Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
+
+[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
\ No newline at end of file
diff --git a/devices/surface/update.md b/devices/surface/update.md
new file mode 100644
index 0000000000..3e00c77e71
--- /dev/null
+++ b/devices/surface/update.md
@@ -0,0 +1,38 @@
+---
+title: Surface firmware and driver updates (Surface)
+description: Find out how to download and manage the latest firmware and driver updates for your Surface device.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: heatherpoulsen
+---
+
+# Surface firmware and driver updates
+
+Find out how to download and manage the latest firmware and driver updates for your Surface device.
+
+## In this section
+
+| Topic | Description |
+| --- | --- |
+| [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.|
+| [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.|
+| [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.|
+| [Surface Dock Updater](surface-dock-updater.md)| Get a detailed walkthrough of Microsoft Surface Dock Updater.|
+
+
+## Related topics
+
+[Surface TechCenter](https://technet.microsoft.com/windows/surface)
+
+[Surface for IT pros blog](http://blogs.technet.com/b/surface/)
+
+
+
+
+
+
+
+
+
diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md
new file mode 100644
index 0000000000..043150076c
--- /dev/null
+++ b/devices/surface/using-the-sda-deployment-share.md
@@ -0,0 +1,163 @@
+---
+title: Using the Microsoft Surface Deployment Accelerator deployment share (Surface)
+description: Explore the scenarios where you can use SDA to meet the deployment needs of your organization including Proof of Concept, pilot deployment, as well as import additional drivers and applications.
+keywords: deploy, install, automate, deployment solution
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: Scottmca
+---
+
+# Using the Microsoft Surface Deployment Accelerator deployment share
+
+With Microsoft Surface Deployment Accelerator (SDA), you can quickly and easily set up a deployment solution that is ready to deploy Windows to Surface devices. The prepared environment is built on powerful deployment technologies available from Microsoft, such as the [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/en-us/windows/dn475741), and is capable of immediately performing a deployment after configuration. See [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/en-us/itpro/surface/step-by-step-surface-deployment-accelerator) for a comprehensive walkthrough of using the SDA wizard to set up a deployment share and perform a deployment.
+
+For more information about SDA and information on how to download SDA, see [Microsoft Surface Deployment Accelerator (SDA)](https://technet.microsoft.com/en-us/itpro/surface/microsoft-surface-deployment-accelerator).
+
+Using SDA provides these primary benefits:
+
+* With SDA, you can create a ready-to-deploy environment that can deploy to target devices as fast as your download speeds allow. The wizard experience enables you to check a few boxes and then the automated process builds your deployment environment for you.
+
+* With SDA, you prepare a deployment environment built on the industry leading deployment solution of MDT. With MDT you can scale from a relatively basic deployment of a few Surface devices to a solution capable of deploying to thousands of devices including all of the different makes and models in your organization and all of the applications required by each device and user.
+
+This article explores four scenarios where you can use SDA to meet the needs of your organization. See [Deploy Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/index) to explore the capabilities of MDT and the Windows deployment technologies available from Microsoft in greater detail.
+
+## Perform a Proof of Concept deployment
+
+One of the primary scenarios for use of SDA is as a Proof of Concept. A *Proof of Concept* (PoC) enables you to test or evaluate the capabilities of a solution or technology. A PoC is often used to illustrate the benefits of the solution or technology to decision makers. For example, if you want to recommend Surface devices as a replacement of older point of sale (POS) systems, you could perform a PoC to demonstrate how Surface devices provide superior computing power, flexibility, and connectivity when compared to alternate options.
+
+Using SDA to prepare a PoC of Surface devices enables you to very quickly prepare a demonstration of Surface device or devices, which gives you more time for customization or preparation. The flexibility of SDA even lets you import resources, like applications and drivers, from existing MDT deployment infrastructure. See the [Work with existing deployment shares](#work-with-existing-deployment-shares) section later in this article for more information.
+
+SDA is also an excellent PoC of the capabilities of MDT. SDA demonstrates just how quickly an MDT deployment environment can be prepared and made ready for deployment to devices. It also shows just how flexible and customizable the MDT solution can be, with support for Windows 10 and Windows 8.1, for Windows Store and desktop applications, and several models of Surface devices.
+
+Some recommendations for a successful PoC with SDA are:
+
+* Keep your SDA deployment environment separate from your production network. This ensures optimal performance and reduces potential for conflicts during your PoC deployment.
+
+* Use a fresh and updated instance of Windows Server to house your SDA deployment share to maintain the simplicity and performance of the demonstration environment.
+
+* Test the deployment process before you demonstrate your PoC. This reduces the potential for unexpected situations and keeps the demonstration focused on the deployment process and Surface devices.
+
+* Use offline files with SDA to further reduce installation times.
+
+* For help with your PoC, contact [Surface Support](https://www.microsoft.com/surface/en-us/support/contact-us-business).
+
+## Perform a pilot deployment
+
+A pilot deployment differs from a PoC. Where a PoC is usually a closed demonstration that is performed prior to the deployment process in order to get approval for the use of certain technologies or solutions, a *pilot deployment* is performed during the deployment process as a limited scope deployment for testing and validation. The focus of a pilot deployment can be as narrow as only a handful of devices, or wide enough to include a significant portion of your organization.
+
+>[!NOTE]
+>A pilot deployment should not replace the testing process that should be performed regularly in the lab as the deployment environment is built and developed. A deployment solution should be tested in virtual and physical environments as new applications and drivers are added and when task sequences are modified and before a pilot deployment is performed.
+
+For example, you are tasked with deploying Surface devices to mobile workers and you want to test the organization’s MDT deployment process by providing a small number of devices to executives. You can use SDA to create an isolated Surface deployment environment and then copy the task sequence, applications, and drivers needed from the production deployment share. This not only enables you to quickly create a Surface deployment, but it also minimizes the risk to the production deployment process used for other types of devices.
+
+For small organizations, the pilot deployment environment of SDA may suffice as a complete deployment solution. Even if you do not have an existing deployment environment, you can import drivers and applications (covered later in this article) to provide a complete deployment solution based on MDT. Even without previous knowledge of MDT or Windows deployment, you can follow the [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/en-us/itpro/surface/step-by-step-surface-deployment-accelerator) article to get started with a deployment to Surface devices.
+
+## Import additional drivers
+
+The SDA deployment share includes all of the drivers needed for Surface devices. This includes the drivers for the components inside the Surface device, such as the wireless network adapter and the main chipset, as well as drivers for Surface accessories, such as the Surface Dock or Surface USB Ethernet adapters. The SDA deployment share does not, however, include drivers for third-party devices or peripherals.
+
+For example, you may intend to use your Surface device with a thermal printer, credit card reader, and barcode scanner as a POS terminal. In this scenario, the thermal printer, credit card reader, and barcode scanner will very likely require installation of drivers to operate properly. You could potentially download and install these drivers from Windows Update when each peripheral is connected, or you could install the driver package from the manufacturer manually on each Surface device, but the ideal solution is to have these drivers already present in Windows so that when the peripheral is connected, it will just work.
+
+Because SDA is built on MDT, adding the drivers to the SDA deployment share is easy and simple.
+
+>[!NOTE]
+>The drivers must be in the Setup Information File (.inf) format. If the drivers for your device come as an executable file (.exe), they may need to be extracted or installed to procure the .inf file. Some device drivers come packaged with applications, for example an all-in-one printer bundled with scan software. These applications will need to be installed separately from the drivers.
+
+To import drivers for a peripheral device:
+
+1. Download the drivers for your device from the manufacturer web site.
+
+2. Open the MDT Deployment Workbench.
+
+3. Expand the **Deployment Shares** node and expand the SDA deployment share.
+
+4. Expand the **Out-of-Box Drivers** folder.
+
+5. Select the folder of the Surface model for which you would like to include this driver.
+
+6. Click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1.
+
+ 
+
+ *Figure 1. Provide the location of your driver files*
+
+7. The Import Drivers Wizard presents a series of steps:
+
+ - **Specify Directory** – Click **Browse** and navigate to the folder where you stored the drivers in Step 1.
+ - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
+ - **Progress** – While the drivers are imported, a progress bar is displayed on this page.
+ - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard.
+
+8. Repeat Steps 5-7 for each Surface model on which you would like to include this driver.
+
+9. Close the Deployment Workbench.
+
+After the drivers are imported for the Surface model, the deployment task sequence will automatically select the drivers during the deployment process and include them in the Windows environment. When you connect your device, such as the barcode scanner in the example, Windows should automatically detect the device and you should be able to use it immediately.
+
+>[!NOTE]
+>You can even import drivers for other computer makes and models to support other devices. See **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt) for more information about how to import drivers for other makes and models.
+
+## Import additional applications
+
+As with drivers, the SDA deployment share can be pre-configured with apps like the Surface App and Microsoft Office 365. You can also add applications to the SDA deployment share and configure them to be installed on your Surface devices during deployment of Windows. In the ideal scenario, your Surface devices deployed with the SDA deployment share will include all of the applications needed to be ready for your end users.
+
+In the previous example for including drivers for a POS system, you would also need to include POS software for processing transactions and recording the input from the barcode scanner and credit card reader. To import an application and prepare it for installation on your Surface devices during Windows deployment:
+
+1. Download the application installation files or locate the installation media for your application.
+
+2. Determine the command line instruction for silent installation, usually provided by the developer of the application. For Windows Installer files (.msi), see [Standard Installer Command-Line Options](https://msdn.microsoft.com/library/windows/desktop/aa372024) in the Windows Dev Center.
+
+3. Open the MDT Deployment Workbench.
+
+4. Expand the **Deployment Shares** node and expand the SDA deployment share.
+
+5. Expand the **Applications** folder.
+
+6. Click **New Application** to start the New Application Wizard, as shown in Figure 2.
+
+ 
+
+ *Figure 2: Provide the command to install your application*
+
+7. Follow the steps of the New Application Wizard:
+
+ - **Application Type** – Click **Application with Source Files**, and then click **Next**.
+ - **Details** – Enter a name for the application in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**.
+ - **Source** – Click **Browse** to navigate to and select the folder with the application installation files procured in Step 1, and then click **Next**.
+ - **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name.
+ - **Command Details** – Enter the silent command-line instruction, for example `setup.msi /quiet /norestart`
+ - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
+ - **Progress** – While the installation files are imported, a progress bar is displayed on this page.
+ - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard.
+
+8. Click the **Task Sequences** folder, right-click **1 - Deploy Microsoft Surface**, and then click **Properties**.
+
+9. Click the **Task Sequence** tab to view the steps that are included in the new task sequence.
+
+10. Select the **Windows Update (Pre-Application Installation)** step, and then click **Add**.
+
+11. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3.
+
+ 
+
+ *Figure 3. A new Install Application step for Sample POS App*
+
+12. On the **Properties** tab of the new **Install Application** step, enter **Install - Sample POS App** in the **Name** field, where *Sample POS App* is the name of your app.
+
+13. Click **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
+
+14. Select your app from the list of applications, and then click **OK**.
+
+15. Click **OK** to close the task sequence properties.
+
+16. Close the Deployment Workbench.
+
+## Work with existing deployment shares
+
+One of the many benefits of an MDT deployment share is the simplicity of how deployment resources are stored. The MDT deployment share is, at its core, just a standard network file share. All deployment resources, such as Windows images, application installation files, and drivers, are stored in a share that can be browsed with File Explorer, copied and pasted, and moved just like any other file share, provided that you have the necessary permissions. This makes working with deployment resources extremely easy. MDT even allows you to make it easier by allowing you to open multiple deployment shares from the Deployment Workbench and to transfer or copy resources between them.
+
+This ability gives SDA some extra capabilities when used in an environment with an existing MDT infrastructure. For example, if you install SDA on an isolated server to prepare a PoC and then log on to your production MDT deployment share from the Deployment Workbench on your SDA server, you can copy applications, drivers, task sequences, and other components into the SDA deployment share that is prepared with Surface apps and drivers. With this process, in a very short amount time, you can have a deployment environment ready to deploy your organization’s precise requirements to Surface devices.
+
+You can also use this capability in reverse. For example, you can copy the Surface drivers, deployment task sequences, and apps directly into a lab or testing environment following a successful PoC. Using these resources, you can immediately begin to integrate Surface deployment into your existing deployment infrastructure.
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index 64da3956f1..2e31b14786 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -1,5 +1,4 @@
# [Windows 10 for Education](index.md)
-## [Change history for Windows 10 for Education](change-history-edu.md)
## [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
## [Setup options for Windows 10](set-up-windows-10.md)
### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
@@ -18,3 +17,4 @@
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
## [Chromebook migration guide](chromebook-migration-guide.md)
+## [Change history for Windows 10 for Education](change-history-edu.md)
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index 0d1c19f506..f03105f10d 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -12,38 +12,39 @@ author: jdeckerMS
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+## September 2016
+
+| New or changed topic | Description|
+| --- | --- |
+| [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md) | New. Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. |
## RELEASE: Windows 10, version 1607
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
+The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
- [Set up Windows 10](set-up-windows-10.md)
- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
- [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
-
## July 2016
-
| New or changed topic | Description|
| --- | --- |
-| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New |
-|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New |
-
-
+| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New. Learn about the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions. |
+|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New. Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, AD DS, and Microsoft Azure AD, use SCCM, Intune, and Group Policy to manage devices. |
## June 2016
| New or changed topic | Description |
|----------------------|-------------|
-| [Get Minecraft Education Edition](get-minecraft-for-education.md) [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New |
+| [Get Minecraft Education Edition](get-minecraft-for-education.md) [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New. Learn how to get and distribute Minecraft: Education Edition. |
## May 2016
| New or changed topic | Description |
|----------------------|-------------|
-| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New |
-| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New |
-| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New |
+| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New. Learn how the Set up School PCs app works and how to use it. |
+| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New. Describes the changes that the Set up School PCs app makes to a PC. |
+| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New. Learn how to set up and use the Take a Test app. |
| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in November 2015 |
-| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 |
\ No newline at end of file
+| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 |
diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md
index ec0fc56066..64a6208970 100644
--- a/education/windows/create-tests-using-microsoft-forms.md
+++ b/education/windows/create-tests-using-microsoft-forms.md
@@ -1,6 +1,6 @@
---
title: Create tests using Microsoft Forms
-description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while complete a test.
+description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test.
keywords: school, Take a Test, Microsoft Forms
ms.prod: w10
ms.mktglfcycl: plan
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 6fdf7e3da3..0eabc87c57 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -191,16 +191,6 @@ The **Set up School PCs** app produces a specialized provisioning package that m
| *.**ms-windows-store-license**, and select the license file.
[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md)
diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 68b0a74563..fe8e875c6b 100644
--- a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -5,6 +5,7 @@ ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
keywords: upgrade, install, installation, computer refresh
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
index ea05d6a281..450e831b33 100644
--- a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
@@ -5,6 +5,7 @@ ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
keywords: reinstallation, customize, template, script, restore
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@@ -66,6 +67,7 @@ The custom USMT template is named MigContosoData.xml, and you can find it in the
In order to use the custom MigContosoData.xml USMT template, you need to copy it to the MDT Production deployment share and update the CustomSettings.ini file. In these steps, we assume you have downloaded the MigContosoData.xml file.
1. Using File Explorer, copy the MigContosoData.xml file to the **E:\\MDTProduction\\Tools\\x64\\USMT5** folder.
2. Using Notepad, edit the E:\\MDTProduction\\Control\\CustomSettings.ini file. After the USMTMigFiles002=MigUser.xml line add the following line:
+
``` syntax
USMTMigFiles003=MigContosoData.xml
```
diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index b9f521531f..5691f94681 100644
--- a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -5,6 +5,7 @@ ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
keywords: upgrade, install, installation, replace computer, setup
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
index a862edf501..c4d80c812b 100644
--- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -5,6 +5,7 @@ ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a
keywords: deploy, deployment, replace
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deploy/set-up-mdt-2013-for-bitlocker.md b/windows/deploy/set-up-mdt-2013-for-bitlocker.md
index 6cfb4a8a57..16b405ad57 100644
--- a/windows/deploy/set-up-mdt-2013-for-bitlocker.md
+++ b/windows/deploy/set-up-mdt-2013-for-bitlocker.md
@@ -5,6 +5,7 @@ description:
keywords: disk, encryption, TPM, configure, secure, script
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@@ -84,6 +85,7 @@ If you consistently get the error "Windows BitLocker Drive Encryption Informatio
In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01.
1. On DC01, start an elevated PowerShell prompt (run as Administrator).
2. Configure the permissions by running the following command:
+
``` syntax
cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
```
@@ -105,10 +107,12 @@ cctk.exe --tpm=on --valsetuppwd=Password1234
### Add tools from HP
The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
+
``` syntax
BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234
```
And the sample content of the TPMEnable.REPSET file:
+
``` syntax
English
Activate Embedded Security On Next Boot
diff --git a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md
index 1f77bcb17d..3677031293 100644
--- a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -5,6 +5,7 @@ ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c
keywords: deploy, script
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
index 2a854e9a3b..1739910931 100644
--- a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
@@ -4,6 +4,7 @@ description: The simplest path to upgrade PCs currently running Windows 7, Wind
ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
+localizationpriority: high
ms.mktglfcycl: deploy
author: mtniehaus
---
diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index feaabb3fa4..a57de8573f 100644
--- a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -5,6 +5,7 @@ ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md
index f79c20d4ba..8270ef2a4e 100644
--- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md
+++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md
@@ -4,6 +4,7 @@ description: This article describes how to upgrade eligible Windows Phone 8.1 de
keywords: upgrade, update, windows, phone, windows 10, mdm, mobile
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: Jamiejdt
diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
index da3cbd9940..65fb7d646b 100644
--- a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
+++ b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
@@ -5,6 +5,7 @@ ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
keywords: web services, database
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@@ -139,6 +140,7 @@ Make sure the account you are using has permissions to run runbooks on the Orche
1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
2. Using an elevated command prompt (run as Administrator), type the following command:
+
``` syntax
cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
```
diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 32208d3e25..38ae49c0e7 100644
--- a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -6,6 +6,7 @@ ms.pagetype: mdt
keywords: database, permissions, settings, configure, deploy
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deploy/use-web-services-in-mdt-2013.md
index 2f6f9bf239..33f1c9a3a7 100644
--- a/windows/deploy/use-web-services-in-mdt-2013.md
+++ b/windows/deploy/use-web-services-in-mdt-2013.md
@@ -5,6 +5,7 @@ ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
keywords: deploy, web apps
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.pagetype: mdt
ms.sitesec: library
author: mtniehaus
diff --git a/windows/deploy/windows-10-deployment-scenarios.md b/windows/deploy/windows-10-deployment-scenarios.md
index d3b797865f..b33db65cc8 100644
--- a/windows/deploy/windows-10-deployment-scenarios.md
+++ b/windows/deploy/windows-10-deployment-scenarios.md
@@ -5,6 +5,7 @@ ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5
keywords: upgrade, in-place, configuration, deploy
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deploy/windows-10-edition-upgrades.md b/windows/deploy/windows-10-edition-upgrades.md
index 5ef0592258..5a17250306 100644
--- a/windows/deploy/windows-10-edition-upgrades.md
+++ b/windows/deploy/windows-10-edition-upgrades.md
@@ -4,6 +4,7 @@ description: With Windows 10, you can quickly upgrade from one edition of Windo
ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
diff --git a/windows/deploy/windows-10-enterprise-e3-overview.md b/windows/deploy/windows-10-enterprise-e3-overview.md
index c4a945e569..c3861f8fe5 100644
--- a/windows/deploy/windows-10-enterprise-e3-overview.md
+++ b/windows/deploy/windows-10-enterprise-e3-overview.md
@@ -4,6 +4,7 @@ description: Describes Windows 10 Enterprise E3, an offering that delivers, by s
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: greg-lindsay
diff --git a/windows/deploy/windows-10-poc-mdt.md b/windows/deploy/windows-10-poc-mdt.md
deleted file mode 100644
index 04cb2496e2..0000000000
--- a/windows/deploy/windows-10-poc-mdt.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: Placeholder (Windows 10)
-description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-author: greg-lindsay
----
-
-# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
-
-**Applies to**
-
-- Windows 10
-
-## In this guide
-
-## Related Topics
-
-
-
-
-
-
-
-
-
diff --git a/windows/deploy/windows-10-poc-sccm.md b/windows/deploy/windows-10-poc-sccm.md
deleted file mode 100644
index 3e43d7c402..0000000000
--- a/windows/deploy/windows-10-poc-sccm.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: Placeholder (Windows 10)
-description: Deploy Windows 10 in a test lab using System Center Configuration Manager
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-author: greg-lindsay
----
-
-# Deploy Windows 10 in a test lab using System Center Configuration Manager
-
-**Applies to**
-
-- Windows 10
-
-## In this guide
-
-## Related Topics
-
-
-
-
-
-
-
-
-
diff --git a/windows/deploy/windows-10-upgrade-paths.md b/windows/deploy/windows-10-upgrade-paths.md
index 7ee695086b..b6c196f4d1 100644
--- a/windows/deploy/windows-10-upgrade-paths.md
+++ b/windows/deploy/windows-10-upgrade-paths.md
@@ -4,6 +4,7 @@ description: You can upgrade to Windows 10 from a previous version of Windows if
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
+localizationpriority: high
ms.pagetype: mobile
author: greg-lindsay
---
diff --git a/windows/deploy/windows-adk-scenarios-for-it-pros.md b/windows/deploy/windows-adk-scenarios-for-it-pros.md
index 19c048877c..89c15460f6 100644
--- a/windows/deploy/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deploy/windows-adk-scenarios-for-it-pros.md
@@ -4,6 +4,7 @@ description: The Windows Assessment and Deployment Kit (Windows ADK) contains to
ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B
ms.prod: w10
ms.mktglfcycl: deploy
+localizationpriority: high
ms.sitesec: library
author: greg-lindsay
---
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 57a7d44fcf..c43b7b759f 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -35,6 +35,7 @@
#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
+#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
## [VPN profile options](vpn-profile-options.md)
diff --git a/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md b/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md
index 279966110f..1f2d6310fd 100644
--- a/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md
+++ b/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
- redirect_url: https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
+ redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
---
# Additional Windows Defender ATP configuration settings
-This page has been redirected to [Configure endpoints](https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
\ No newline at end of file
+This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
\ No newline at end of file
diff --git a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
index 4e5ae1d646..129b49f08e 100644
--- a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -37,12 +37,12 @@ Assigning read only access rights requires adding the users to the “Security R
Use the following steps to assign security roles:
- Preparations:
- - Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/).
+ - Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
-- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/en-us/library/dn194123.aspx).
+- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
- For **read and write** access, assign users to the security administrator role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
@@ -52,4 +52,4 @@ Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "s
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”
```
-For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/en-us/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
+For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md
index d4d9a55257..0155f5ed15 100644
--- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md
@@ -146,12 +146,12 @@ To create a self-signed certificate, you can either use the New-SelfSignedCertif
Windows PowerShell example:
```syntax
-New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt -KeyLength 2048 -KeySpec KeyExchange -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
+New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
```
Certreq example:
-1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf
+1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf.
2. Add the following contents to the previously created file:
``` syntax
@@ -162,9 +162,8 @@ Certreq example:
Exportable=true
RequestType=Cert
KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
- KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG"
+ KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG | NCRYPT_ALLOW_SIGNING_FLAG"
KeyLength=2048
- Keyspec="AT_KEYEXCHANGE"
SMIME=FALSE
HashAlgorithm=sha512
[Extensions]
@@ -180,9 +179,9 @@ Certreq example:
certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
```
-4. Verify the previous command properly created the certificate by confirming the .cer file exists
-5. Launch the Certificate Manager by running **certmgr.msc**
-6. Create a .pfx file by opening the **Certificates – Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
+4. Verify the previous command properly created the certificate by confirming the .cer file exists.
+5. Launch Certificates - Local Machine by running **certlm.msc**.
+6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
### Step Five: Deploy the private key and certificate to the WDS server
@@ -193,27 +192,27 @@ With the certificate and key created, deploy them to the infrastructure to prope
3. In the **File to Import** dialog, choose the .pfx file created previously.
4. Enter the password used to create the .pfx and complete the wizard.
-### Step Six: Configure Group Policy settings for Network Unlock
+### Step Six: Configure Group Policy settings for Network Unlock
With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock.
-1. Open Group Policy Management Console (gpmc.msc)
-2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option
-3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
+1. Open Group Policy Management Console (gpmc.msc).
+2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
+3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
The following steps describe how to deploy the required Group Policy setting:
>**Note:** The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
-1. Copy the .cer file created for Network Unlock to the domain controller
-2. On the domain controller, launch Group Policy Management Console (gpmc.msc)
+1. Copy the .cer file created for Network Unlock to the domain controller.
+2. On the domain controller, launch Group Policy Management Console (gpmc.msc).
3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting.
-4. Deploy the public certificate to clients
+4. Deploy the public certificate to clients:
- 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**
- 2. Right-click the folder and choose **Add Network Unlock Certificate**
+ 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**.
+ 2. Right-click the folder and choose **Add Network Unlock Certificate**.
3. Follow the wizard steps and import the .cer file that was copied earlier.
>**Note:** Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
@@ -222,16 +221,16 @@ The following steps describe how to deploy the required Group Policy setting:
An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following:
-1. Open Group Policy Management Console (gpmc.msc)
-2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option
-3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
+1. Open Group Policy Management Console (gpmc.msc).
+2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
+3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
### Create the certificate template for Network Unlock
The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates.
1. Open the Certificates Template snap-in (certtmpl.msc).
-2. Locate the User template. Right-click the template name and select **Duplicate Template**
+2. Locate the User template. Right-click the template name and select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
@@ -247,9 +246,9 @@ The following steps detail how to create a certificate template for use with Bit
- **Name:** **BitLocker Network Unlock**
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
-14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**
+14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
-16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission
+16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
17. Select **OK** to complete configuration of the template.
To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
@@ -329,8 +328,8 @@ Files to gather when troubleshooting BitLocker Network Unlock include:
In the right pane, click **Enable Log**.
2. The DHCP subnet configuration file (if one exists).
-3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell
-4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address
+3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell.
+4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address.
## Configure Network Unlock Group Policy settings on earlier versions
@@ -347,7 +346,7 @@ The following steps can be used to configure Network Unlock on these older syste
3. [Step Three: Install the Network Unlock feature](#bkmk-stepthree)
4. [Step Four: Create the Network Unlock certificate](#bkmk-stepfour)
5. [Step Five: Deploy the private key and certificate to the WDS server](#bkmk-stepfive)
-6. **Step Six: Configure registry settings for Network Unlock**
+6. [Step Six: Configure registry settings for Network Unlock](#bkmk-stepsix)
Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic.
certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index 4394da8ab8..6dc8ea8b8c 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -12,6 +12,16 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## September 2016
+
+| New or changed topic | Description |
+| --- | --- |
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) | New |
+|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
+|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
+| [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs |
+| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate |
+
## August 2016
|New or changed topic | Description |
|----------------------|-------------|
diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 6978b1a8f6..731d00b2c5 100644
--- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -34,7 +34,7 @@ localizationpriority: high
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
-3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
@@ -61,7 +61,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
-2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
+2. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
3. In the **Group Policy Management Editor**, go to **Computer configuration**.
@@ -88,7 +88,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
-3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index f667ac1b36..3b4fddffaf 100644
--- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -23,11 +23,11 @@ localizationpriority: high
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
-For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
+For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
## Configure endpoints using Microsoft Intune
-For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
+For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
### Onboard and monitor endpoints
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index e7e9a27b13..8faa5dafdb 100644
--- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -45,9 +45,9 @@ You can use System Center Configuration Manager’s existing functionality to cr
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
-3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
+3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic.
-4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
+4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
@@ -72,7 +72,7 @@ Possible values are:
The default value in case the registry key doesn’t exist is 1.
-For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx).
+For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
### Offboard endpoints
@@ -90,9 +90,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
-3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
+3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic.
-4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
+4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
@@ -128,7 +128,7 @@ Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
Name: “OnboardingState”
Value: “1”
```
-For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx).
+For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
index 4f1cf1dfd9..06392494c0 100644
--- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
@@ -77,7 +77,7 @@ It's possible that you might revoke data from an unenrolled device only to later
1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
- `Robocopy “%localappdata%\Microsoft\WIP\Recovery” <“new_location”> /EFSRAW`
+ `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW`
Where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
@@ -87,7 +87,7 @@ It's possible that you might revoke data from an unenrolled device only to later
3. Have your employee sign in to the unenrolled device, and type:
- `Robocopy <”new_location”> “%localappdata%\Microsoft\WIP\Recovery\Input”`
+ `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”`
4. Ask the employee to lock and unlock the device.
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md
index 7a107e086c..ed6a4793e9 100644
--- a/windows/keep-secure/create-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-wip-policy-using-intune.md
@@ -138,8 +138,8 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
1. From the **App Rules** area, click **Add**.
The **Add App Rule** box appears.
-
- 
+
+ 
2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
@@ -278,8 +278,8 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
1. From the **App Rules** area, click **Add**.
The **Add App Rule** box appears.
-
- 
+
+ 
2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*.
@@ -370,8 +370,8 @@ There are no default locations included with WIP, you must add each of your netw
| Enterprise Cloud Resources |
- **With proxy:** contoso.sharepoint.com,proxy.contoso.com|
contoso.visualstudio.com,proxy.contoso.com**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` |
+ With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.comWithout proxy: contoso.sharepoint.com|contoso.visualstudio.com |
+ Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ |
| Enterprise Network Domain Names (Required) |
@@ -380,8 +380,8 @@ There are no default locations included with WIP, you must add each of your netw
| Enterprise Proxy Servers |
- proxy.contoso.com:80;proxy2.contoso.com:137 |
- Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. |
+ proxy.contoso.com:80;proxy2.contoso.com:443 |
+ Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet. This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic. This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network. If you have multiple resources, you must separate them using the ";" delimiter. |
| Enterprise Internal Proxy Servers |
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md
index c66c433c22..9c13f0506b 100644
--- a/windows/keep-secure/create-wip-policy-using-sccm.md
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@@ -391,18 +391,23 @@ There are no default locations included with WIP, you must add each of your netw
| Enterprise Cloud Resources |
- **With proxy:** contoso.sharepoint.com,proxy.contoso.com|
contoso.visualstudio.com,proxy.contoso.com**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` |
+ With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.comWithout proxy: contoso.sharepoint.com|contoso.visualstudio.com |
+ Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ |
| Enterprise Network Domain Names (Required) |
corp.contoso.com,region.contoso.com |
- Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. |
+ Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. |
| Enterprise Proxy Servers |
+<<<<<<< HEAD
proxy.contoso.com:80;proxy2.contoso.com:137 |
+ Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet. This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic. TThis setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network. If you have multiple resources, you must separate them using the ";" delimiter. |
+=======
+ proxy.contoso.com:80;proxy2.contoso.com:443 |
Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. |
+>>>>>>> refs/remotes/origin/master
| Enterprise Internal Proxy Servers |
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index 55180bcbe5..068f9e099f 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -30,7 +30,9 @@ Credential Guard isolates secrets that previous versions of Windows stored in th
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption.
+Credential Guard prevents NTLMv1, MS-CHAPv2, Digest, and CredSSP from using sign-on credentials. Thus, single sign-on does not work with these protocols. However, Credential guard allows these protocols to be used with prompted credentials or those saved in Credential Manager. It is strongly recommended that valuable credentials, such as the sign-on credentials, not be used with any of these protocols. If these protocols must be used by domain users, secondary credentials should be provisioned for these use cases.
+
+Credential Guard does not allow unconstrained Kerberos delegation or Kerberos DES encryption at all. Neither sign-on nor prompted/saved credentials may be used.
Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
index a70c1c7836..8192f42f7f 100644
--- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
@@ -87,7 +87,7 @@ Threats are considered "active" if there is a very high probability that the mal
Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
> [!NOTE]
-> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
### Related topics
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
index c921b59dc1..ad99762845 100644
--- a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -24,7 +24,7 @@ localizationpriority: high
This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
> [!NOTE]
-> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See also [Windows 10 privacy FAQ](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq) for more information.
+> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.
## What data does Windows Defender ATP collect?
@@ -32,7 +32,7 @@ Microsoft will collect and store information from your configured endpoints in a
Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).
-Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
+Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
Microsoft uses this data to:
- Proactively identify indicators of attack (IOAs) in your organization
diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
index 353acce55b..9793cfc53f 100644
--- a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
+++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
@@ -62,7 +62,6 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|Product name |App info |
|-------------|---------|
|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.MicrosoftEdge
**App Type:** Universal app |
-|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** iexplore.exe
**App Type:** Desktop app |
|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.People
**App Type:** Universal app |
|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Word
**App Type:** Universal app |
|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Excel
**App Type:** Universal app |
@@ -71,8 +70,9 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app |
|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app |
|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app |
-|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** onedrive.exe
**App Type:** Desktop app|
-|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** notepad.exe
**App Type:** Desktop app |
-|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** mspaint.exe
**App Type:** Desktop app |
|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app |
-|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
\ No newline at end of file
+|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
+|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** iexplore.exe
**App Type:** Desktop app |
+|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** onedrive.exe
**App Type:** Desktop app|
+|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** notepad.exe
**App Type:** Desktop app |
+|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app |
\ No newline at end of file
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
index a4b75576ef..cdde9f9522 100644
--- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -23,7 +23,7 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints.
+You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md
index b64a82a6e0..b91386f0c0 100644
--- a/windows/keep-secure/guidance-and-best-practices-wip.md
+++ b/windows/keep-secure/guidance-and-best-practices-wip.md
@@ -25,4 +25,5 @@ This section includes info about the enlightened Microsoft apps, including how t
|[Windows Information Protection (WIP) overview](wip-enterprise-overview.md) |High-level overview info about why to use WIP, the enterprise scenarios, and how to turn it off. |
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
-|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
\ No newline at end of file
+|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). |
\ No newline at end of file
diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
index 23ecf47c6e..b9e72308cc 100644
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
@@ -20,9 +20,13 @@ localizationpriority: high
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
>[!IMPORTANT]
->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10. Use **Windows Hello for Business** policy settings to manage PINs.
+>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
+>
+>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
+>
+>Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business.
-## Group Policy settings for Windows Hello for Businness
+## Group Policy settings for Windows Hello for Business
The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
index ff296372d8..51e68f1fee 100644
--- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
@@ -67,7 +67,7 @@ In the file's page, **Submit for deep analysis** is enabled when the file is ava
> [!NOTE]
> Only files from Windows 10 can be automatically collected.
-You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
+You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
> [!NOTE]
> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
index 217e287455..fb34c03d1f 100644
--- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -40,7 +40,7 @@ The Machines view contains the following columns:
- **Active malware detections** - the number of active malware detections reported by the machine
> [!NOTE]
-> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
Click any column header to sort the view in ascending or descending order.
diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md
new file mode 100644
index 0000000000..947cee9c66
--- /dev/null
+++ b/windows/keep-secure/limitations-with-wip.md
@@ -0,0 +1,77 @@
+---
+title: Limitations while using Windows Information Protection (WIP) (Windows 10)
+description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP).
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Limitations while using Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+This table provides info about the most common problems you might encounter while running WIP in your organization.
+
+
+
+ | Limitation |
+ How it appears |
+ Workaround |
+
+
+ | Enterprise data on USB drives is tied to the device it was protected on. |
+ Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |
+ Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited. We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
+
+
+ | Direct Access is incompatible with WIP. |
+ Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. |
+ We recommend that you use VPN for client access to your intranet resources. Note
VPN is optional and isn’t required by WIP. |
+
+
+ | NetworkIsolation Group Policy setting is incompatible with WIP. |
+ The NetworkIsolation Group Policy setting has incompatible network settings that can conflict and cause problems with WIP. |
+ We recommend that you don’t use the NetworkIsolation Group Policy setting. |
+
+
+ | Cortana can potentially allow data leakage if it’s on the allowed apps list. |
+ If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft. |
+ We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app. |
+
+
+ | WIP is designed for use by a single user per device. |
+ A secondary user on a device might experience app compat issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process. |
+ We recommend only having one user per managed device. |
+
+
+ | Installers copied from an enterprise network file share might not work properly. |
+ An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action. |
+ To fix this, you can:
+
+ - Start the installer directly from the file share.
-OR-
+ - Decrypt the locally copied files needed by the installer.
-OR-
+ - Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
+ |
+
+
+ | Changing your primary Corporate Identity isn’t supported. |
+ You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access. |
+ Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying. |
+
+
+ | Redirected folders with Client Side Caching are not compatible with WIP. |
+ Apps might encounter access errors while attempting to read a cached, offline file. |
+ Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business. |
+
+
+ | You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. |
+ A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**. |
+ Open File Explorer and change the file ownership to **Personal** before you upload. |
+
+
diff --git a/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md
index a462835906..2f8775683c 100644
--- a/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md
+++ b/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
- redirect_url: https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
+ redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
---
# Monitor the Windows Defender Advanced Threat Protection onboarding
-This page has been redirected to [Configure endpoints](https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
\ No newline at end of file
+This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
\ No newline at end of file
diff --git a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
index 0e1ec374bc..0790236e3f 100644
--- a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
+++ b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
@@ -16,7 +16,7 @@ author: brianlic-msft
This topic provides a roadmap for planning and getting started on the Device Guard deployment process, with links to topics that provide additional detail. Planning for Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you.
-**Planning**
+## Planning
1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).
@@ -33,7 +33,7 @@ This topic provides a roadmap for planning and getting started on the Device Gua
4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
-**Getting started on the deployment process**
+## Getting started on the deployment process
1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
index f9a18be888..8c9f2086ff 100644
--- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
@@ -39,7 +39,7 @@ When you open the portal, you’ll see the main areas of the application:
> [!NOTE]
-> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md
index b6d01bc4cc..44ee846cb2 100644
--- a/windows/keep-secure/protect-enterprise-data-using-wip.md
+++ b/windows/keep-secure/protect-enterprise-data-using-wip.md
@@ -48,7 +48,7 @@ To help address this security insufficiency, company’s developed data loss pre
Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss preventions systems is that it provides a jarring experience that interrupts the employees’ natural workflow by blocking some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
### Using information rights management systems
-To help address the potential data loss prevention system problems, company’s developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
+To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person won’t be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees’ work might be unexpectedly interrupted if he or she attempts to use a non-compatible app.
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 6ad9ebb407..7e351ee5aa 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -86,9 +86,9 @@ If none of the event logs and troubleshooting steps work, download the Local scr
Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
:---|:---|:---|:---|:---
-0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
If it doesn't exist, open an elevated command and add the key.
- | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+ | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported.
0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
index c60ccfbea9..5973f94f6f 100644
--- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md
@@ -23,7 +23,7 @@ The TPM Services Group Policy settings are located at:
**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
| Setting | Windows 10, version 1607 | Windows 10, version 1511 and Windows 10, version 1507 | Windows Server 2012 R2, Windows 8.1 and Windows RT | Windows Server 2012, Windows 8 and Windows RT | Windows Server 2008 R2 and Windows 7 | Windows Server 2008 and Windows Vista |
-| - | - | - | - | - | - |
+| - | - | - | - | - | - | - |
| [Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu) | | X| X| X| X| X|
| [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)| X| X| X| X| X| X|
| [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) | X| X| X| X| X| X|
@@ -32,21 +32,28 @@ The TPM Services Group Policy settings are located at:
| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X|||
| [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X| X|||
| [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X| X||||
-
+
### Turn on TPM backup to Active Directory Domain Services
This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information.
->**Note:** This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
-
+>[!NOTE]
+>This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table).
+
+
TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can be run only by the TPM owner. This hash authorizes the TPM to run these commands.
->**Important:** To back up TPM owner information from a computer running Windows 10, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). This functionality is discontinued starting with Windows 10, version 1607.
+>[!IMPORTANT]
+>To back up TPM owner information from a computer running Windows 10, version 1507, Windows 10, version 1511, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). This functionality is discontinued starting with Windows 10, version 1607.
If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds.
If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.
+>[!NOTE]
+> The **Turn on TPM backup to Active Directory Domain Services** is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files.
+
+
### Configure the list of blocked TPM commands
This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows.
diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md
index 9e4092ef6a..4d3345f8a1 100644
--- a/windows/keep-secure/windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md
@@ -20,7 +20,7 @@ localizationpriority: high
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
->For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy).
+>For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index 19a65a7a57..1eee1f803e 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -1,6 +1,22 @@
# [Manage and update Windows 10](index.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
+## [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+### [Overview of Windows as a service](waas-overview.md)
+### [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+### [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+### [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+### [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+#### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+#### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+### [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+### [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+#### [Configure Windows Update for Business](waas-configure-wufb.md)
+#### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+#### [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+#### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+### [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+### [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
## [Manage corporate devices](manage-corporate-devices.md)
### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
@@ -35,7 +51,6 @@
### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
## [Configure devices without MDM](configure-devices-without-mdm.md)
-## [Windows 10 servicing options](introduction-to-windows-10-servicing.md)
## [Application Virtualization (App-V) for Windows](appv-for-windows.md)
### [Getting Started with App-V](appv-getting-started.md)
#### [What's new in App-V](appv-about-appv.md)
diff --git a/windows/manage/acquire-apps-windows-store-for-business.md b/windows/manage/acquire-apps-windows-store-for-business.md
index 3840db35c7..f9a6004ba5 100644
--- a/windows/manage/acquire-apps-windows-store-for-business.md
+++ b/windows/manage/acquire-apps-windows-store-for-business.md
@@ -13,9 +13,9 @@ localizationpriority: high
As an admin, you can acquire apps from the Windows Store for Business for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md).
## App licensing model
-The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
+The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Admins control whether or not offline apps are available in Store for Business with an offline app visibility setting. For more information, see [offline license visibility](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#offline-licensing).
-For more information, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md).
+For more information on the Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).
## Payment options
Some apps are free, and some have a price. Apps can be purchased in the Windows Store for Business using your credit card. You can enter your credit card information on **Account Information**, or when you purchase an app. Currently, we accept these credit cards:
diff --git a/windows/manage/application-development-for-windows-as-a-service.zip b/windows/manage/application-development-for-windows-as-a-service.zip
new file mode 100644
index 0000000000..7ae85a8f22
Binary files /dev/null and b/windows/manage/application-development-for-windows-as-a-service.zip differ
diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md
index f74b81160c..5dcc21f0b4 100644
--- a/windows/manage/apps-in-windows-store-for-business.md
+++ b/windows/manage/apps-in-windows-store-for-business.md
@@ -80,7 +80,7 @@ Distribution options for online-licensed apps include the ability to:
- Distribute through a management tool.
-**Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store.
+**Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. Admins control whether or not offline apps are available in Store for Business with an offline app visibility setting. For more information, see [offline license visibility](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#offline-licensing).
You have the following distribution options for offline-licensed apps:
diff --git a/windows/manage/appv-application-publishing-and-client-interaction.md b/windows/manage/appv-application-publishing-and-client-interaction.md
index ca6912ebd6..b99eb36f43 100644
--- a/windows/manage/appv-application-publishing-and-client-interaction.md
+++ b/windows/manage/appv-application-publishing-and-client-interaction.md
@@ -245,7 +245,7 @@ Before an application can access the package registry data, the App-V Client mus
When a new package is added to the App-V Client, a copy of the REGISTRY.DAT file from the package is created at `%ProgramData%\Microsoft\AppV\Client\VREG\{Version GUID}.dat`. The name of the file is the version GUID with the .DAT extension. The reason this copy is made is to ensure that the actual hive file in the package is never in use, which would prevent the removal of the package at a later time.
-**Registry.dat from Package Store ** > **%ProgramData%\Microsoft\AppV\Client\Vreg\{VersionGuid}.dat**
+**Registry.dat from Package Store** > **%ProgramData%\Microsoft\AppV\Client\Vreg\\{VersionGuid}.dat**
When the first application from the package is launched on the client, the client stages or copies the contents out of the hive file, re-creating the package registry data in an alternate location `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Packages\PackageGuid\Versions\VersionGuid\REGISTRY`. The staged registry data has two distinct types of machine data and user data. Machine data is shared across all users on the machine. User data is staged for each user to a userspecific location `HKCU\Software\Microsoft\AppV\Client\Packages\PackageGuid\Registry\User`. The machine data is ultimately removed at package removal time, and the user data is removed on a user unpublish operation.
@@ -387,7 +387,7 @@ Packages can be explicitly loaded using the Windows PowerShell `Mount-AppVClient
### Streaming packages
-The App-V Client can be configured to change the default behavior of streaming. All streaming policies are stored under the following registry key: `HKEY_LOCAL_MAcHINE\Software\Microsoft\AppV\Client\Streaming`. Policies are set using the Windows PowerShell cmdlet `Set-AppvClientConfiguration`. The following policies apply to Streaming:
+The App-V Client can be configured to change the default behavior of streaming. All streaming policies are stored under the following registry key: `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Streaming`. Policies are set using the Windows PowerShell cmdlet `Set-AppvClientConfiguration`. The following policies apply to Streaming:
@@ -485,8 +485,8 @@ App-V registry roaming falls into two scenarios, as shown in the following table
-
-
+
+
@@ -513,8 +513,8 @@ App-V registry roaming falls into two scenarios, as shown in the following table
In this scenario, these settings are not roamed with normal operating system roaming configurations, and the resulting registry keys and values are stored in the following location:
-HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\{UserSID}\REGISTRY\MACHINE\SOFTWARE
HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\Registry\User\{UserSID}\SOFTWARE
HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\{UserSID}\REGISTRY\MACHINE\SOFTWARE
HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\Registry\User\\{UserSID}\SOFTWARE
@@ -532,21 +532,21 @@ The following table shows local and roaming locations, when folder redirection h
| VFS directory in package | Mapped location of backing store |
| - | - |
-| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\ProgramFilesX86 |
-| SystemX86 | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\SystemX86 |
-| Windows | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\Windows |
-| appv\_ROOT | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\appv_ROOT|
-| AppData | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\AppData |
+| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\ProgramFilesX86 |
+| SystemX86 | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\SystemX86 |
+| Windows | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\Windows |
+| appv\_ROOT | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\appv_ROOT|
+| AppData | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\AppData |
The following table shows local and roaming locations, when folder redirection has been implemented for %AppData%, and the location has been redirected (typically to a network location).
| VFS directory in package | Mapped location of backing store |
| - | - |
-| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\ProgramFilesX86 |
-| SystemX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\SystemX86 |
-| Windows | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\Windows |
-| appv_ROOT | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\appv\_ROOT |
-| AppData | \\Fileserver\users\Local\roaming\Microsoft\AppV\Client\VFS\\AppData |
+| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\ProgramFilesX86 |
+| SystemX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\SystemX86 |
+| Windows | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\Windows |
+| appv_ROOT | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\appv\_ROOT |
+| AppData | \\Fileserver\users\Local\roaming\Microsoft\AppV\Client\VFS\\<GUID>\AppData |
The current App-V Client VFS driver cannot write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to additional machines, where the process will be repeated. The detailed steps of the processes are:
@@ -602,11 +602,7 @@ In an App-V Full Infrastructure, after applications are sequenced they are manag
This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012, see [Integrating Virtual Application Management with App-V 5 and Configuration Manager 2012 SP1](https://www.microsoft.com/en-us/download/details.aspx?id=38177).
-The App-V application lifecycle tasks are triggered at user login (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured during setup of the client or post-setup with Windows PowerShell commands. See [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md) or use Windows PowerShell:
-
-``` syntax
-get-command *appv*
-```
+The App-V application lifecycle tasks are triggered at user login (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured (after the client is enabled) with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell).
### Publishing refresh
diff --git a/windows/manage/appv-deploying-appv.md b/windows/manage/appv-deploying-appv.md
index 53ad22d7a7..d9b76d330e 100644
--- a/windows/manage/appv-deploying-appv.md
+++ b/windows/manage/appv-deploying-appv.md
@@ -30,6 +30,11 @@ App-V supports a number of different deployment options. Review this topic for i
This section provides a deployment checklist that can be used to assist with installing App-V.
+- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
+[Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
+
+ These sections describe how to use App-V to deliver Microsoft Office as a virtualized application to computers in your organization.
+
## Other Resources for Deploying App-V
diff --git a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
index 90cdcd48d7..c492e3a97e 100644
--- a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md
@@ -14,7 +14,7 @@ ms.prod: w10
**Applies to**
- Windows 10, version 1607
-Use the information in this article to use Microsoft Application Virtualization (App-V), or later versions, to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V.
+Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V.
This topic contains the following sections:
diff --git a/windows/manage/appv-performance-guidance.md b/windows/manage/appv-performance-guidance.md
index 5c2f1c51a3..e0a277bf9c 100644
--- a/windows/manage/appv-performance-guidance.md
+++ b/windows/manage/appv-performance-guidance.md
@@ -29,15 +29,12 @@ You should read and understand the following information before reading this doc
**Note**
Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk * review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document.
-
-
Finally, this document will provide you with the information to configure the computer running App-V client and the environment for optimal performance. Optimize your virtual application packages for performance using the sequencer, and to understand how to use User Experience Virtualization (UE-V) or other user environment management technologies to provide the optimal user experience with App-V in both Remote Desktop Services (RDS) and non-persistent virtual desktop infrastructure (VDI).
To help determine what information is relevant to your environment you should review each section’s brief overview and applicability checklist.
## App-V in stateful\* non-persistent deployments
-
This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This is achieved by uniquely addressing the often long-running App-V publishing refresh. As you will discover the basis of the approach, the fastest publishing refresh, is one that doesn’t have to actually do anything. A number of conditions must be met and steps followed to provide the optimal user experience.
Use the information in the following section for more information:
@@ -125,7 +122,7 @@ IT Administration
-### Usage Scenario
+### Usage Scenarios
As you review the two scenarios, keep in mind that these approach the extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users, virtual application packages, or both.
@@ -143,9 +140,9 @@ As you review the two scenarios, keep in mind that these approach the extremes.
To provide the most optimal user experience, this approach leverages the capabilities of a UPM solution and requires additional image preparation and can incur some additional image management overhead.
-The following describes many performance improvements in stateful non-persistent deployments. For more information, see the Sequencing Steps to Optimize Packages for Publishing Performance and reference to App-V Sequencing Guide in the See Also section of this document. |
+The following describes many performance improvements in stateful non-persistent deployments. For more information, see [Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance) later in this topic.
The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in very costly arrays; a slight alteration has been made to the approach. Do not pre-configure user-targeted virtual application packages in the base image.
-The impact of this alteration is detailed in the User Experience Walkthrough section of this document. |
+The impact of this alteration is detailed in the [User Experience Walk-through](#bkmk-uewt) section of this document.
@@ -443,13 +440,11 @@ In a non-persistent environment, it is unlikely these pended operations will be
The following section contains lists with information about Microsoft documentation and downloads that may be useful when optimizing your environment for performance.
-**.NET NGEN Blog and Script (Highly Recommended)**
+
-About NGEN technology
+**.NET NGEN Blog (Highly Recommended)**
-- [How to speed up NGEN optimaztion](http://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx)
-
-- [Script](http://aka.ms/DrainNGenQueue)
+- [How to speed up NGEN optimization](http://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx)
**Windows Server and Server Roles**
@@ -483,7 +478,6 @@ Server Performance Tuning Guidelines for
## Sequencing Steps to Optimize Packages for Publishing Performance
-
Several App-V features facilitate new scenarios or enable new customer deployment scenarios. These following features can impact the performance of the publishing and launch operations.
@@ -504,7 +498,7 @@ Several App-V features facilitate new scenarios or enable new customer deploymen
No Feature Block 1 (FB1, also known as Primary FB) |
-No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch.If there are network limitations, FB1 will:
+ | No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:
Reduce the number of stream faults and network bandwidth used when you launch an application for the first time. Delay launch until the entire FB1 has been streamed.
[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |
The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. |
+| [Update Windows 10 in the enterprise](waas-update-windows-10.md) | Learn how to manage updates to Windows 10 in your organization, including Windows Update for Business. |
[Manage corporate devices](manage-corporate-devices.md) |
You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions. |
@@ -55,7 +56,6 @@ Learn about managing and updating Windows 10.
[Configure devices without MDM](configure-devices-without-mdm.md) |
Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. |
|
-| [Windows 10 servicing options](introduction-to-windows-10-servicing.md) | This article describes the new servicing options available in Windows 10, Windows 10 Mobile, and Windows 10 IoT Core (IoT Core) and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles. |
[Application Virtualization for Windows (App-V)](appv-for-windows.md) |
When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. |
diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md
index 65114bd167..f57d4145be 100644
--- a/windows/manage/introduction-to-windows-10-servicing.md
+++ b/windows/manage/introduction-to-windows-10-servicing.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, servicing
author: jdeckerMS
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10
---
# Windows 10 servicing options
diff --git a/windows/manage/lockdown-features-windows-10.md b/windows/manage/lockdown-features-windows-10.md
index 8a5219e4bb..c6eaa7e68d 100644
--- a/windows/manage/lockdown-features-windows-10.md
+++ b/windows/manage/lockdown-features-windows-10.md
@@ -96,8 +96,8 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be
[Gesture Filter](https://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen |
-[Assigned Access](https://go.microsoft.com/fwlink/p/?LinkId=626608) |
-The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access. |
+MDM and Group Policy |
+In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#LockDown_AllowEdgeSwipe) policy. |
[Custom Logon]( https://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown |
diff --git a/windows/manage/manage-access-to-private-store.md b/windows/manage/manage-access-to-private-store.md
index 634eb7c4a9..3c7b9b2b79 100644
--- a/windows/manage/manage-access-to-private-store.md
+++ b/windows/manage/manage-access-to-private-store.md
@@ -25,12 +25,28 @@ The private store is a feature in Store for Business that organizations receive
-Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group-policy-table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy.
+Organizations can use either an MDM policy, or Group Policy to show only their private store in Windows Store.
+
+## Show private store only using MDM policy
+
+Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). More specifically, the [ApplicationManagement/RequirePrivateStoreOnly](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#ApplicationManagement_RequirePrivateStoreOnly) policy.
+
+**ApplicationManagement/RequirePrivateStoreOnly** policy is supported on the following Windows 10 editions:
+- Enterprise
+- Education
+- Mobile
+- Mobile Enterprise
+
+For more information on configuring an MDM provider, see [Configure an MDM provider](https://technet.microsoft.com/itpro/windows/manage/configure-mdm-provider-windows-store-for-business).
## Show private store only using Group Policy
If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
+**Only display the private store within the Windows Store app** group policy is supported on the following Windows 10 editions:
+- Enterprise
+- Education
+
**To show private store only in Windows Store app**
1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index eae421589e..83ea150608 100644
--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -63,7 +63,7 @@ See the following table for a summary of the management settings for Windows 10
| [2. Cortana and Search](#bkmk-cortana) |  |  |  | |  |
| [3. Date & Time](#bkmk-datetime) |  | | |  | |
| [4. Device metadata retrieval](#bkmk-devinst) | |  | | | |
-| [5. Font streaming](#font-streaming) | | | |  | |
+| [5. Font streaming](#font-streaming) | |  | |  | |
| [6. Insider Preview builds](#bkmk-previewbuilds) |  |  |  | |  |
| [7. Internet Explorer](#bkmk-ie) |  |  | | | |
| [8. Live Tiles](#live-tiles) | |  | | | |
@@ -91,6 +91,7 @@ See the following table for a summary of the management settings for Windows 10
| [16.14 Other devices](#bkmk-priv-other-devices) |  |  | |  | |
| [16.15 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | |
| [16.16 Background apps](#bkmk-priv-background) |  | | | | |
+| [16.17 Motion](#bkmk-priv-motion) |  |  | | | |
| [17. Software Protection Platform](#bkmk-spp) | |  |  | | |
| [18. Sync your settings](#bkmk-syncsettings) |  |  |  | | |
| [19. Teredo](#bkmk-teredo) | | | | |  |
@@ -112,7 +113,7 @@ See the following table for a summary of the management settings for Windows Ser
| [2. Cortana and Search](#bkmk-cortana) |  |  | | |
| [3. Date & Time](#bkmk-datetime) |  | |  | |
| [4. Device metadata retrieval](#bkmk-devinst) | |  | | |
-| [5. Font streaming](#font-streaming) | | |  | |
+| [5. Font streaming](#font-streaming) | |  |  | |
| [6. Insider Preview builds](#bkmk-previewbuilds) |  |  | | |
| [7. Internet Explorer](#bkmk-ie) |  |  | | |
| [8. Live Tiles](#live-tiles) | |  | | |
@@ -136,7 +137,7 @@ See the following table for a summary of the management settings for Windows Ser
| - | :-: | :-: | :-: | :-: | :-: |
| [1. Certificate trust lists](#certificate-trust-lists) |  |  | |
| [3. Date & Time](#bkmk-datetime) | |  | |
-| [5. Font streaming](#font-streaming) | |  | |
+| [5. Font streaming](#font-streaming) |  |  | |
| [12. Network Connection Status Indicator](#bkmk-ncsi) |  | | |
| [17. Software Protection Platform](#bkmk-spp) |  | | |
| [19. Teredo](#bkmk-teredo) | | |  |
@@ -168,11 +169,18 @@ For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update**
+ -and-
+
+1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**.
+2. Double-click **Certificate Path Validation Settings**.
+3. On the **Network Retrieval** tab, select the **Define these policy settings** check box.
+4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**.
+
-or-
- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1.
- -or-
+ -and-
1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**.
2. Double-click **Certificate Path Validation Settings**.
@@ -183,6 +191,9 @@ On Windows Server 2016 Nano Server:
- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1.
+>[!NOTE]
+>CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+
### 2. Cortana and Search
Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730683).
@@ -257,7 +268,12 @@ To prevent Windows from retrieving device metadata from the Internet, apply the
Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
-To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
+If you're running Windows 10, version 1607 or Windows Server 2016, disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**.
+
+> [!NOTE]
+> After you apply this policy, you must restart the device for it to take effect.
+
+If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
### 6. Insider Preview builds
@@ -584,6 +600,8 @@ Use Settings > Privacy to configure some settings that may be important to yo
- [16.16 Background apps](#bkmk-priv-background)
+- [16.17 Motion](#bkmk-priv-motion)
+
### 16.1 General
**General** includes options that don't fall into other areas.
@@ -609,7 +627,7 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**.
Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
@@ -943,6 +961,10 @@ To turn off **Let apps automatically share and sync info with wireless devices t
- Turn off the feature in the UI.
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices**
+
To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
- Turn off the feature in the UI.
@@ -1035,13 +1057,27 @@ To turn off **Let apps run in the background**:
- Turn off the feature in the UI for each app.
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 16.17 Motion
+
+In the **Motion** area, you can choose which apps have access to your motion data.
+
+To turn off **Let Windows and your apps use your motion data and collect motion history**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion**
+
### 17. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
For Windows 10:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation**
-or-
@@ -1049,7 +1085,7 @@ For Windows 10:
For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation**
The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md
index 36b77add2e..ff1aec9da2 100644
--- a/windows/manage/manage-cortana-in-enterprise.md
+++ b/windows/manage/manage-cortana-in-enterprise.md
@@ -56,7 +56,7 @@ Set up and manage Cortana by using the following Group Policy and mobile device
|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.**Note**
This setting only applies to Windows 10 for desktop devices. |
|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in the enterprise.
**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). |
|None |System/AllowLocation |Specifies whether to allow app access to the Location service.
**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). |
-|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
Use this setting if you only want to support Azure AD in your organization. |
+|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.
**Note**
This setting only applies to Windows 10 Mobile. |
|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference. |
diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index 7d798edb80..211f47f9c2 100644
--- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -283,28 +283,73 @@ Alternatively, you can turn on Shell Launcher using the Deployment Image Servici
1. Open a command prompt as an administrator.
2. Enter the following command.
-
-
-
-
-
-
-
- Dism /online /Enable-Feature /FeatureName:Client-EmbeddedShellLauncher
|
-
-
-
+
+ ```
+ Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
+ ```
**To set your custom shell**
Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
```
+# Check if shell launcher license is enabled
+function Check-ShellLauncherLicenseEnabled
+{
+ [string]$source = @"
+using System;
+using System.Runtime.InteropServices;
+
+static class CheckShellLauncherLicense
+{
+ const int S_OK = 0;
+
+ public static bool IsShellLauncherLicenseEnabled()
+ {
+ int enabled = 0;
+
+ if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
+ enabled = 0;
+ }
+
+ return (enabled != 0);
+ }
+
+ static class NativeMethods
+ {
+ [DllImport("Slc.dll")]
+ internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
+ }
+
+}
+"@
+
+ $type = Add-Type -TypeDefinition $source -PassThru
+
+ return $type[0]::IsShellLauncherLicenseEnabled()
+}
+
+[bool]$result = $false
+
+$result = Check-ShellLauncherLicenseEnabled
+"`nShell Launcher license enabled is set to " + $result
+if (-not($result))
+{
+ "`nThis device doesn't have required license to use Shell Launcher"
+ exit
+}
+
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
-$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
+try {
+ $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
+ } catch [Exception] {
+ write-host $_.Exception.Message;
+ write-host "Make sure Shell Launcher feature is enabled"
+ exit
+ }
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
@@ -319,7 +364,7 @@ function Get-UsernameSID($AccountName) {
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
-
+
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
diff --git a/windows/manage/set-up-shared-or-guest-pc.md b/windows/manage/set-up-shared-or-guest-pc.md
index 047004f0c0..f641f80569 100644
--- a/windows/manage/set-up-shared-or-guest-pc.md
+++ b/windows/manage/set-up-shared-or-guest-pc.md
@@ -100,6 +100,7 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (
11. (*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
+
> [!IMPORTANT]
> We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
diff --git a/windows/manage/uev-deploy-required-features.md b/windows/manage/uev-deploy-required-features.md
index 8814f6f0c0..286fc22b1e 100644
--- a/windows/manage/uev-deploy-required-features.md
+++ b/windows/manage/uev-deploy-required-features.md
@@ -125,6 +125,9 @@ The UE-V service is the client-side component that captures user-personalized ap
Before enabling the UE-V service, you need to register the UE-V templates for first time use. In a PowerShell window, type **register-<TemplateName>** where **TemplateName** is the name of the UE-V template you want to register, and press ENTER.
+>**Note**
+With Windows 10, version 1607, you must register UE-V templates for all inbox and custom templates. This provides flexibility for only deploying the required templates.
+
With Windows 10, version 1607 and later, the UE-V service is installed on user devices. Enable the service to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell.
**To enable the UE-V service with Group Policy**
diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md
index 90469e91a6..dbf68b6bad 100644
--- a/windows/manage/update-windows-store-for-business-account-settings.md
+++ b/windows/manage/update-windows-store-for-business-account-settings.md
@@ -130,7 +130,7 @@ Once you click **Next**, the information you provided will be validated with a
##Offline licensing##
-Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store.
+Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on the Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).
Admins can decide whether or not offline licenses are shown for apps in Windows Store for Business.
diff --git a/windows/manage/waas-branchcache.md b/windows/manage/waas-branchcache.md
new file mode 100644
index 0000000000..9bbd3db6e4
--- /dev/null
+++ b/windows/manage/waas-branchcache.md
@@ -0,0 +1,66 @@
+---
+title: Configure BranchCache for Windows 10 updates (Windows 10)
+description: Use BranchCache to optimize network bandwidth during update deployment.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Configure BranchCache for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+
+BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
+
+- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
+
+ >[!TIP]
+ >Distributed Cache mode is preferred to Hosted Cache mode for Windows 10 updates to get the most benefit from peer-to-peer distribution.
+
+- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf.
+
+For detailed information about how Distributed Cache mode and Hosted Cache mode work, see [BranchCache Overview](https://technet.microsoft.com/library/dd637832(v=ws.10).aspx).
+
+## Configure clients for BranchCache
+
+Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopter’s Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx).
+
+Whether you use BranchCache with Configuration Manager or with WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see Client Configuration in the BranchCache Early Adopter’s Guide.
+
+In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+
+## Configure servers for BranchCache
+
+You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and System Center Configuration Manager.
+
+For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](https://technet.microsoft.com/library/jj572990) or [BranchCache Deployment Guide (Windows Server 2016)](https://technet.microsoft.com/windows-server-docs/networking/branchcache/deploy/branchcache-deployment-guide).
+
+In addition to these steps, there is one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode.
+
+>[!NOTE]
+>Configuration Manager only supports Distributed Cache mode.
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md)
diff --git a/windows/manage/waas-configure-wufb.md b/windows/manage/waas-configure-wufb.md
new file mode 100644
index 0000000000..e6c1f6e142
--- /dev/null
+++ b/windows/manage/waas-configure-wufb.md
@@ -0,0 +1,218 @@
+---
+title: Configure Windows Update for Business (Windows 10)
+description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Configure Windows Update for Business
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for both Windows 10, version 1511, and Windows 10, version 1607. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
+
+>[!IMPORTANT]
+>For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system telemetry level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization#configure-the-operating-system-telemetry-level).
+
+Configuration of Windows 10 Mobile devices is limited to the feature set pertaining to Quality Updates only. That is, Windows Mobile Feature Updates are categorized the same as Quality Updates, and can only be deferred by setting the Quality Update deferral period, for a maximum period of 30 days.
+
+## Start by grouping devices
+
+By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. For more information, see [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
+
+>[!TIP]
+>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
+
+
+## Configure devices for Current Branch (CB) or Current Branch for Business (CBB)
+
+With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](https://technet.microsoft.com/en-us/itpro/windows/manage/introduction-to-windows-10-servicing).
+
+**Release branch policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
+| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
+| MDM for version 1607: ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
+| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**RequireDeferredUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+
+
+## Configure when devices receive Feature Updates
+
+After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of 180 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
+
+**Examples**
+
+| Settings | Scenario and behavior |
+| --- | --- |
+| Device is on CBDeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. |
+| Device is on CBBDeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. |
+
+
+**Defer Feature Updates policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
+| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
+| MDM for version 1607: ../Vendor/MSFT/Policy/Config/Update/**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
+| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+
+
+## Pause Feature Updates
+
+You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
+
+**Pause Feature Updates policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates |
+| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
+| MDM for version 1607: ../Vendor/MSFT/Policy/Config/Update/**PauseFeatureUpdates** | \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates |
+| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
+
+
+You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+
+The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+
+| Value | Status|
+| --- | --- |
+| 0 | Feature Updates not paused |
+| 1 | Feature Updates paused |
+| 2 | Feature Updates have auto-resumed after being paused |
+
+
+## Configure when devices receive Quality Updates
+
+Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
+
+You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
+
+**Defer Quality Updates policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
+| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
+| MDM for version 1607: ../Vendor/MSFT/Policy/Config/Update/**DeferQualityUpdates** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
+| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
+
+
+## Pause Quality Updates
+
+You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again.
+
+**Pause Quality Updates policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |\Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates |
+| GPO for version 1511: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
+| MDM for version 1607: ../Vendor/MSFT/Policy/Config/Update/**PauseQualityUpdates** | \Microsoft\PolicyManager\default\Update\PauseQualityUpdates |
+| MDM for version 1511: ../Vendor/MSFT/Policy/Config/Update/**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
+
+
+You can check what date Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+
+The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
+
+| Value | Status|
+| --- | --- |
+| 0 | Quality Updates not paused |
+| 1 | Quality Updates paused |
+| 2 | Quality Updates have auto-resumed after being paused |
+
+## Exclude drivers from Quality Updates
+
+In Windows 10, version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
+
+**Exclude driver policies**
+
+| Policy | Sets registry key under **HKLM\Software** |
+| --- | --- |
+| GPO for version 1607: Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
+| MDM for version 1607: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
+
+
+
+## Summary: MDM and Group Policy for version 1607
+
+Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607.
+
+**GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
+
+| GPO Key | Key type | Value |
+| --- | --- | --- |
+| BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)32: systems take Feature Updates for the Current Branch for Business (CBB)Note: Other value or absent: receive all applicable updates (CB) |
+| DeferQualityUpdates | REG_DWORD | 1: defer quality updatesOther value or absent: don’t defer quality updates |
+| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days |
+| PauseQualityUpdates | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates |
+|DeferFeatureUpdates | REG_DWORD | 1: defer feature updatesOther value or absent: don’t defer feature updates |
+| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days |
+| PauseFeatureUpdates | REG_DWORD |1: pause feature updatesOther value or absent: don’t pause feature updates |
+| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update driversOther value or absent: offer Windows Update drivers |
+
+
+**MDM: HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\Update**
+
+| MDM Key | Key type | Value |
+| --- | --- | --- |
+| BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)32: systems take Feature Updates for the Current Branch for Business (CBB)Note: Other value or absent: receive all applicable updates (CB) |
+| DeferQualityUpdatesPeriod | REG_DWORD | 0-30: defer quality updates by given days |
+| PauseQualityUpdates | REG_DWORD | 1: pause quality updatesOther value or absent: don’t pause quality updates |
+| DeferFeatureUpdatesPeriod | REG_DWORD | 0-180: defer feature updates by given days |
+| PauseFeatureUpdates | REG_DWORD | 1: pause feature updatesOther value or absent: don’t pause feature updates |
+| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update driversOther value or absent: offer Windows Update drivers |
+
+## Update devices from Windows 10, version 1511 to version 1607
+
+Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. However,Windows Update for Business clients running version 1511 will still see their policies honored after they update to version 1607; the old policy keys will continue to exist with their values ported forward during the update. Following the update to version 1607, it should be noted that only the version 1511 keys will be populated and not the new version 1607 keys, until the newer keys are explicitly defined on the device by the administrator.
+
+### How version 1511 policies are respected on version 1607
+
+When a client running version 1607 sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for version 1607. If these are not present, it will then check to see if any of the version 1511 keys are set and defer accordingly. Update keys for version 1607 will always supersede the version 1511 equivalent.
+
+### Comparing the version 1511 keys to the version 1607 keys
+
+In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other.
+
+Group Policy keys| Version 1511 GPO keys | Version 1607 GPO keys |
+| **DeferUpgrade**: *enable/disable*
+Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***Pause**: *enable/disable* Enabling will pause both upgrades and updates for a max of 35 days | **DeferFeatureUpdates**: *enable/disable***BranchReadinessLevel** Set device on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable* Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdates**: *Enable/disable***DeferQualityUpdatesPeriodinDays**: *0 - 30 days***PauseQualityUpdates**: *enable/disable* Enabling will pause Quality updates for a max of 35 days**ExcludeWUDrivers**: *enable/disable* |
+
+
+MDM keys| Version 1511 MDM keys | Version 1607 MDM keys |
+| **RequireDeferUpgade**: *bool* Puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***PauseDeferrals**: *bool* Enabling will pause both upgrades and updates for a max of 35 days | **BranchReadinessLevel** Set system on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable* Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdatesPeriodinDays**: *0 - 30 days***PauseQualityUpdates**: *enable/disable* Enabling will pause Quality updates for a max of 35 days**ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td> |
+
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md
new file mode 100644
index 0000000000..ec8c9efdd4
--- /dev/null
+++ b/windows/manage/waas-delivery-optimization.md
@@ -0,0 +1,251 @@
+---
+title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
+description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Configure Delivery Optimization for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+
+Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager.
+
+>[!NOTE]
+>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
+
+By default in Windows 10 Enterprise and Education, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
+
+## Delivery Optimization options
+
+You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
+
+- Group Policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization
+- MDM: .Vendor/MSFT/Policy/Config/DeliveryOptimization
+
+Several Delivery Optimization features are configurable.
+
+### Download mode (DODownloadMode)
+
+Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do.
+
+| Download mode option | Functionality when set |
+| --- | --- |
+| HTTP Only (0) | This setting disables peer content sharing but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. |
+| LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. |
+| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
+| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
+| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable. |
+|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. |
+
+>[!NOTE]
+>Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
+
+### Group ID (DOGroupID)
+
+By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
+
+>[!NOTE]
+>This configuration is optional and not required for most implementations of Delivery Optimization.
+
+### Max Cache Age (DOMaxCacheAge)
+
+In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
+
+### Max Cache Size (DOMaxCacheSize)
+
+This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
+
+### Absolute Max Cache Size (DOAbsoluteMaxCacheSize)
+
+This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB.
+
+### Maximum Download Bandwidth (DOMaxDownloadBandwidth)
+
+This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
+
+### Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
+
+This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
+### Max Upload Bandwidth (DOMaxUploadBandwidth)
+
+This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
+
+### Minimum Background QoS (DOMinBackgroundQoS)
+
+This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
+
+### Modify Cache Drive (DOModifyCacheDrive)
+
+This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache).
+
+### Monthly Upload Data Cap (DOMonthlyUploadDataCap)
+
+This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
+
+## Delivery Optimization configuration examples
+
+Delivery Optimization can be configured in various ways, leveraging the policies described in the previous section. The following samples describe some common scenarios that organizations may want to set up, given specific scenarios in use for their organization.
+
+### Use Delivery Optimzation with group download mode
+
+Delivery Optimization by default will consider all PCs in an organizations as peers for sharing content, even those that might be located across a slower WAN link. Group download mode is designed to help with this by limiting the PCs that can be used. In Windows 10, version 1511, group download mode considers PCs in the same domain and with the same configured Group ID to be eligible peers. In Windows 10, version 1607, the default behavior also adds the PC's AD DS site into the grouping determination.
+
+**To use Group Policy to configure Delivery Optimization for group download mode**
+
+1. Open Group Policy Management Console (GPMC).
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Group**.
+
+5. Right-click the **Delivery Optimization – Group** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
+
+7. Right-click the **Download Mode** setting, and then click **Edit**.
+
+8. Enable the policy, and then select the **Group** download mode.
+
+9. Right-click the **GroupID** setting, and then click **Edit**. Enable the policy, and then specify a unique GUID for each group of PCs. (This is not required for Windows 10, version 1607, since the AD site code will be used to group devices automatically.)
+
+10. Click **OK**, and then close the Group Policy Management Editor.
+
+11. In GPMC, select the **Delivery Optimization – Group** policy.
+
+12. On the **Scope** tab, under **Security Filtering**, configure the policy to be targeted to an approprite computer group.
+
+**To use Intune to configure Delivery Optimization for group download mode**
+
+1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+5. In **Setting name**, type **Set Delivery Optimization to Group**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode**.
+
+7. In the **Value** box, type **2**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+8. Click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+10. In the **Manage Deployment** dialog box, select the **All Computers** group, click **Add**, and then click **OK**.
+
+### Use WSUS and BranchCache with Windows 10, version 1511
+
+In Windows 10, version 1511, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **HTTP only** download mode, which results in Background Intelligent Transfer Service (BITS) being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
+
+**To use Group Policy to configure HTTP only download mode**
+
+1. Open Group Policy Management Console (GPMC).
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – HTTP Only**.
+
+5. Right-click the **Delivery Optimization – HTTP Only** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
+
+7. Right-click the **Download Mode** setting, and then click **Edit**.
+
+8. Enable the policy, and then select the **HTTP only** download mode.
+
+9. Click **OK**, and then close the Group Policy Management Editor.
+
+10. In GPMC, select the **Delivery Optimization – HTTP Only** policy.
+
+11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, browse to the **Domain Computers** group, and then click **OK**.
+
+ 
+
+ >[!NOTE]
+ >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
+
+### Use WSUS and BranchCache with Windows 10, version 1607
+
+In Windows 10, version 1607, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **Bypass** download mode (new in Windows 10, version 1607), which results in BITS being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
+
+**To use Group Policy to enable the Bypass download mode**
+
+1. Open Group Policy Management Console (GPMC).
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Bypass**.
+
+5. Right-click the **Delivery Optimization – Bypass** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
+
+7. Right-click the **Download Mode** setting, and then click **Edit**.
+
+8. Enable the policy, and then select the **Bypass** download mode. (Note that this download mode is only present in the Windows 10, version 1607, Group Policy ADMX files.)
+
+9. Click **OK**, and then close the Group Policy Management Editor.
+
+10. In GPMC, select the **Delivery Optimization – Bypass** policy.
+
+11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, select the **Domain Computers** group, and then click **OK**.
+
+ >[!NOTE]
+ >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
+
+### Set “preferred” cache devices for Delivery Optimization
+
+In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content).
+
+To specify which devices are preferred, you can set the **Max Cache Age** configuration with a value of **Unlimited** (0). As a result, these devices will be used more often as sources for other devices downloading the same files.
+
+On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet:
+
+- Set **DOBackgroundQoS** with a low value, for example `65536` which is the equivalent of 64 KB/s.
+
+## Learn more
+
+[Windows 10, Delivery Optimization, and WSUS](https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/)
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
diff --git a/windows/manage/waas-deployment-rings-windows-10-updates.md b/windows/manage/waas-deployment-rings-windows-10-updates.md
new file mode 100644
index 0000000000..87b46bd064
--- /dev/null
+++ b/windows/manage/waas-deployment-rings-windows-10-updates.md
@@ -0,0 +1,76 @@
+---
+title: Build deployment rings for Windows 10 updates (Windows 10)
+description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Build deployment rings for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different.
+
+Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings.
+
+Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary.
+
+Table 1 provides an example of the deployment rings you might use.
+
+**Table 1**
+
+| Deployment ring | Servicing branch | Total weeks after Current Branch (CB) or Current Brandh for Business (CBB) release |
+| --- | --- | --- |
+| Preview | Windows Insider | Pre-CB |
+| Ring 1 Pilot IT | CB | CB + 0 weeks |
+| Ring 2 Pilot business users | CB | CB + 2 weeks |
+| Ring 3 Broad IT | CBB | CBB + 0 weeks |
+| Ring 4 Broad business users | CBB | CBB + 4 weeks |
+| Ring 5 Broad business users #2 | CBB | CBB + 8 weeks |
+
+>[!NOTE]
+>In this example, there are no rings made up of the long-term servicing branch (LTSB). The LTSB servicing branch does not receive feature updates.
+>
+>Windows Insider is in the deployment ring list for informational purposes only. Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insiderdevices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates.
+
+
+As Table 1 shows, each combination of servicing branch and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing branch to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing branch they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense.
+
+
+
+
+
+## Steps to manage updates for Windows 10
+
+
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | Build deployment rings for Windows 10 updates
+(this topic) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+
diff --git a/windows/manage/waas-integrate-wufb.md b/windows/manage/waas-integrate-wufb.md
new file mode 100644
index 0000000000..63914b38ff
--- /dev/null
+++ b/windows/manage/waas-integrate-wufb.md
@@ -0,0 +1,109 @@
+---
+title: Integrate Windows Update for Business with management solutions (Windows 10)
+description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Integrate Windows Update for Business with management solutions
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
+
+## Integrate Windows Update for Business with Windows Server Update Services
+
+
+For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup:
+
+- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
+- All other content synced from WSUS will be directly applied to the device; that is, non-Windows Updates content will not follow your Windows Update for Business deferral policies
+
+### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS
+
+**Configuration:**
+
+- Device is configured to defer Windows Quality Updates using Windows Update for Business
+- Device is also configured to be managed by WSUS
+- Device is not configured to include Microsoft Updates from Windows Update (**Update/AllowMUUpdateService** = not enabled)
+- Admin has opted to put Microsoft updates on WSUS
+- Admin has also put 3rd party drivers on WSUS
+
+| Content | Metadata source | Payload source | Deferred? | |
+| Windows Update | Windows Update | Windows Update | Yes |  |
+| Microsoft Update (such as Office updates) | WSUS | WSUS | No |
+| Third-party drivers | WSUS | WSUS | No |
+
+
+### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business
+
+**Configuration:**
+
+- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled)
+- Device is also configured to be managed by WSUS
+- Admin has opted to put Windows Update drivers on WSUS
+
+
+| Content | Metadata source | Payload source | Deferred? | |
+| Windows Update (exclude driver) | Windows Update | Windows Update | Yes |  |
+| Windows Update drivers | WSUS | WSUS | No |
+| Microsoft Update (such as Office updates) | WSUS | WSUS | No |
+| Windows drivers, third-party drivers | WSUS | WSUS | No |
+
+
+
+### Configuration example \#3: Device configured to receive Microsoft updates
+
+**Configuration:**
+
+- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS
+- Device is configured to “receive updates for other Microsoft products” along with Windows Update updates (**Update/AllowMUUpdateService** = enabled)
+- Admin has also placed Microsoft Update content on the WSUS server
+
+In this example, the Microsoft Update deferral behavior is slightly different than if WSUS were not enabled.
+- In a non-WSUS case, the Microsoft Update updates would be deferred just as any Windows Update update would be.
+- However, with WSUS also configured, Microsoft Update content is sourced from Microsoft but deferral policies are not applied.
+
+
+| Content | Metadata source | Payload source | Deferred? | |
+| Windows Update (exclude drivers) | Windows Update | Windows Update | Yes |  |
+| Microsoft Update (such as Office updates) | Microsoft Update | Microsoft Update | No |
+| Drivers, third-party | WSUS | WSUS | No |
+
+
+>[!NOTE]
+> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner.
+
+## Integrate Windows Update for Business with System Center Configuration Manager
+
+For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+
diff --git a/windows/manage/waas-manage-updates-configuration-manager.md b/windows/manage/waas-manage-updates-configuration-manager.md
new file mode 100644
index 0000000000..6a560d09d0
--- /dev/null
+++ b/windows/manage/waas-manage-updates-configuration-manager.md
@@ -0,0 +1,406 @@
+---
+title: Manage Windows 10 updates using System Center Configuration Manager (Windows 10)
+description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage Windows 10 updates using System Center Configuration Manager
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+
+System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
+
+You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation.
+
+>[!NOTE]
+>This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager).
+
+## Windows 10 servicing dashboard
+
+The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx).
+
+For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements:
+
+- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods.
+- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed.
+- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode.
+- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications.
+
+ **To configure Upgrade classification**
+
+ 1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list.
+
+ 2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**.
+
+ 
+
+ 3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**.
+
+When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard.
+
+## Enable CBB clients in Windows 10, version 1511
+
+When you use System Center Configuration Manager to manage Windows 10 servicing, you must first set the **Defer Updates or Upgrades** policy on the clients that should be on the Current Branch for Business (CBB) servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don’t set this policy, Configuration Manager discovers all clients, as it would in Current Branch (CB) mode.
+
+**To use Group Policy to configure a client for the CBB servicing branch**
+
+>[!NOTE]
+>In this example, a specific organizational unit (OU) called **Windows 10 – Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied.
+
+1. On a PC running the Remote Server Administration Tools or on a domain controller, open Group Policy Management Console (GPMC).
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+4. Right-click the **Windows 10 – Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**.
+
+ 
+
+5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO.
+
+ >[!NOTE]
+ >In this example, you’re linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure.
+
+6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**.
+
+7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+8. Right-click the **Defer Upgrades and Updates** setting, and then click **Edit**.
+
+ 
+
+9. Enable the policy, and then click **OK**.
+
+ >[!NOTE]
+ >The additional options in this setting are only for Windows Update for Business, so be sure not to configure them when using System Center Configuration Manager for Windows 10 servicing.
+
+10. Close the Group Policy Management Editor.
+
+This policy will now be deployed to every device in the **Windows 10 – Current Branch for Business Machines** OU.
+
+
+## Enable CBB clients in Windows 10, version 1607
+
+When you use Configuration Manager to manage Windows 10 servicing, you must first set the **Select when Feature Updates** are received policy on the clients that should be on the CBB servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don’t set this policy, Configuration Manager discovers all clients, as it would in CB mode.
+
+>[!NOTE]
+>System Center Configuration Manager version 1606 is required to manage devices running Windows 10, version 1607.
+
+**To use Group Policy to configure a client for the CBB servicing branch**
+
+>[!NOTE]
+>In this example, a specific organizational unit (OU) called **Windows 10 – Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied.
+
+1. On a PC running the Remote Server Administration Tools or on a domain controller, open GPMC.
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click the **Windows 10 – Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**.
+
+ 
+
+5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO.
+
+ >[!NOTE]
+ >In this example, you’re linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure.
+
+6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**.
+
+7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates.
+
+8. Right-click the **Select when Feature Updates are received** setting, and then click **Edit**.
+
+9. Enable the policy, select the **CBB** branch readiness level, and then click **OK**.
+
+10. Close the Group Policy Management Editor.
+
+This policy will now be deployed to every device in the **Windows 10 – Current Branch for Business Machines** OU.
+
+## Create collections for deployment rings
+
+Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 3 Broad IT**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 3 Broad IT** collection as a deployment ring for the first CBB users, IT pros.
+
+>[!NOTE]
+>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
+
+**To create collections for deployment rings**
+
+1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
+
+2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
+
+3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 – All Current Branch for Business**.
+
+4. Click **Browse** to select the limiting collection, and then click **All Systems**.
+
+5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**.
+
+6. Name the rule **CBB Detection**, and then click **Edit Query Statement**.
+
+7. On the **Criteria** tab, click the **New** icon.
+
+ 
+
+8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**.
+
+9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**.
+
+ 
+
+ >[!NOTE]
+ >Configuration Manager discovers clients’ servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**.
+
+10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**.
+
+ 
+
+11. Now that the **OSBranch** attribute is correct, verify the operating system version.
+
+12. On the **Criteria** tab, click the **New** icon again to add criteria.
+
+13. In the **Criterion Properties** dialog box, click **Select**.
+
+14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**.
+
+ 
+
+15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**.
+
+ 
+
+16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard.
+
+17. Click **Summary**, and then click **Next**.
+
+18. Close the wizard.
+
+>[!IMPORTANT]
+>Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesn’t equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds.
+
+After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 3 Broad IT** collection. Complete the following steps to create the Ring 3 Broad IT device collection, which you’ll use as a CBB deployment ring for servicing plans or task sequences.
+
+1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
+
+2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
+
+3. In the Create Device Collection Wizard, in the **name** box, type **Ring 3 Broad IT**.
+
+4. Click **Browse** to select the limiting collection, and then click **Windows 10 – All Current Branch for Business**.
+
+5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**.
+
+6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**.
+
+7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**.
+
+8. Select the computer that will be part of the **Ring 3 Broad IT** deployment ring, and then click **Next**.
+
+9. Click **Next**, and then click **Close**.
+
+10. In the **Create Device Collection Wizard** dialog box, click **Summary**.
+
+11. Click **Next**, and then click **Close**.
+
+
+## Use Windows 10 servicing plans to deploy Windows 10 feature updates
+
+There are two ways to deploy Windows 10 feature updates with System Center onfiguration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates.
+
+**To configure Windows feature updates for CBB clients in the Ring 3 Broad IT deployment ring using a servicing plan**
+
+1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**.
+
+2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**.
+
+3. Name the plan **Ring 3 Broad IT Servicing Plan**, and then click **Next**.
+
+4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 3 Broad IT** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**.
+
+ >[!IMPORTANT]
+ >Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message.
+ >
+ >
+ >
+ >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx).
+
+5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**.
+
+ Doing so deploys CBB feature updates to the IT deployment ring immediately after they are released to CBB.
+
+ On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**.
+
+6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank.
+
+7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline.
+
+8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**.
+
+ Doing so allows installation and restarts after the 7-day deadline on workstations only.
+
+9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**.
+
+ In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates.
+
+ 
+
+10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**.
+
+ 
+
+ Select the distribution points that serve the clients to which you’re deploying this servicing plan, and then click **OK**.
+
+11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**.
+
+
+You have now created a servicing plan for the **Ring 3 Broad IT** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plan’s properties on the **Evaluation Schedule** tab.
+
+
+
+
+## Use a task sequence to deploy Windows 10 updates
+
+There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
+
+- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
+- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments.
+
+Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console:
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages.
+
+2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**.
+
+3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**.
+
+ In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607.
+
+ >[!NOTE]
+ >System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607.
+
+4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**.
+
+5. On the **Summary** page, click **Next** to create the package.
+
+6. On the **Completion** page, click **Close**.
+
+Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points:
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise – Version 1607** software upgrade package.
+
+2. On the Ribbon, in the **Deployment group**, click **Distribute Content**.
+
+3. In the Distribute Content Wizard, on the **General** page, click **Next**.
+
+4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**.
+
+5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**.
+
+6. On the **Content Destination** page, click **Next**.
+
+7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point.
+
+8. On the **Completion** page, click **Close**.
+
+Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package:
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
+
+2. On the Ribbon, in the **Create** group, click **Create Task Sequence**.
+
+3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
+
+4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise – Version 1607**, and then click **Next**.
+
+5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**.
+
+6. Click **Next**.
+
+7. On the **Include Updates** page, select **Available for installation – All software updates**, and then click **Next**.
+
+8. On the **Install Applications** page, click **Next**.
+
+9. On the **Summary** page, click **Next** to create the task sequence.
+
+10. On the **Completion** page, click **Close**.
+
+With the task sequence created, you’re ready to deploy it. If you’re using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 3 Broad IT collection**.
+
+>[!IMPORTANT]
+>This process deploys a Windows 10 operating system feature update to the affected devices. If you’re testing, be sure to select the collection to which you deploy this task sequence carefully.
+
+**To deploy your task sequence**
+
+1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise – Version 1607** task sequence.
+
+2. On the Ribbon, in the **Deployment** group, click **Deploy**.
+
+3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**.
+
+4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**.
+
+5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**.
+
+6. In the **Assignment Schedule** dialog box, click **Schedule**.
+
+7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**.
+
+8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**.
+
+9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**.
+
+10. Use the defaults for the remaining settings.
+
+11. Click **Summary**, and then click **Next** to deploy the task sequence.
+
+12. Click **Close**.
+
+
+
+
+
+
+## Steps to manage updates for Windows 10
+
+
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or Manage Windows 10 updates using System Center Configuration Manager (this topic) |
+
+
+
+
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
diff --git a/windows/manage/waas-manage-updates-wsus.md b/windows/manage/waas-manage-updates-wsus.md
new file mode 100644
index 0000000000..43121c0f0d
--- /dev/null
+++ b/windows/manage/waas-manage-updates-wsus.md
@@ -0,0 +1,351 @@
+---
+title: Manage Windows 10 updates using Windows Server Update Services (Windows 10)
+description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage Windows 10 updates using Windows Server Update Services (WSUS)
+
+
+**Applies to**
+
+- Windows 10
+
+
+WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides.
+
+When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
+
+
+
+## Requirements for Windows 10 servicing with WSUS
+
+To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3148812](https://support.microsoft.com/kb/3159706) patches on the WSUS server.
+
+## WSUS scalability
+
+To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a demilitarized zone, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx).
+
+
+## Express Installation Files
+
+With Windows 10, quality updates will be larger than traditional Windows Updates because they’re cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*.
+
+ At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered.
+
+ **To configure WSUS to download Express Update Files**
+
+1. Open the WSUS Administration Console.
+
+2. In the navigation pane, go to *Your_Server*\\**Options**.
+
+3. In the **Options** section, click **Update Files and Languages**.
+
+ 
+
+4. In the **Update Files and Languages** dialog box, select **Download express installation files**.
+
+ 
+
+ >[!NOTE]
+ >Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. Alternatively, when using Express Installation Files for previous versions of Windows, the feature’s positive effects aren’t noticeable because the updates aren’t cumulative.
+
+## Configure automatic updates and update service location
+
+When using WSUS to manage updates on Windows client devices, start by configuring the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain.
+
+**To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment**
+
+1. Open GPMC.
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+ 
+
+ >[!NOTE]
+ >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
+
+4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**.
+
+5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
+
+ 
+
+8. In the **Configure Automatic Updates** dialog box, select **Enable**.
+
+9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
+
+ 
+
+ >[!NOTE]
+ ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
+
+9. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**.
+
+9. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**.
+
+12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type **http://Your_WSUS_Server_FQDN:PortNumber**, and then click **OK**.
+
+ >[!NOTE]
+ >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
+
+ 
+
+ >[!NOTE]
+ >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you’re unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**.
+
+As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
+
+## Create computer groups in the WSUS Administration Console
+
+>[!NOTE]
+>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
+
+You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console.
+
+**To create computer groups in the WSUS Administration Console**
+
+1. Open the WSUS Administration Console.
+
+2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**.
+
+ 
+
+3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
+
+4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you’re finished, there should be three deployment ring groups.
+
+Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
+
+
+## Use the WSUS Administration Console to populate deployment rings
+
+Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*.
+
+In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers.
+
+### Manually assign unassigned computers to groups
+
+When new computers communicate with WSUS, they appear in the **Unassigned Computers** group. From there, you can use the following procedure to add computers to their correct groups. For these examples, you use two Windows 10 PCs (WIN10-PC1 and WIN10-PC2) to add to the computer groups.
+
+**To assign computers manually**
+
+1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers.
+
+ Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
+
+2. Select both computers, right-click the selection, and then click **Change Membership**.
+
+ 
+
+3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
+
+ Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there.
+
+### Search for multiple computers to add to groups
+
+Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature.
+
+**To search for multiple computers**
+
+1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**.
+
+2. In the search box, type **WIN10**.
+
+3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
+
+ 
+
+4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
+
+You can now see these computers in the **Ring 3 Broad IT** computer group.
+
+
+
+## Use Group Policy to populate deployment rings
+
+The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment.
+
+**To configure WSUS to allow client-side targeting from Group Policy**
+
+1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
+
+ 
+
+2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
+
+ >[!NOTE]
+ >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
+
+Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting:
+
+**To configure client-side targeting**
+
+>[!TIP]
+>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings.
+
+1. Open GPMC.
+
+2. Expand Forest\Domains\\*Your_Domain*.
+
+3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, type **WSUS – Client Targeting – Ring 4 Broad Business Users** for the name of the new GPO.
+
+5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**.
+
+ 
+
+6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
+
+7. Right-click **Enable client-side targeting**, and then click **Edit**.
+
+8. In the **Enable client-side targeting** dialog box, select **Enable**.
+
+9. In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added.
+
+ 
+
+10. Close the Group Policy Management Editor.
+
+Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
+
+**To scope the GPO to a group**
+
+1. In GPMC, select the **WSUS – Client Targeting – Ring 4 Broad Business Users** policy.
+
+2. Click the **Scope** tab.
+
+3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
+
+ 
+
+The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring.
+
+## Automatically approve and deploy feature updates
+
+For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
+
+>[!NOTE]
+>WSUS respects the client’s servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it.
+
+**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring**
+
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
+
+2. On the **Update Rules** tab, click **New Rule**.
+
+3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
+
+ 
+
+4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
+
+5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**.
+
+ Windows 10 is under All Products\Microsoft\Windows.
+
+6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**.
+
+7. Leave the deadline set for **7 days after the approval at 3:00 AM**.
+
+8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
+
+ 
+
+9. In the **Automatic Approvals** dialog box, click **OK**.
+
+ >[!NOTE]
+ >WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
+
+Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
+
+## Manually approve and deploy feature updates
+
+You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
+
+**To approve and deploy feature updates manually**
+
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
+
+2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**.
+
+3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**.
+
+4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**.
+
+ Windows 10 is under All Products\Microsoft\Windows.
+
+5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
+
+ 
+
+Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
+
+1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
+
+2. Right-click the feature update you want to deploy, and then click **Approve**.
+
+ 
+
+3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**.
+
+ 
+
+4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**.
+
+ 
+
+5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
+
+ If the deployment is successful, you should receive a successful progress report.
+
+ 
+
+6. In the **Approval Progress** dialog box, click **Close**.
+
+
+
+## Steps to manage updates for Windows 10
+
+
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or Manage Windows 10 updates using Windows Server Update Services (this topic)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/manage/waas-manage-updates-wufb.md b/windows/manage/waas-manage-updates-wufb.md
new file mode 100644
index 0000000000..8cf7dfc5f2
--- /dev/null
+++ b/windows/manage/waas-manage-updates-wufb.md
@@ -0,0 +1,136 @@
+---
+title: Manage updates using Windows Update for Business (Windows 10)
+description: Windows Update for Business lets you manage when devices received updates from Windows Update.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage updates using Windows Update for Business
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings. Using Group Policy or MDM solutions such as Intune, you can control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines.
+
+Specifically, Windows Update for Business allows for:
+
+- The creation of deployment and validation groups, where administrators can specify which devices go first in an update wave, and which ones will come later (to ensure any quality bars are met).
+- Selectively including or excluding drivers as part of Microsoft-provided updates
+- Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune.
+- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.
+
+Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education.
+
+## Update types
+
+Windows Update for Business provides three types of updates to Windows 10 devices:
+
+- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released at a slower cadence, every 4 to 8 months.
+- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
+- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
+
+Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded rage of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business.
+
+
+
+| Category |
+Maximum deferral |
+Deferral increments |
+Example |
+Classification GUID |
+
+
+| Feature Updates |
+180 days |
+Days |
+From Windows 10, version 1511 to version 1607 |
+3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
+
+
+| Quality Updates |
+30 days |
+Days |
+Security updates |
+0FA1201D-4330-4FA8-8AE9-B877473B6441 |
+
+
+| Drivers (optional) |
+EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 |
+
+
+| Non-security updates |
+CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 |
+
| Microsoft updates (Office, Visual Studio, etc.) | varies |
+
+| Non-deferrable |
+No deferral |
+No deferral |
+Definition updates |
+E0789628-CE08-4437-BE74-2495B842F43B |
+
+
+
+>[!NOTE]
+>For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/en-us/library/ff357803.aspx).
+
+## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607
+
+Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.
+
+>[!NOTE]
+>For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](introduction-to-windows-10-servicing.md).
+
+
+
+ | Capability | Windows 10, version 1511 | Windows 10, version 1607 |
+
|---|
+
+
+ Select Servicing Options: CB or CBB | Not available. To defer updates, all systems must be on the Current Branch for Business (CBB) | Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB). |
+Quality Updates | Able to defer receiving Quality Updates: - Up to 4 weeks
- In weekly increments
| Able to defer receiving Quality Updates: - Up to 30 days
- In daily increments
|
+Feature Updates | Able to defer receiving Feature Updates: - Up to 8 months
- In monthly increments
| Able to defer receiving Feature Updates: - Up to 180 days
- In daily increments
|
+Pause updates | - Feature Updates and Quality Updates paused together
- Maximum of 35 days
| Features and Quality Updates can be paused separately. - Feature Updates: maximum 60 days
- Quality Updates: maximum 35 days
|
+Drivers | No driver-specific controls | Drivers can be selectively excluded from Windows Update for Business. |
+
+
+
+## Steps to manage updates for Windows 10
+
+
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | Manage updates using Windows Update for Business (this topic)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+
+
diff --git a/windows/manage/waas-mobile-updates.md b/windows/manage/waas-mobile-updates.md
new file mode 100644
index 0000000000..615e3ec321
--- /dev/null
+++ b/windows/manage/waas-mobile-updates.md
@@ -0,0 +1,80 @@
+---
+title: Manage updates for Windows 10 Mobile Enterprise (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage updates for Windows 10 Mobile Enterprise
+
+
+**Applies to**
+
+- Windows 10 Mobile
+
+
+>[!TIP]
+>If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first.
+
+Devices running Windows 10 Mobile receive updates from the Current Branch (CB) unless you [enroll the device in the Windows Insider Program](waas-servicing-branches-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise can be assigned to CBB.
+
+[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)
+
+
+
+| Windows 10 edition | CB | CBB | Insider Program |
+| --- | --- | --- | --- | --- |
+| Mobile |  |  |  |
+| Mobile Enterprise |  |  |  |
+
+
+
+Configuration of Windows 10 Mobile devices is limited to the feature set pertaining to Quality Updates only. That is, Windows Mobile Feature Updates are categorized the same as Quality Updates, and can only be deferred by setting the Quality Update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise. Updates cannot be managed for Windows 10 Mobile.
+
+## Windows 10 Mobile Enterprise, version 1511
+
+Only the following Windows Update for Business policies are supported:
+
+- ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade
+- ../Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod
+- ../Vendor/MSFT/Policy/Config/Update/PauseDeferrals
+
+To defer the update period or pause deferrals, the device must be configured for CBB servicing branch by applying the **RequireDeferredUpgrade** policy.
+
+## Windows 10 Mobile Enterprise, version 1607
+
+Only the following Windows Update for Business policies are supported:
+
+- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
+- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays
+- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates
+
+In version 1607, you can defer and pause updates for devices on both the CB and CBB servicing branches.
+
+If a device running Windows 10 Mobile Enterprise, version 1511, has Windows Update for Business policies applied and is then updated to version 1607, version 1511 policies continue to apply until version 1607 policies are applied.
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+
+
+
diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md
new file mode 100644
index 0000000000..e094d5389a
--- /dev/null
+++ b/windows/manage/waas-optimize-windows-10-updates.md
@@ -0,0 +1,74 @@
+---
+title: Optimize update delivery for Windows 10 updates (Windows 10)
+description: Two methods of peer-to-peer content distribution are available in Windows 10, Delivery Optimization and BranchCache.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Optimize update delivery for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+
+
+When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10.
+
+Two methods of peer-to-peer content distribution are available in Windows 10.
+
+- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests.
+
+ Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
+
+- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
+
+ >[!NOTE]
+ >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
+
+ Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
+
+
+
+| Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager |
+| --- | --- | --- | --- | --- |
+| Delivery Optimization |  |  |  |  |
+| BranchCache |  |  | |  |
+
+>[!NOTE]
+>Starting with preview version 1604, System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage in the same Configuration Manager boundary group. This is expected to be available in later Configuration Manager current branch releases.
+>
+>In addition to client content sharing, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt613173.aspx).
+
+
+## Steps to manage updates for Windows 10
+
+
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | Optimize update delivery for Windows 10 updates (this topic) |
+|  | [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+
+
diff --git a/windows/manage/waas-overview.md b/windows/manage/waas-overview.md
new file mode 100644
index 0000000000..22c34f8e05
--- /dev/null
+++ b/windows/manage/waas-overview.md
@@ -0,0 +1,184 @@
+---
+title: Overview of Windows as a service (Windows 10)
+description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Overview of Windows as a service
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+- Windows 10 IoT Mobile
+
+The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
+
+## Building
+
+Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn’t work in today’s rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two to three times per year to help address these issues.
+
+In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, whehn Windows was nearly ready to ship. With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible — during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
+
+Microsoft also depends on receiving feedback from organizations throughout the development process so that it can make adjustments as quickly as possible rather than waiting until after release. For more information about the Windows Insider Program and how to sign up, see the section [Windows Insider](#windows-insider).
+
+Of course Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
+
+## Deploying
+
+Deploying Windows 10 is simpler than with previous versions of Windows. When migrating from earlier versions of Windows, an easy in-place upgrade process can be used to automatically preserve all apps, settings, and data. And once running Windows 10, deployment of Windows 10 feature updates will be equally simple.
+
+One of the biggest challenges for organizations when it comes to deploying a new version of Windows is compatibility testing. Whereas compatibility was previously a concern for organizations upgrading to a new version of Windows, Windows 10 is compatible with most hardware and software capable of running on Windows 7 or later. Because of this high level of compatibility, the app compatibility testing process can be greatly simplified.
+
+### Application compatibility
+
+Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. With Windows 10, application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously. Microsoft understands the challenges organizations experienced when they migrated from the Windows XP operating system to Windows 7 and has been working to make Windows 10 upgrades a much better experience.
+
+Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and telemetry data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
+
+For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. If it’s unclear whether an application is compatible with Windows 10, IT pros can either consult with the ISV or check the supported software directory at [http://www.readyforwindows.com](http://www.readyforwindows.com).
+
+### Device compatibility
+
+Device compatibility in Windows 10 is also very strong; new hardware is not needed for Windows 10 as any device capable of running Windows 7 or later can run Windows 10. In fact, the minimum hardware requirements to run Windows 10 are the same as those required for Windows 7. Most hardware drivers that functioned in Windows 8.1, Windows 8, or Windows 7 will continue to function in Windows 10.
+
+## Servicing
+
+Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
+
+With Windows 10, organizations will need to change the way they approach deploying updates. Servicing branches are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing branches comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing branch to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing branches and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
+
+For information about each servicing tool available for Windows 10, see [Servicing tools](#servicing-tools).
+
+To align with this new update delivery model, Windows 10 has three servicing branches, each of which provides different levels of flexibility over when these updates are delivered to client computers. For information about the servicing branches available in Windows 10, see [Servicing branches](#servicing-branches).
+
+
+### Feature updates
+
+With Windows 10, Microsoft will package new features into feature updates that can be deployed using existing management tools. Because feature updates are delivered more frequently than with previous Windows releases — two to three times per year rather than every 3–5 years — changes will be in bite-sized chunks rather than all at once and end user readiness time much shorter.
+
+### Quality updates
+
+Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of nonsecurity fixes.
+
+In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and nonsecurity fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 machines in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates.
+
+**Figure 1**
+
+
+
+
+
+## Servicing branches
+
+To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual machines are updated. For example, an organization may have test machines that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). In addition, the Windows Insider Program provides IT pros and other interested parties with prerelease Windows builds that they can test and ultimately provide feedback on to Microsoft. For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
+
+The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
+
+>[!NOTE]
+>Servicing branches are not the only way to separate groups of machines when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
+
+
+### Current Branch
+
+In the CB servicing model, feature updates are available as soon as Microsoft releases them. Windows 10 version 1511 had few servicing tool options to delay CB feature updates, limiting the use of the CB servicing branch. Windows 10 version 1607, however, includes more servicing tools that can delay CB feature updates for up to 180 days. The CB servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately.
+
+When Microsoft officially releases a feature update for Windows 10, that update is marked for CB, making it available to any PC not configured to defer feature updates so that those machines can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer CB feature updates to selective machines by withholding their approval and deployment. In this scenario, the content available for CB will be available but not necessarily immediately mandatory, depending on the policy of the management system. Only one CB build of Windows is supported at a time, so those clients not on the most current build will not receive quality updates (after a 60 day grace period) until the most current feature update has been installed. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
+
+
+### Current Branch for Business
+
+Organizations typically prefer to have a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the CBB servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just at a later time. CB releases are transitioned to CBB after about 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both of these branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Microsoft will support two CBB builds at a time, plus a 60 day grace period. Each feature update release will be supported and updated for a minimum of 18 months.
+
+
+>[!NOTE]
+>Organizations can electively delay CB and CBB updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools.
+
+Basically, CBB is a configuration state, meaning that if a computer has the **Defer Updates and Upgrades** flag enabled—either through Group Policy, a mobile device management product like Microsoft Intune, or manually on the client—it’s considered to be in the CBB servicing branch. The benefit of tying this servicing model and CB to a configuration state rather than a SKU is that they are easily interchangeable. If an organization accidentally selects CBB on a machine that doesn’t need delayed updates, it’s simple to change it back.
+
+### Long-term Servicing Branch
+
+Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other machines in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSB servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
+
+>[!NOTE]
+>LTSB is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the CB or CBB servicing branch.
+
+Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSB releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
+
+LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSB model primarily for specialized devices.
+
+>[!NOTE]
+>If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the CB or CBB servicing branch, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports CB and CBB.
+
+### Windows Insider
+
+For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test machines for compatibility validation.
+
+Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about how to sign up for the Windows Insider Program and enroll test devices, go to [https://insider.windows.com](https://insider.windows.com).
+
+>[!NOTE]
+>The Windows Insider Program isn’t intended to replace CB deployments in an organization. Rather, it provides IT pros and other interested parties with prerelease Windows builds that they can test and ultimately provide feedback on to Microsoft.
+
+
+
+## Servicing tools
+
+There are many tools with which IT pros can service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates:
+
+- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the CBB servicing branch. Organizations can control which devices defer updates and stay in the CBB servicing branch or remain in CB by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 client.
+- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes a little more control over update deferment and provides centralized management using Group Policy. In Windows 10 version 1511, Windows Update for Business can be used to defer feature updates for up to 8 months and quality updates for up to 4 weeks. Also, these deferment options were available only to clients in the CBB servicing branch. In Windows 10 version 1607 and later, Windows Update for Business can be used to defer feature updates for up to 180 days and quality updates for up to 30 days. These deployment options are available to clients in either the CB or CBB servicing branch. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune. In addition to Intune, organizations can use Group Policy to manage Windows Update for Business.
+- **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
+- **System Center Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
+
+With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses System Center Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1.
+
+**Table 1**
+
+| Servicing tool | Can updates be deferred? | Ability to approve updates | Peer-to-peer option | Additional features |
+| --- | --- | --- | --- | --- |
+| Windows Update | Yes (manual) | No | Delivery Optimization | None|
+| Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects |
+| WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability |
+| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options |
+
+
+
+## Steps to manage updates for Windows 10
+
+
+|  | Learn about updates and servicing branches (this topic) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+
+
+
+
+
+
+
+
diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md
new file mode 100644
index 0000000000..56bade4088
--- /dev/null
+++ b/windows/manage/waas-servicing-branches-windows-10-updates.md
@@ -0,0 +1,128 @@
+---
+title: Assign devices to servicing branches for Windows 10 updates (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Assign devices to servicing branches for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+>[!TIP]
+>If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first.
+
+Current Branch is the default servicing branch for all Windows 10 devices except those with the long-term servicing branch edition installed. The following table shows the servicing branches available to each edition of Windows 10.
+
+| Windows 10 edition | Current branch (CB) | Current branch for business (CBB) | Long-term servicing branch (LTSB) | Insider Program |
+| --- | --- | --- | --- | --- |
+| Home |  |  |  |  |
+| Pro |  |  |  |  |
+| Enterprise |  |  |  |  |
+| Pro Education |  |  |  |  |
+| Education |  |  |  |  |
+| Mobile |  |  |  |  |
+| Mobile Enterprise |  |  |  |  |
+
+
+
+>[!NOTE]
+>The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+
+## Assign devices to Current Branch for Business
+
+**To assign a single PC locally to CBB**
+
+1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**.
+2. Select **Defer feature updates**.
+
+**To assign PCs to CBB using Group Policy**
+
+- In Windows 10, version 1511:
+
+ Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates**
+
+- In Windows 10, version 1607:
+
+ Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to CBB
+
+**To assign PCs to CBB using MDM**
+
+- In Windows 10, version 1511:
+
+ ../Vendor/MSFT/Policy/Config/Update/**RequireDeferredUpgrade**
+
+- In Windows 10, version 1607:
+
+ ../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel**
+
+**To assign Windows 10 Mobile Enterprise to CBB using MDM**
+
+- In Windows 10 Mobile Enterprise, version 1511:
+
+ ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade
+
+- In Windows 10 Mobile Enterprise, version 1607:
+
+ ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
+
+## Enroll devices in the Windows Insider Program
+
+Enrolling devices in the Windows Insider Program is simple and requires only a Microsoft account. To enroll a device in the Windows Insider Program, complete the following steps on the device that you want to enroll:
+
+1. Go to **Start** > **Settings** > **Update & security** > **Windows Insider Program**.
+
+2. Select **Get started**.
+ >[!NOTE]
+ >If you didn’t use a Microsoft account to log in to the computer, you’ll be prompted to log in. If you don’t have a Microsoft account, you can create one now.
+
+3. Read the privacy statement and program terms, and then click **Next**.
+
+6. Click **Confirm**, and then select a time to restart the computer.
+
+7. After you restart the device, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Insider level. The device receives the most recent Windows Insider build for the Insider level you select. The options for Insider level are:
+ - **Release Preview**: Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
+ - **Slow**: The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build.
+ - **Fast**: This level is best for Insiders who would like to be the first to experience new builds of Windows, participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.
+
+## Block access to Windows Insider Program
+
+To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10:
+
+- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds**
+- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview)
+
+## Steps to manage updates for Windows 10
+
+
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | Assign devices to servicing branches for Windows 10 updates (this topic) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+
+
diff --git a/windows/manage/waas-servicing-strategy-windows-10-updates.md b/windows/manage/waas-servicing-strategy-windows-10-updates.md
new file mode 100644
index 0000000000..aa4a14694e
--- /dev/null
+++ b/windows/manage/waas-servicing-strategy-windows-10-updates.md
@@ -0,0 +1,67 @@
+---
+title: Prepare servicing strategy for Windows 10 updates (Windows 10)
+description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Prepare servicing strategy for Windows 10 updates
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. Figure 1 shows the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
+
+**Figure 1**
+
+
+
+Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
+
+- **Configure test devices.** Configure testing PCs in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Current Branch (CB) servicing branch. Typically, this would be a small number of test machines that IT staff members use to evaluate prereleased builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
+- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than CB or Current Branch for Business (CBB) can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
+- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
+- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
+- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics).
+
+>[!NOTE]
+>This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](https://technet.microsoft.com/itpro/windows/plan/index).
+
+Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
+
+1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility.
+2. **Pilot and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have pilot groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your pilot groups running in the CB servicing branch that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it. For an example of what a remediation plan for an application compatibility issue arising from a Windows 10 feature update might look like, see the .
+3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department.
+
+
+## Steps to manage updates for Windows 10
+
+
+|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | Prepare servicing strategy for Windows 10 updates (this topic) |
+|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+|  | [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
+
+
+
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
diff --git a/windows/manage/waas-update-windows-10.md b/windows/manage/waas-update-windows-10.md
new file mode 100644
index 0000000000..210676c642
--- /dev/null
+++ b/windows/manage/waas-update-windows-10.md
@@ -0,0 +1,54 @@
+---
+title: Update Windows 10 in the enterprise (Windows 10)
+description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Update Windows 10 in the enterprise
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows 10 devices in your environment. In addition, with the Windows 10 operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them.
+
+>[!TIP]
+>See [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) for details about each Windows 10 update released to date.
+
+## In this section
+
+| Topic | Description|
+| --- | --- |
+| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. |
+| [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. |
+| [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. |
+| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider. |
+| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. |
+| [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise. |
+| [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
+| [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
+| [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
+
+>[!TIP]
+>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
+>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager).
+
+
+## Related topics
+
+
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+
+
+
diff --git a/windows/manage/waas-wufb-group-policy.md b/windows/manage/waas-wufb-group-policy.md
new file mode 100644
index 0000000000..9d5bf8c874
--- /dev/null
+++ b/windows/manage/waas-wufb-group-policy.md
@@ -0,0 +1,348 @@
+---
+title: Walkthrough use Group Policy to configure Windows Update for Business (Windows 10)
+description: Configure Windows Update for Business settings using Group Policy.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Walkthrough: use Group Policy to configure Windows Update for Business
+
+
+**Applies to**
+
+- Windows 10
+
+
+Using Group Policy to manage Windows Update for Business is simple and familiar: use the same Group Policy Management Console (GPMC) you use to manage other device and user policy settings in your environment. Before configuring the Windows Update for Business Group Policy settings, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
+
+In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch.
+
+>[!NOTE]
+>The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511.
+
+To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
+
+## Configure Windows Update for Business in Windows 10 version 1511
+
+In this example, you use two security groups to manage your updates: **Ring 3 Broad IT** and **Ring 4 Broad Business Users** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
+
+- The **Ring 3 Broad IT** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
+- The **Ring 4 Broad Business Users** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release.
+
+>[!NOTE]
+>Windows 10 version 1511 does not support deferment of CB builds of Windows 10, so you can establish only one CB deployment ring. In version 1607 and later, CB builds can be delayed, making it possible to have multiple CB deployment rings.
+
+ Complete the following steps on a PC running the Remote Server Administration Tools or on a domain controller.
+
+ ### Configure the Ring 3 Broad IT deployment ring for CBB with no deferral
+
+1. Open GPMC (gpmc.msc).
+
+2. Expand **Forest** > **Domains** > *your domain*.
+
+3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
+
+ 
+
+4. In the **New GPO** dialog box, type **Windows Update for Business - CBB1** for the name of the new GPO.
+
+ >[!NOTE]
+ >In this example, you’re linking the GPO to the top-level domain. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit (OU) that’s appropriate for your Active Directory Domain Services (AD DS) structure.
+
+5. Right-click the **Windows Update for Business - CBB1** GPO, and then click **Edit**.
+
+ 
+
+6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**.
+
+7. Right-click **Defer Upgrades and Updates**, and then click **Edit**.
+
+ 
+
+ In the **Defer Upgrades and Updates** Group Policy setting configuration, you see several options:
+ - **Enable/Disable Deferred Updates**. Enabling this policy setting sets the receiving client to the CBB servicing branch. Specifically disabling this policy forces the client into the CB servicing branch, making it impossible for users to change it.
+ - **Defer upgrades for the following**. This option allows you to delay feature updates up to 8 months, a number added to the default CBB delay (approximately 4 months from CB). By using Windows Update for Business, you can use this option to stagger CBB feature updates, making the total offset up to 12 months from CB.
+ - **Defer updates for the following**. This option allows you to delay the installation of quality updates on a Windows 10 device for up to 4 weeks, allowing for phased rollouts of updates in your enterprise, but not all quality updates are deferrable with this option. Table 1 shows the deferment capabilities by update type.
+ - **Pause Upgrades and Updates**. Should an issue arise with a feature update, this option allows a one-time skip of the current month’s quality and feature update. Quality updates will resume after 35 days, and feature updates will resume after 60 days. For example, deploy this setting as a stand-alone policy to the entire organization in an emergency.
+
+ Table 1 summarizes the category of update in Windows 10 and how long Windows Update for Business can defer its installation.
+
+ **Table 1**
+
+
+
+ | Category |
+ Maximum deferral |
+ Deferral increments |
+ Classification type |
+ Classification GUID |
+
+
+ | OS upgrades |
+ 8 months |
+ 1 month |
+ Upgrade |
+ 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
+
+
+ | OS updates |
+ 4 weeks |
+ 1 week |
+ Security updates |
+ 0FA1201D-4330-4FA8-8AE9-B877473B6441 |
+
+
+ | Drivers |
+ EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 |
+
+
+ | Updates |
+ CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 |
+
+
+ | Other/non-deferrable |
+ No deferral |
+ No deferral |
+ Definition updates |
+ E0789628-CE08-4437-BE74-2495B842F43B |
+
+
+
+ Simply enabling the **Defer Upgrades and Updates** policy sets the receiving client to the CBB servicing branch, which is what you want for your first deployment ring, **Ring 3 Broad IT**.
+
+8. Enable the **Defer Updates and Upgrades** setting, and then click **OK**.
+
+9. Close the Group Policy Management Editor.
+
+Because the **Windows Update for Business - CBB1** GPO contains a computer policy and you only want to apply it to computers in the **Ring 3 Broad IT** group, use **Security Filtering** to scope the policy’s effect.
+
+### Scope the policy to the Ring 3 Broad IT group
+
+1. In the GPMC, select the **Windows Update for Business - CBB1** policy.
+
+2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 3 Broad IT** group.
+
+ 
+
+
+The **Ring 3 Broad IT** deployment ring has now been configured. Next, configure **Ring 4 Broad Business Users** to accommodate a 1-week delay for quality updates and a 1-month delay for feature updates.
+
+
+### Configure the Ring 4 Broad Business Users deployment ring for CBB with deferrals
+
+1. Open GPMC (gpmc.msc).
+
+2. Expand **Forest** > **Domains** > *your domain*.
+
+3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
+
+ 
+
+4. In the **New GPO** dialog box, type **Windows Update for Business - CBB2** for the name of the new GPO.
+
+5. Right-click the **Windows Update for Business - CBB2** GPO, and then click **Edit**.
+
+ 
+
+6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**.
+
+7. Right-click **Defer Upgrades and Updates**, and then click **Edit**.
+
+8. Enable the **Defer Updates and Upgrades** setting, configure the **Defer upgrades for the following** option for 1 month, and then configure the **Defer updates for the following** option for 1 week.
+
+ 
+
+9. Click **OK** and close the Group Policy Management Editor.
+
+
+### Scope the policy to the Ring 4 Broad Business Users group
+
+1. In the GPMC, select the **Windows Update for Business - CBB2** policy.
+
+2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 4 Broad Business Users** group.
+
+## Configure Windows Update for Business in Windows 10 version 1607
+
+To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
+
+In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates:
+
+- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds just 14 days after they are released.
+- **Ring 3 Broad IT** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch.
+- **Ring 4 Broad Business Users** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 30 days.
+
+In this example, you configure and scope the update schedules for all three groups.
+
+### Configure Ring 2 Pilot Business Users policy
+
+1. Open GPMC (gpmc.msc).
+
+2. Expand **Forest** > **Domains** > *your domain*.
+
+3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
+
+ 
+
+4. In the **New GPO** dialog box, type **Windows Update for Business - CB2** for the name of the new GPO.
+
+ >[!NOTE]
+ >In this example, you’re linking the GPO to the top-level domain. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit (OU) that’s appropriate for your Active Directory Domain Services (AD DS) structure.
+
+5. Right-click the **Windows Update for Business - CB2** GPO, and then click **Edit**.
+
+ 
+
+6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
+
+7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
+
+8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CB**, set the feature update delay to **14** days, and then click **OK**.
+
+ 
+
+ Table 3 summarizes the category of updates in Windows 10, version 1607, and how long Windows Update for Business can defer its installation.
+
+ **Table 3**
+
+
+
+ | Category |
+ Maximum deferral |
+ Deferral increments |
+ Example |
+ Classification GUID |
+
+
+ | Feature Updates |
+ 180 days |
+ Days |
+ From Windows 10, version 1511 to version 1607 |
+ 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
+
+
+ | Quality Updates |
+ 30 days |
+ Days |
+ Security updates |
+ 0FA1201D-4330-4FA8-8AE9-B877473B6441 |
+
+
+ | Drivers (optional) |
+ EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 |
+
+
+ | Non-security updates |
+ CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 |
+
| Microsoft updates (Office, Visual Studio, etc.) | varies |
+
+ | Non-deferrable |
+ No deferral |
+ No deferral |
+ Definition updates |
+ E0789628-CE08-4437-BE74-2495B842F43B |
+
+
+
+9. Close the Group Policy Management Editor.
+
+Because the **Windows Update for Business – CB2** GPO contains a computer policy and you only want to apply it to computers in the **Ring 2 Pilot Business Users** group, use **Security Filtering** to scope the policy’s effect.
+
+### Scope the policy to the Ring 2 Pilot Business Users group
+
+1. In the GPMC, select the **Windows Update for Business - CB2** policy.
+
+2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 2 Pilot Business Users** group.
+
+ 
+
+The **Ring 2 Pilot Business Users** deployment ring has now been configured. Next, configure **Ring 3 Broad IT** to set those clients into the CBB servicing branch so that they receive feature updates as soon as they’re made available for the CB servicing branch.
+
+### Configure Ring 3 Broad IT policy
+
+1. Open GPMC (gpmc.msc).
+
+2. Expand **Forest** > **Domains** > *your domain*.
+
+3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, type **Windows Update for Business - CBB1** for the name of the new GPO.
+
+5. Right-click the **Windows Update for Business - CBB1** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
+
+7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
+
+8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CBB**, and then click **OK**.
+
+ 
+
+9. Close the Group Policy Management Editor.
+
+
+
+### Scope the policy to the Ring 3 Broad IT group
+
+1. In the GPMC, select the **Windows Update for Business - CBB1** policy.
+
+2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 3 Broad IT** group.
+
+
+The **Ring 3 Broad IT** deployment ring has now been configured. Finally, configure **Ring 4 Broad Business Users** to accommodate a 7-day delay for quality updates and a 30-day delay for feature updates
+
+### Configure Ring 4 Broad Business Users policy
+
+1. Open GPMC (gpmc.msc).
+
+2. Expand **Forest** > **Domains** > *your domain*.
+
+3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
+
+4. In the **New GPO** dialog box, type **Windows Update for Business - CBB2** for the name of the new GPO.
+
+5. Right-click the **Windows Update for Business - CBB2** GPO, and then click **Edit**.
+
+6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
+
+7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
+
+8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CBB**, set the feature update delay to **30** days, and then click **OK**.
+
+ 
+
+9. Right-click **Select when Quality Updates are received**, and then click **Edit**.
+
+10. In the **Select when Quality Updates are received** policy, enable it, set the quality update delay to **7** days, and then click **OK**.
+
+ 
+
+11. Close the Group Policy Management Editor.
+
+
+
+### Scope the policy to the Ring 4 Broad IT group
+
+1. In the GPMC, select the **Windows Update for Business - CBB2** policy.
+
+2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 4 Broad Business Users** group.
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/manage/waas-wufb-intune.md b/windows/manage/waas-wufb-intune.md
new file mode 100644
index 0000000000..91e628629f
--- /dev/null
+++ b/windows/manage/waas-wufb-intune.md
@@ -0,0 +1,278 @@
+---
+title: Walkthrough use Intune to configure Windows Update for Business (Windows 10)
+description: Configure Windows Update for Business settings using Microsoft Intune.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Walkthrough: use Microsoft Intune to configure Windows Update for Business
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+
+You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
+
+Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build.
+
+To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings.
+
+>[!NOTE]
+>Coming soon: [Intune Groups will be converted to Azure Active Directory-based Security Groups](https://docs.microsoft.com/en-us/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune)
+
+## Configure Windows Update for Business in Windows 10, version 1511
+
+In this example, you use two security groups to manage your updates: **Ring 3 Broad IT** and **Ring 4 Broad Business Users** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
+
+- The **Ring 3 Broad IT** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
+- The **Ring 4 Broad Business Users** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release.
+
+### Configure the Ring 3 Broad IT deployment ring for CBB with no deferral
+
+1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+ 
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**.
+
+7. In the **Value** box, type **1**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+ 
+
+8. For this deployment ring, you’re required to enable only CBB, so click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 3 Broad IT** group, click **Add**, and then click **OK**.
+
+You have now configured the **Ring 3 Broad IT** deployment ring to enable the CBB servicing branch. Now, you must configure **Ring 4 Broad Business Users** to accommodate a 1-week delay for quality updates and a 1-month delay for feature updates.
+
+### Configure the Ring 4 Broad Business Users deployment ring for CBB with deferrals
+
+1. In the Policy workspace, click **Configuration Policies**, and then click **Add**.
+
+2. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+3. Name the policy **Windows Update for Business – CBB2**. Then, in the **OMA-URI Settings** section, click **Add**.
+ In this policy, you add two OMA-URI settings, one for each deferment type.
+
+4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**.
+
+6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**.
+
+7. Click **OK** to save the setting.
+
+8. In the **OMA-URI Settings** section, click **Add**.
+
+9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**.
+
+11. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**.
+
+12. In the **Value** box, type **1**.
+
+13. Click **OK** to save the setting.
+
+14. In the **OMA-URI Settings** section, click **Add**.
+
+15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**.
+
+17. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**.
+
+18. In the **Value** box, type **1**.
+
+19. Click **OK** to save the setting.
+
+ Three settings should appear in the **Windows Update for Business – CBB2** policy.
+
+ 
+
+20. Click **Save Policy**, and then click **Yes** at the **Deploy Policy** prompt.
+
+21. In the **Manage Deployment** dialog box, select the **Ring 4 Broad Business Users** computer group, click **Add**, and then click **OK**.
+
+## Configure Windows Update for Business in Windows 10 version 1607
+
+To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings.
+
+In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates:
+
+- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds just 14 days after they are released.
+- **Ring 3 Broad IT** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch.
+- **Ring 4 Broad Business Users** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 30 days.
+
+### Configure Ring 2 Pilot Business Users policy
+
+1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+ 
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CB2**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
+
+7. In the **Value** box, type **0**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+ 
+
+8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 14 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
+
+8. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list.
+10. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatePeriodInDays**.
+11. In the **Value** box, type **14**, and then click **OK**.
+
+ 
+
+9. Click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CB2** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+10. In the **Manage Deployment: Windows Update for Business – CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**.
+
+You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 3 Broad IT** to receive CBB features updates as soon as they’re available.
+
+### Configure Ring 3 Broad IT policy
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+ 
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
+
+7. In the **Value** box, type **1**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+
+8. Because the **Ring 3 Broad IT** deployment ring receives the CBB feature updates immediately, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
+
+8. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list.
+
+10. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatePeriodInDays**.
+
+11. In the **Value** box, type **0**, and then click **OK**.
+
+ 
+
+9. Click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 3 Broad IT** group, click **Add**, and then click **OK**.
+
+You have now configured the **Ring 3 Broad IT** deployment ring to receive CBB feature updates as soon as they’re available. Finally, configure **Ring 4 Broad Business Users** to accommodate a 7-day delay for quality updates and a 30-day delay for feature updates.
+
+
+### Configure Ring 4 Broad Business Users policy
+
+2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
+
+ 
+
+3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
+
+4. Name the policy **Windows Update for Business - CBB2**. Then, in the **OMA-URI Settings** section, click **Add**.
+
+4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
+
+6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
+
+7. In the **Value** box, type **1**, and then click **OK**.
+
+ >[!NOTE]
+ >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
+
+
+8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
+
+8. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list.
+
+10. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatePeriodInDays**.
+
+11. In the **Value** box, type **7**, and then click **OK**.
+
+8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
+
+8. In **Setting name**, type **Defer feature updates for 30 days**, and then select **Integer** from the **Data type** list.
+
+10. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatePeriodInDays**.
+
+11. In the **Value** box, type **30**, and then click **OK**.
+
+ 
+
+9. Click **Save Policy**.
+
+9. In the **Deploy Policy: Windows Update for Business – CBB2** dialog box, click **Yes**.
+
+ >[!NOTE]
+ >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
+
+10. In the **Manage Deployment: Windows Update for Business – CBB2** dialog box, select the **Ring 3 Broad Business Users** group, click **Add**, and then click **OK**.
+
+## Related topics
+
+- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Configure Windows Update for Business](waas-configure-wufb.md)
+- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+
+
+
+
+
+
+
+
diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md
index 7118e1238c..723d5f5e7e 100644
--- a/windows/plan/TOC.md
+++ b/windows/plan/TOC.md
@@ -1,11 +1,7 @@
# [Plan for Windows 10 deployment](index.md)
-## [Windows 10 servicing overview](windows-10-servicing-options.md)
## [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
## [Windows 10 compatibility](windows-10-compatibility.md)
## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
-## [Windows Update for Business](windows-update-for-business.md)
-### [Setup and deployment](setup-and-deployment.md)
-### [Integration with management solutions](integration-with-management-solutions-.md)
## [Windows To Go: feature overview](windows-to-go-overview.md)
### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
index fe06fd00a1..db42adde11 100644
--- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md
+++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
@@ -13,6 +13,12 @@ author: TrudyHa
This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## September 2016
+
+| New or changed topic | Description |
+| --- | --- |
+| Windows 10 servicing overview | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview) |
+| Windows Update for BusinessSetup and deployment of Windows Update for BusinessIntegration of Windows Update for Business with management solutions | New content replaced these topics; see [Manage updates using Windows Update for Business](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb) |
## RELEASE: Windows 10, version 1607
diff --git a/windows/plan/index.md b/windows/plan/index.md
index b692bf0504..8dd569303a 100644
--- a/windows/plan/index.md
+++ b/windows/plan/index.md
@@ -15,11 +15,9 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
## In this section
|Topic |Description |
|------|------------|
-| [Windows 10 servicing overview](windows-10-servicing-options.md) | Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. |
|[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. |
|[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. |
|[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
-| [Windows Update for Business](windows-update-for-business.md) | Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. |
|[Windows To Go: feature overview](windows-to-go-overview.md) |Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. |
|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. |
|[Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) |This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
@@ -36,3 +34,8 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
+
+
+
+
+
diff --git a/windows/plan/integration-with-management-solutions-.md b/windows/plan/integration-with-management-solutions-.md
index 73206e6baf..7246b22a3a 100644
--- a/windows/plan/integration-with-management-solutions-.md
+++ b/windows/plan/integration-with-management-solutions-.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: servicing, devices
author: jdeckerMS
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb
---
# Integration with management solutions
diff --git a/windows/plan/setup-and-deployment.md b/windows/plan/setup-and-deployment.md
index 6705747d10..2b2e1e2a43 100644
--- a/windows/plan/setup-and-deployment.md
+++ b/windows/plan/setup-and-deployment.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: servicing, devices
author: jdeckerMS
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb
---
# Setup and deployment
diff --git a/windows/plan/windows-10-compatibility.md b/windows/plan/windows-10-compatibility.md
index 066ce7b427..013a715282 100644
--- a/windows/plan/windows-10-compatibility.md
+++ b/windows/plan/windows-10-compatibility.md
@@ -6,6 +6,7 @@ keywords: deploy, upgrade, update, appcompat
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
+localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/plan/windows-10-deployment-considerations.md b/windows/plan/windows-10-deployment-considerations.md
index a787c083ac..9c2cb27ef4 100644
--- a/windows/plan/windows-10-deployment-considerations.md
+++ b/windows/plan/windows-10-deployment-considerations.md
@@ -4,6 +4,7 @@ description: There are new deployment options in Windows 10 that help you simpl
ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE
keywords: deploy, upgrade, update, in-place
ms.prod: w10
+localizationpriority: high
ms.mktglfcycl: plan
ms.sitesec: library
author: mtniehaus
diff --git a/windows/plan/windows-10-infrastructure-requirements.md b/windows/plan/windows-10-infrastructure-requirements.md
index f6893cb6e2..be533cabf2 100644
--- a/windows/plan/windows-10-infrastructure-requirements.md
+++ b/windows/plan/windows-10-infrastructure-requirements.md
@@ -5,6 +5,7 @@ ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64
keywords: deploy, upgrade, update, hardware
ms.prod: w10
ms.mktglfcycl: plan
+localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md
index 83af9a41f3..8ad9c29c5a 100644
--- a/windows/plan/windows-10-servicing-options.md
+++ b/windows/plan/windows-10-servicing-options.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: plan
ms.pagetype: servicing
ms.sitesec: library
author: jdeckerMS
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview
---
# Windows 10 servicing overview
diff --git a/windows/plan/windows-update-for-business.md b/windows/plan/windows-update-for-business.md
index 93dcee04ac..87315ba806 100644
--- a/windows/plan/windows-update-for-business.md
+++ b/windows/plan/windows-update-for-business.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: servicing; devices
author: jdeckerMS
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb
---
# Windows Update for Business
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
index 9b385aa076..df040f8573 100644
--- a/windows/whats-new/contribute-to-a-topic.md
+++ b/windows/whats-new/contribute-to-a-topic.md
@@ -31,7 +31,7 @@ You've already completed this step.
-5. Using markdown language, make your changes to the topic. For info about how to edit content using markdown, see:
+5. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide)
- **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
@@ -68,4 +68,4 @@ You've already completed this step.
- [Surface](https://technet.microsoft.com/itpro/surface)
- [Surface Hub](https://technet.microsoft.com/itpro/surface-hub)
- [Windows 10 for Education](https://technet.microsoft.com/edu/windows)
- - [Microsoft Desktop Optimization Pack](https://technet.microsoft.com/itpro/mdop)
\ No newline at end of file
+ - [Microsoft Desktop Optimization Pack](https://technet.microsoft.com/itpro/mdop)