New TOC for docs.microsoft.com

windows/client-management/TOC.md

@@ -0,0 +1,10 @@
+# [Manage clients in Windows 10](index.md)
+## [Create mandatory user profiles](mandatory-user-profile.md)
+## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
+## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
+## [New policies for Windows 10](new-policies-for-windows-10.md)
+## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
+## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md)
+## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
+## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
+## [Windows libraries](windows-libraries.md)

windows/client-management/administrative-tools-in-windows-10.md

@@ -0,0 +1,57 @@
+---
+title: Administrative Tools in Windows 10 (Windows 10)
+description: Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.
+ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Administrative Tools in Windows 10
+
+
+**Applies to**
+
+-   Windows 10
+
+Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. 
+
+![Screenshot of Control Panel](images/admin-tools.png)
+
+The tools in the folder might vary depending on which edition of Windows you are using. 
+
+![Screenshot of folder of admin tools](images/admin-tools-folder.png)
+
+These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool.
+
+ 
+
+-   [Component Services]( https://go.microsoft.com/fwlink/p/?LinkId=708489)
+-   [Computer Management](https://support.microsoft.com/kb/308423)
+-   [Defragment and Optimize Drives](https://go.microsoft.com/fwlink/p/?LinkId=708488)
+-   [Disk Cleanup](https://go.microsoft.com/fwlink/p/?LinkID=698648)
+-   [Event Viewer](https://go.microsoft.com/fwlink/p/?LinkId=708491)
+-   [iSCSI Initiator](https://go.microsoft.com/fwlink/p/?LinkId=708492)
+-   [Local Security Policy](https://go.microsoft.com/fwlink/p/?LinkId=708493)
+-   [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494)
+-   [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495)
+-   [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496)
+-   [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497)
+-   [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498)
+-   [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499)
+-   [System Information]( https://go.microsoft.com/fwlink/p/?LinkId=708500)
+-   [Task Scheduler](https://go.microsoft.com/fwlink/p/?LinkId=708501)
+-   [Windows Firewall with Advanced Security](https://go.microsoft.com/fwlink/p/?LinkId=708503)
+-   [Windows Memory Diagnostic]( https://go.microsoft.com/fwlink/p/?LinkId=708507)
+
+>[!TIP]  
+>If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content. 
+
+ 
+
+
+
+
+

windows/client-management/connect-to-remote-aadj-pc.md

@@ -0,0 +1,83 @@
+---
+title: Connect to remote Azure Active Directory-joined PC (Windows 10)
+description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC.
+keywords: ["MDM", "device management", "RDP", "AADJ"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: devices
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Connect to remote Azure Active Directory-joined PC
+
+
+**Applies to**
+
+-   Windows 10
+
+From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD).
+
+![Remote Desktop Connection client](images/rdp.png)
+
+## Set up
+
+- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
+- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
+- On the PC that you want to connect to:
+  1. Open system properties for the remote PC. 
+  2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. 
+
+   ![Allow remote connections to this computer](images/allow-rdp.png)
+
+  3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
+  >[!NOTE]
+  >You cannot specify individual Azure AD accounts for remote connections.
+
+  4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
+
+ 
+## Supported configurations
+ 
+In organizations that have integrated Active Directory and Azure AD, you can connect from a domain-joined PC to an Azure AD-joined PC using:
+
+- Password
+- Smartcards
+- Windows Hello for Business, if the domain is managed by System Center Configuration Manager
+
+In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network using:
+
+- Password
+- Smartcards
+- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription. 
+
+In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
+
+- Password
+- Smartcards
+- Windows Hello for Business, with or without an MDM subscription. 
+
+ 
+In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
+
+- Password
+- Windows Hello for Business, with or without an MDM subscription. 
+
+
+
+## Related topics
+
+[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop)
+
+
+
+
+ 
+
+ 
+
+
+
+
+

windows/client-management/group-policies-for-enterprise-and-education-editions.md

@@ -0,0 +1,35 @@
+---
+title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10)
+description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: brianlic-msft
+localizationpriority: high
+---
+
+# Group Policy settings that apply only to Windows 10 Enterprise and Education Editions
+
+**Applies to**
+
+-   Windows 10
+
+In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education.
+
+| Policy name | Policy path | Comments |
+| --- | --- | --- |
+| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
+| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
+| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
+| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
+| **Do not require CTRL+ALT+DEL** </br>combined with</br>**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon </br>and</br>Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](/windows/configuration/set-up-a-device-for-anyone-to-use)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. </br></br>**Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
+| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight |
+| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
+| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies)  |
+| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
+| **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app<br><br>User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
+| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |
+
+
+
+ 

windows/client-management/index.md

@@ -0,0 +1,30 @@
+---
+title: Client management (Windows 10)
+description: Windows 10 client management
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Client Management
+
+**Applies to**
+-   Windows 10
+
+Learn about the administrative tools, tasks and best practices for managing Windows 10 and Windows 10 Mobile clients across your enterprise.
+
+| Topic | Description |
+|---|---|
+|[Administrative tools in Windows 10](administrative-tools-in-windows-10.md)| Listing of administrative tools useful for ITPros and advanced users in managing Windows client.|
+|[Connect to remote AADJ PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)|
+|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions|
+|[Join Windows 10 Mobile to AAD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.|
+|[Manage corporate devices](manage-corporate-devices.md)| Listing of resources to manage all your corporate devices running Windows 10 : desktops, laptops, tablets, and phones |
+|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs|
+|[Mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.|
+|[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10|
+|[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options|
+|[Deploy Windows 10 Mobile](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile|
+|[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.|

windows/client-management/join-windows-10-mobile-to-azure-active-directory.md

@@ -0,0 +1,205 @@
+---
+title: Join Windows 10 Mobile to Azure Active Directory (Windows 10)
+description: Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE).
+ms.assetid: 955DD9EC-3519-4752-827E-79CEB1EC8D6B
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: mobile
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Join Windows 10 Mobile to Azure Active Directory
+
+
+**Applies to**
+
+-   Windows 10 Mobile
+
+Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). This article describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.
+
+## Why join Windows 10 Mobile to Azure AD
+
+
+When a device running Windows 10 Mobile is joined to Azure AD, the device can exclusively use a credential owned by your organization, and you can ensure users sign in using the sign-in requirements of your organization. Joining a Windows 10 Mobile device to Azure AD provides many of the same benefits as joining desktop devices, such as:
+
+-   Single sign-on (SSO) in applications like Mail, Word, and OneDrive using resources backed by Azure AD.
+
+-   SSO in Microsoft Edge browser to Azure AD-connected web applications like Office 365 Portal, Visual Studio, and more than [2500 non-Microsoft apps](https://go.microsoft.com/fwlink/p/?LinkID=746211).
+
+-   SSO to resources on-premises.
+
+-   Automatically enroll in your mobile device management (MDM) service.
+
+-   Enable enterprise roaming of settings. (Not currently supported but on roadmap)
+
+-   Use Windows Store for Business to target applications to users.
+
+## <a href="" id="bkmk-upgrade"></a>Are you upgrading current devices to Windows 10 Mobile?
+
+
+Windows Phone 8.1 only supported the ability to connect the device to personal cloud services using a Microsoft account for authentication. This required creating Microsoft accounts to be used for work purposes. In Windows 10 Mobile, you have the ability to join devices directly to Azure AD without requiring a personal Microsoft account.
+
+If you have existing Windows Phone 8.1 devices, the first thing to understand is whether the devices you have can be upgraded to Windows 10 Mobile. Microsoft will be releasing more information about upgrade availability soon. As more information becomes available, it will be posted at [How to get Windows 10 Mobile]( https://go.microsoft.com/fwlink/p/?LinkId=746312). Premier Enterprise customers that have a business need to postpone Windows 10 Mobile upgrade should contact their Technical Account Manager to understand what options may be available.
+
+Before upgrading and joining devices to Azure AD, you will want to consider existing data usage. How users are using the existing devices and what data is stored locally will vary for every customer. Are text messages used for work purposes and need to be backed up and available after the upgrade? Are there photos stored locally or stored associated with an Microsoft account? Are there device and app settings that to be retained? Are there contacts stored in the SIM or associated with an Microsoft account? You will need to explore methods for capturing and storing the data that needs to be retained before you join the devices to Azure AD. Photos, music files, and documents stored locally on the device can be copied from the device using a USB connection to a PC.
+
+To join upgraded mobile devices to Azure AD, [the devices must be reset](reset-a-windows-10-mobile-device.md) to start the out-of-box experience for device setup. Joining a device to Azure AD is not a change that can be done while maintaining existing user data. This is similar to changing a device from personally owned to organizationally owned. When a user joins an organization’s domain, the user is then required to log in as the domain user and start with a fresh user profile. A new user profile means there would not be any persisted settings, apps, or data from the previous personal profile.
+
+If you want to avoid the device reset process, consider [adding work accounts](#add-work-account) rather than joining the devices to Azure AD.
+
+## <a href="" id="add-work-account"></a>The difference between "Add work account" and "Azure AD Join"
+
+
+Even though Azure AD Join on Windows 10 Mobile provides the best overall experience, there are two ways that you can use an added work account instead of joining the device to Azure AD due to organizational requirements.
+
+-   You can complete OOBE using the **Sign in later** option. This lets you start using Windows 10 Mobile with any connected Azure AD account or Microsoft account.
+
+-   You can add access to Azure AD-backed resources on the device without resetting the device.
+
+However, neither of these methods provides SSO in the Windows Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=734996)
+
+Using **Settings** &gt; **Accounts** &gt; **Your email and accounts** &gt; **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](https://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM.
+
+An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook on the web, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password.
+
+## Preparing for Windows 10 Mobile
+
+
+-   **Azure AD configuration**
+
+    Currently, Azure AD Join only supports self-provisioning, meaning the credentials of the user of the device must be used during the initial setup of the device. If your mobile operator prepares devices on your behalf, this will impact your ability to join the device to Azure AD. Many IT administrators may start with a desire to set up devices for their employees, but the Azure AD Join experience is optimized for end-users, including the option for automatic MDM enrollment.
+
+    By default, Azure AD is set up to allow devices to join and to allow users to use their corporate credentials on organizational-owned devices or personal devices. The blog post [Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkID=616791) has more information on where you can review your Azure AD settings. You can configure Azure AD to not allow anyone to join, to allow everyone in your organization to join, or you can select specific Azure AD groups which are allowed to join.
+
+-   **Device setup**
+
+    A device running Windows 10 Mobile can only join Azure AD during OOBE. New devices from mobile operators will be in this state when they are received. Windows Phone 8.1 devices that are [upgraded](#bkmk-upgrade) to Windows 10 Mobile will need to be reset to get back to OOBE for device setup.
+
+-   **Mobile device management**
+
+    An MDM service is required for managing Azure AD-joined devices. You can use MDM to push settings to devices, as well as application and certificates used by VPN, Wi-Fi, etc. Azure AD Premium or [Enterprise Mobility Suite (EMS)](https://go.microsoft.com/fwlink/p/?LinkID=723984) licenses are required to set up your Azure AD-joined devices to automatically enroll in MDM. [Learn more about setting up your Azure AD tenant for MDM auto-enrollment.](https://go.microsoft.com/fwlink/p/?LinkID=691615)
+
+-   **Windows Hello**
+
+    Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policies using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004)
+
+-   **Conditional access**
+
+    Conditional access policies are also applicable to Windows 10 Mobile. Multifactor authentication and device compliance policies can be applied to users or resources and require that the user or device satisfies these requirements before access to resources is allowed. Policies like **Domain Join** which support traditional domain joining only apply to desktop PC. Policies dependent on IP range will be tough to enforce on a phone as the IP address of the operator is used unless the user has connected to corporate Wi-Fi or a VPN.
+
+-   **Known issues**
+
+    -   The apps for **Device backup and restore** and to sync photos to OneDrive only work with the Microsoft account as the primary account—these apps won’t work on devices joined to Azure AD.
+
+    -   **Find my Phone** will work depending on how you add a Microsoft account to the device—for example, the Cortana application will sign in with your Microsoft account in a way that makes **Find my Phone** work. Cortana and OneNote both work with Azure AD accounts but must be set up with a Microsoft account first.
+
+    -   OneNote requires the user to sign in with a Microsoft account but will also provide access to Notebooks using the Azure AD account.
+
+    -   If your organization is configured to federate with Azure AD, your federation proxy will need to be Active Directory Federation Services (ADFS) or a 3rd party which supports WS-Trust endpoints just like ADFS does.
+
+## How to join Windows 10 Mobile to Azure AD
+
+
+1.  During OOBE, on the **Keep your life in sync** screen, choose the option **Sign in with a work account**, and then tap **Next**.
+
+    ![choose how to sign in](images/aadj1.jpg)
+
+2.  Enter your Azure AD account. If your Azure AD account is federated, you will be redirected to your organization's sign-in page; if not, you enter your password here.
+
+    ![sign in](images/aadj2.jpg)
+
+    If you are taken to your organization's sign-in page, you may be required to provide a second factor of authentication.
+
+    ![multi-factor authentication](images/aadj3.jpg)
+
+3.  After authentication completes, the device registration is complete. If your MDM service has a terms of use page, it would be seen here as well. Federated users are required to provide a password again to complete the authentication to Windows. Users with passwords managed in the cloud will not see this additional authentication prompt. This federated login requires your federation server to support a WS-Trust active endpoint.
+
+    ![enter password](images/aadj4.jpg)
+
+4.  Next, you set up a PIN.
+
+    ![set up a pin](images/aadjpin.jpg)
+
+    **Note**  To learn more about the PIN requirement, see [Why a PIN is better than a password](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password).
+
+     
+
+**To verify Azure AD join**
+
+-   Go to **Settings** &gt; **Accounts** &gt; **Your email and accounts**. You will see your Azure AD account listed at the top and also listed as an account used by other apps. If auto-enrollment into MDM was configured, you will see in **Settings** &gt; **Accounts** &gt; **Work Access** that the device is correctly enrolled in MDM. If the MDM is pushing a certificate to be used by VPN, then **Settings** &gt; **Network & wireless** &gt; **VPN** will show the ability to connect to your VPN.
+
+    ![verify that device joined azure ad](images/aadjverify.jpg)
+
+## Set up mail and calendar
+
+
+Setting up email on your Azure AD joined device is simple. Launching the **Mail** app brings you to the **Accounts** page. Most users will have their email accounts hosted in Office 365 and will automatically start syncing. Just tap **Ready to go**.
+
+![email ready to go](images/aadjmail1.jpg)
+
+When email is hosted in on-premises Exchange, the user must provide credentials to establish a basic authentication connection to the Exchange server. Tap **Add account** to see the types of mail accounts you can add, including your Azure AD account.
+
+![email add an account](images/aadjmail2.jpg)
+
+After you select an account type, you provide credentials to complete setup for that mailbox.
+
+![set up email account](images/aadjmail3.jpg)
+
+Setup for the **Calendar** app is similar. Open the app and you'll see your Azure AD account listed -- just tap **Ready to go**.
+
+![calendar ready to go](images/aadjcal.jpg)
+
+Return to **Settings** &gt; **Accounts** &gt; **Your email and accounts**, and you will see your Azure AD account listed for **Email, calendar, and contacts**.
+
+![email, calendar, and contacts](images/aadjcalmail.jpg)
+
+## Use Office and OneDrive apps
+
+
+Office applications like Microsoft Word and Microsoft PowerPoint will automatically sign you in with your Azure AD account. When you open an Office app, you see a screen that allows you to choose between a Microsoft account and Azure AD account. Office shows this screen while it is automatically signing you in, so just be patient for a couple seconds and Office will automatically sign you in using your Azure AD account.
+
+Microsoft Word automatically shows the documents recently opened on other devices. Opening a document allows you to jump straight to the same section you were last editing on another device.
+
+![word](images/aadjword.jpg)
+
+Microsoft PowerPoint shows your recently opened slide decks.
+
+![powerpoint](images/aadjppt.jpg)
+
+The OneDrive application also uses SSO, showing you all your documents and enabling you to open them without any authentication experience.
+
+![onedrive](images/aadjonedrive.jpg)
+
+In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Office 365 portal, and OneDrive for Business.
+
+![browser apps](images/aadjbrowser.jpg)
+
+OneNote requires a Microsoft account, but you can use it with your Azure AD account as well.
+
+![sign in to onenote](images/aadjonenote.jpg)
+
+After you sign in to OneNote, go to Settings &gt; Accounts, and you will see that your Azure AD account is automatically added.
+
+![onenote settings](images/aadjonenote2.jpg)
+
+To see the Notebooks that your Azure AD account has access to, tap **More Notebooks** and select the Notebook you want to open.
+
+![see more notebooks](images/aadjonenote3.jpg)
+
+## Use Windows Store for Business
+
+
+[Windows Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Windows Store for Business portal can be installed by users.
+
+![company tab on store](images/aadjwsfb.jpg)
+
+ 
+
+ 
+
+
+
+
+

windows/client-management/manage-corporate-devices.md

@@ -0,0 +1,68 @@
+---
+title: Manage corporate devices (Windows 10)
+description: You can use the same management tools to manage all device types running Windows 10 desktops, laptops, tablets, and phones.
+ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D
+keywords: ["MDM", "device management"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: devices
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage corporate devices
+
+
+**Applies to**
+
+-   Windows 10
+-   Windows 10 Mobile
+
+You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10.
+
+## In this section
+
+| Topic | Description |
+| --- | --- |
+| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment | 
+| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC |
+| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees |
+| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
+| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education |
+| [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start |
+| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | How to plan for and deploy Windows 10 Mobile devices |
+| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations |
+
+
+## Learn more
+
+[How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx)
+
+[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/)
+
+[Microsoft Intune End User Enrollment Guide](https://go.microsoft.com/fwlink/p/?LinkID=617169)
+
+[Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616791)
+
+[Azure AD support for Windows 10](https://go.microsoft.com/fwlink/p/?LinkID=615765)
+
+[Windows 10 and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
+
+[How to manage Windows 10 devices using Intune](https://go.microsoft.com/fwlink/p/?LinkId=613620)
+
+[Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207)
+
+Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=613208)
+
+
+
+
+
+
+ 
+
+
+
+
+

windows/client-management/manage-settings-app-with-group-policy.md

@@ -0,0 +1,30 @@
+---
+title: Manage the Settings app with Group Policy (Windows 10)
+description: Find out how to manage the Settings app with Group Policy.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: brianlic-msft
+---
+
+# Manage the Settings app with Group Policy
+
+Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
+
+This policy is available at **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
+
+![Settings page visibility policy](images/settings-page-visibility-gp.png)
+
+## Configuring the Group Policy
+
+The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). 
+
+>[!NOTE]  
+> When you specify the URI in the Settings Page Visbility textbox, don't include **ms-settings:** in the string.
+
+Here are some examples:
+
+- To show only the the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**.
+- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.
+
+

windows/client-management/manage-windows-10-in-your-organization-modern-management.md

@@ -0,0 +1,123 @@
+---
+title: Manage Windows 10 in your organization - transitioning to modern management
+description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
+keywords: ["MDM", "device management", "group policy", "Azure Active Directory"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: devices
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage Windows 10 in your organization - transitioning to modern management
+
+Use of personal devices for work, as well as employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
+
+Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist.
+
+Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as System Center Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
+
+This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
+
+ <iframe width="560" height="315" src="https://www.youtube.com/embed/g1rIcBhhxpA" frameborder="0" allowfullscreen></iframe> 
+
+This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
+
+-   [Deployment and Provisioning](#deployment-and-provisioning)
+
+-   [Identity and Authentication](#identity-and-authentication)
+
+-   [Configuration](#settings-and-configuration)
+
+-   [Updating and Servicing](#updating-and-servicing)
+
+## Reviewing the management options with Windows 10
+
+Windows 10 offers a range of management options, as shown in the following diagram:
+
+<img src="images/windows-10-management-range-of-options.png" alt="The path to modern IT" width="766" height="654" />
+
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Windows Store for Business.
+
+## Deployment and Provisioning
+
+With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can:
+
+
+-   Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune).
+
+-   Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
+
+-   Use traditional imaging techniques such as deploying custom images using [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction).
+
+You have multiple options for [upgrading to Windows 10](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
+
+## Identity and Authentication
+
+You can use Windows 10 and services like [Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-whatis/) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
+
+You can envision user and device management as falling into these two categories:
+
+-   **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
+
+    -   For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://blogs.technet.microsoft.com/ad/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/), all from the cloud.<br>Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
+
+    -   Likewise, for personal devices, employees can use a new, simplified [BYOD experience](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/) to add their work account to Windows, then access work resources on the device.
+
+-   **Domain joined PCs and tablets used for traditional applications and access to important resources.** These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises.
+    With Windows 10, if you have an on-premises [Active Directory](https://technet.microsoft.com/windows-server-docs/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/), when employee devices are joined, they automatically register with Azure AD. This provides:
+
+    -   Single sign-on to cloud and on-premises resources from everywhere
+
+    -   [Enterprise roaming of settings](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/)
+
+    -   [Conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/) to corporate resources based on the health or configuration of the device
+
+    -   [Windows Hello for Business](https://technet.microsoft.com/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport)
+
+    -   Windows Hello
+
+    Domain joined PCs and tablets can continue to be managed with the [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) client or Group Policy.
+
+For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/).
+
+As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
+
+![Decision tree for device authentication options](images/windows-10-management-cyod-byod-flow.png)
+
+## Settings and Configuration
+
+Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. 
+
+**MDM**: [MDM](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. This makes MDM the best choice for devices that are constantly on the go.
+
+**Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings, or very specific Windows Firewall rules. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices:
+
+-   Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
+
+-   Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
+
+You can use the following generalized decision tree to review the management choices for devices in your organization:
+
+![Decision tree for device configuration options](images/windows-10-management-gp-intune-flow.png)
+
+## Updating and Servicing
+
+With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes. For more information, see [Windows 10 deployment scenarios](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios).
+
+MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
+
+## Next steps
+
+There are a variety of steps you can take to begin the process of modernizing device management in your organization:
+
+-   **Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate.
+
+-   **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
+
+-   **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
+
+-   **Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability.
+
+-   **Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. As additional capabilities become available in the cloud-identity/MDM model, Microsoft is committed to providing a clear path from traditional to modern management.

windows/client-management/mandatory-user-profile.md

@@ -0,0 +1,170 @@
+---
+title: Create mandatory user profiles (Windows 10)
+description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
+keywords: [".man","ntuser"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+---
+
+# Create mandatory user profiles
+
+
+**Applies to**
+
+-   Windows 10
+
+> [!NOTE]
+> When a mandatory profile is applied to a PC running Windows 10, version 1511, some features such as Universal Windows Platform (UWP) apps, the Start menu, Cortana, and Search, will not work correctly. This will be fixed in a future update. 
+
+A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. 
+
+Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles. 
+
+When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile. 
+
+User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
+
+<span id="extension"/>
+## Profile extension for each Windows version
+
+The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
+
+| Client operating system version | Server operating system version | Profile extension |
+| --- | --- | --- |
+| Windows XP | Windows Server 2003 </br>Windows Server 2003 R2 | none |
+| Windows Vista</br>Windows 7 | Windows Server 2008</br>Windows Server 2008 R2 | v2 |
+| Windows 8 | Windows Server 2012 | v3 |
+| Windows 8.1 | Windows Server 2012 R2 | v4 |
+| Windows 10, versions 1507 and 1511 | N/A | v5 |
+| Windows 10, version 1607 (also known as the Anniversary Update) |  Windows Server 2016 | v6 |
+
+For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
+
+## How to create a mandatory user profile
+
+First, you create a default user profile with the customizations that you want, run Sysprep with CopyProfile set to **True** in the answer file, copy the customized default user profile to a network share, and then you rename the profile to make it mandatory.
+
+**To create a default user profile**
+
+1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.
+
+   > [!NOTE] 
+   > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. 
+ 
+2. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. 
+
+   >[!NOTE]
+   >Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
+
+3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. 
+ 
+3. For devices running Windows 10, use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the following applications: 
+ 
+     - Microsoft.windowscommunicationsapps_8wekyb3d8bbwe
+     - Microsoft.BingWeather_8wekyb3d8bbwe
+     - Microsoft.DesktopAppInstaller_8wekyb3d8bbwe
+     - Microsoft.Getstarted_8wekyb3d8bbwe
+     - Microsoft.Windows.Photos_8wekyb3d8bbwe
+     - Microsoft.WindowsCamera_8wekyb3d8bbwe
+     - Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe
+     - Microsoft.WindowsStore_8wekyb3d8bbwe
+     - Microsoft.XboxApp_8wekyb3d8bbwe
+     - Microsoft.XboxIdentityProvider_8wekyb3d8bbwe
+     - Microsoft.ZuneMusic_8wekyb3d8bbwe 
+     
+     >[!NOTE]
+     >Uninstalling these apps will decrease sign-in time. If your deployment needs any of these apps, you can leave them installed.
+
+3. At a command prompt, type the following command and press **ENTER**.
+
+    `sysprep /oobe /reboot /generalize /unattend:unattend.xml` 
+
+    (Sysprep.exe is located at: C:\Windows\System32\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)
+    
+    >[!TIP]
+    >If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\System32\Sysprep\Panther\setupact.log and look for an entry like the following:
+    
+    >![Microsoft Bing Translator package](images/sysprep-error.png)
+    
+    >Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
+  
+5. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.
+
+6. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
+    
+7. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
+
+   ![Example of UI](images/copy-to.png)
+
+8. In **Copy To**, under **Permitted to use**, click **Change**.
+
+   ![Example of UI](images/copy-to-change.png)
+   
+9. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
+
+10. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#extension) for the operating system version. For example, the folder name must end with “.v6” to identify it as a user profile folder for Windows 10, version 1607.
+
+   - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
+   - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.  
+   
+   ![Example of UI](images/copy-to-path.png) 
+
+9. Click **OK** to copy the default user profile.
+
+
+**To make the user profile mandatory**
+
+ 
+3. In File Explorer, open the folder where you stored the copy of the profile.
+
+    >[!NOTE]
+    >If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes.
+
+1. Rename `Ntuser.dat` to `Ntuser.man`. 
+
+## How to apply a mandatory user profile to users
+
+In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server.
+
+**To apply a mandatory user profile to users**
+
+1. Open **Active Directory Users and Computers** (dsa.msc).
+
+2. Navigate to the user account that you will assign the mandatory profile to.
+
+3. Right-click the user name and open **Properties**.
+
+4. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\profile.v6, you would enter \\\\*server*\profile.
+
+5. Click **OK**.
+
+It may take some time for this change to replicate to all domain controllers.
+
+
+
+## Apply policies to improve sign-in time
+
+When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.)
+
+
+| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
+| --- | --- | --- | --- | --- |
+| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
+| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png)  | ![not supported](images/crossmark.png)  |
+| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) |
+
+
+
+
+
+
+## Related topics
+
+- [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies)
+- [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps)
+- [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight)
+- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)
+
+

windows/client-management/new-policies-for-windows-10.md

@@ -0,0 +1,99 @@
+---
+title: New policies for Windows 10 (Windows 10)
+description: Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1.
+ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D
+keywords: ["MDM", "Group Policy"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# New policies for Windows 10
+
+
+**Applies to**
+
+-   Windows 10
+-   Windows 10 Mobile
+
+Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://go.microsoft.com/fwlink/p/?LinkID=625081).
+
+## New Group Policy settings in Windows 10
+
+
+There are some new policy settings in Group Policy for devices running Windows 10 , such as:
+
+-   Microsoft Edge browser settings
+
+-   Universal Windows app settings, such as:
+
+    -   Disable deployment of Windows Store apps to non-system volumes
+
+    -   Restrict users' application data to always stay on the system volume
+
+    -   Allow applications to share app data between users
+
+-   [Start screen and Start menu layout](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy)
+
+-   Windows Tips
+
+-   Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
+
+-   [Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=623294)
+
+-   Windows Updates for Business
+
+For a spreadsheet of Group Policy settings included in Windows, see [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=613627).
+
+## New MDM policies
+
+
+Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile includes settings from Windows Phone 8.1, plus new or enhanced settings for Windows 10, such as:
+
+-   Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only)
+
+-   Enhanced Bluetooth policies
+
+-   Passport and Hello
+
+-   Device update
+
+-   Hardware-based device health attestation
+
+-   [Kiosk mode](/windows/configuration/set-up-a-device-for-anyone-to-use), start screen, start menu layout
+
+-   Security
+
+-   [VPN](https://go.microsoft.com/fwlink/p/?LinkId=623295) and enterprise Wi-Fi management
+
+-   Certificate management
+
+-   Windows Tips
+
+-   Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
+
+Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
+
+If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317).
+
+No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=613264). For more information, see the [ActiveSync configuration service provider](https://go.microsoft.com/fwlink/p/?LinkId=618944) technical reference.
+
+## Related topics
+
+
+[Manage corporate devices](manage-corporate-devices.md)
+
+[Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10)
+
+[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
+
+ 
+
+ 
+
+
+
+
+

windows/client-management/reset-a-windows-10-mobile-device.md

@@ -0,0 +1,94 @@
+---
+title: Reset a Windows 10 Mobile device (Windows 10)
+description: There are two methods for resetting a Windows 10 Mobile device factory reset and \ 0034;wipe and persist \ 0034; reset.
+ms.assetid: B42A71F4-DFEE-4D6E-A904-7942D1AAB73F
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: mobile
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Reset a Windows 10 Mobile device
+
+
+**Applies to**
+
+-   Windows 10 Mobile
+
+There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.
+
+-   **Factory reset** restores the state of the device back to its first-boot state plus any update packages. The reset will not return device to the original factory state. To return the device to the original factory state, you must flash it with the original factory image by using the [Windows Device Recovery Tool](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq). All the provisioning applied to the device by the enterprise will be lost and will need to be re-applied if needed. For details on what is removed or persists, see [Resetting a mobile device](https://go.microsoft.com/fwlink/p/?LinkID=703715).
+-   **"Wipe and persist" reset** preserves all the provisioning applied to the device before the reset. After the "wipe and persist" reset, all the preserved provisioning packages are automatically applied on the device and the data in the enterprise shared storage folder \\Data\\SharedData\\Enterprise\\Persistent is restored in that folder. For more information on the enterprise shared storage folder, see [EnterpriseExtFileSystem CSP](https://go.microsoft.com/fwlink/p/?LinkId=703716).
+
+You can trigger a reset using your mobile device management (MDM) service, or a user can trigger a reset in the user interface (UI) or by using hardware buttons.
+
+## Reset using MDM
+
+
+The remote wipe command is sent as an XML provisioning file to the device. Since the [RemoteWipe configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=703714) uses OMA DM and WAP, authentication between client and server and delivery of the XML provisioning file is handled by provisioning. The remote wipe command is implemented on the device by using the **ResetPhone** function. For more information about the data that is removed as a result of the remote wipe command, see [Resetting a mobile device](https://go.microsoft.com/fwlink/p/?LinkId=703715).
+
+To perform a factory reset, restoring the device back to its out-of-box state, use the following syncML.
+
+```
+<SyncML xmlns="SYNCML:SYNCML1.2">
+ <SyncBody>
+  <Exec>
+   <CmdID>3</CmdID>
+   <Item>
+    <Target><LocURI>./Vendor/MSFT/RemoteWipe/DoWipe</LocURI></Target>
+   </Item>
+  </Exec> 
+  <Final/>
+ </SyncBody>
+</SyncML>
+```
+
+To perform a "wipe and persist" reset, preserving the provisioning applied to the device before the reset and persisting data files locally, use the following syncML.
+
+```
+<SyncML xmlns="SYNCML:SYNCML1.2">
+    <SyncBody>
+        <Exec>
+            <CmdID>3</CmdID>
+            <Item>                
+                 <Target><LocURI>./Vendor/MSFT/RemoteWipe/DoWipePersistProvisionedData</LocURI></Target>
+            </Item>
+        </Exec>        
+        <Final/>
+ </SyncBody>
+</SyncML>
+```
+
+##  Reset using the UI
+
+
+1.  On your mobile device, go to **Settings** &gt; **System** &gt; **About** &gt; **Reset your Phone**
+
+2.  When you tap **Reset your phone**, the dialog box will present an option to **Also remove provisioned content** if:
+
+    -   At least one provisioning package has been applied, or
+    -   A file is present in the enterprise shared storage folder \\Data\\SharedData\\Enterprise\\Persistent.
+
+    If the option to **Also remove provisioned content** is selected, the reset that ensues is a regular factory reset. If the option is not selected, a "wipe and persist" reset is performed.
+
+## Reset using hardware buttons
+
+
+If your phone is unresponsive and you can't reach **Settings**, you may be able to reset your phone using the hardware buttons. Reset using hardware buttons does not give you the option to persist provisioned content. On Lumia phones (and some others), do the following to reset your phone:
+
+1.  Press and hold the **Volume down** and **Power** buttons at the same time until you feel a vibration (about 10–15 seconds).
+
+2.  When you feel the vibration, release the buttons, and then immediately press and hold the **Volume down** button until you see a large exclamation mark.
+
+3.  When the exclamation mark appears, press the following four buttons in this order: **Volume up**, **Volume down**, **Power**, **Volume down**. Your phone should now reset and restart itself. (It might take a while for the reset to finish.)
+
+ 
+
+ 
+
+
+
+
+

windows/client-management/windows-libraries.md

@@ -0,0 +1,127 @@
+---
+ms.assetid: e68cd672-9dea-4ff8-b725-a915f33d8fd2
+title: Windows Libraries
+ms.prod: windows-server-threshold
+ms.author: jgerend
+ms.manager: dongill
+ms.technology: storage
+ms.topic: article
+author: jasongerend
+description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
+---
+# Windows libraries
+
+> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
+
+Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
+
+## Features for Users
+
+Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users:
+- Aggregate content from multiple storage locations into a single, unified presentation.
+- Enable users to stack and group library contents based on metadata.
+- Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu.
+- Support customized filter search suggestions, based on the types of files contained in the library.
+- Enable users to create new libraries and specify which folders they want to include.
+
+## Features for Administrators
+
+Administrators can configure and control Windows libraries in the following ways:
+- Create custom libraries by creating and deploying Library Description (*.library-ms) files.
+- Hide or delete the default libraries. (The Library node itself cannot be hidden or deleted from the Windows Explorer navigation pane.)
+- Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User.
+- Specify locations to include in a library.
+- Remove a default location from a library.
+- Remove advanced libraries features, when the environment does not support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) Group Policy. This makes all libraries basic (see [Indexing Requirements and Basic Libraries](https://technet.microsoft.com/library/dd744693.aspx#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources.
+
+## More about Libraries
+
+The following is important information about libraries you may need to understand to successfully manage your enterprise.
+
+### Library Contents 
+
+Including a folder in a library does not physically move or change the storage location of the files or folders; the library is a view into those folders. However, users interacting with files in a library are copying, moving, and deleting the files themselves, not copies of these files.
+
+### Default Libraries and Known Folders 
+
+The default libraries include:
+- Documents
+- Music
+- Pictures
+- Videos
+
+Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with. These known folders are automatically included in the default libraries and set as the default save location. That is, when users drag, copy, or save a file to the Documents library, the file is moved, copied, or saved to the My Documents folder. Administrators and users can change the default save-to location. 
+
+### Hiding Default Libraries 
+
+Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane cannot be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they do not exist on the computer. See [How to Hide Default Libraries](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_HideDefaultLibraries) for instructions.
+
+### Default Save Locations for Libraries 
+
+Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location.
+If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations cannot be saved to, then the save operation fails.
+
+### Indexing Requirements and “Basic” Libraries 
+
+Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing is not enabled for one or more locations within a library, the entire library reverts to basic functionality:
+- No support for metadata browsing via **Arrange By** views.
+- Grep-only searches.
+- Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**.
+- No support for searching from the Start menu. Start menu searches do not return files from basic libraries.
+- No previews of file snippets for search results returned in Content mode.
+
+To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that are not indexed remotely can be added to the local index using Offline File synchronization. This gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations which are not indexed remotely and are not using folder redirection to gain the benefits of being indexed locally.
+
+For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_EnableIndexLocations).
+
+If your environment does not support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) data Group Policy. This makes all libraries basic. For further information, see [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx).
+
+### Folder Redirection 
+
+While library files themselves cannot be redirected, you can redirect known folders included in libraries by using [Folder Redirection](https://technet.microsoft.com/library/hh848267.aspx). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side.
+
+### Supported storage locations 
+
+The following table show which locations are supported in Windows libraries.
+
+|Supported Locations|Unsupported Locations|
+|---|---|
+|Fixed local volumes (NTFS/FAT)|Removable drives|
+|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)<br><br>Network shares that are accessible through DFS Namespaces or are part of a failover cluster|
+|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed <br><br>Network Attached Storage (NAS) devices|
+||Other data sources: SharePoint, Exchange, etc.|
+
+\* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics:
+
+- Expected maximum load is four concurrent query requests.
+- Expected indexing corpus is a maximum of one million documents. 
+- Users directly access the server. That is, the server is not made available through DFS Namespaces.
+- Users are not redirected to another server in case of failure. That is, server clusters are not used.
+
+### Library Attributes 
+
+The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms):
+- Name
+- Library locations
+- Order of library locations
+- Default save location
+
+The library icon can be modified by the administrator or user by directly editing the Library Description schema file.
+
+See the [Library Description Schema](http://go.microsoft.com/fwlink/?LinkId=159581) topic on MSDN for information on creating Library Description files. 
+
+## See also 
+
+### Concepts
+
+- [Windows Search Features ](https://technet.microsoft.com/library/dd744686.aspx)
+- [Windows Indexing Features](https://technet.microsoft.com/library/dd744700.aspx)
+- [Federated Search Features](https://technet.microsoft.com/library/dd744682.aspx)
+- [Administrative How-to Guides](https://technet.microsoft.com/library/ee461108.aspx)
+- [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx)
+- [Additional Resources for Windows Search, Browse, and Organization](https://technet.microsoft.com/library/dd744695.aspx)
+
+### Other resources
+
+- [Folder Redirection, Offline Files, and Roaming User Profiles](https://technet.microsoft.com/library/hh848267.aspx)
+- [Library Description Schema](https://msdn.microsoft.com/library/dd798389.aspx)