- Configure the **Favorite** URLs for your employees.
**Example:**
``
`` **Note**
URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11.
- **URI full path.** ./Vendor/MSFT/Policy/Config/ Browser/FirstRunURL
- **Data type.** String
- **Allowed values:**
- Configure the first run URL for your employees.
**Example:**
``
- Configure the first run URL for your employees.
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/FirstRunURL
- **Data type.** String
- **Allowed values:**
- Configure the first run URL for your employees.
**Example:**
``
- Configure the first run URL for your employees.
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/HomePages
- **Data type.** String
- **Allowed values:**
- Configure the Home page URLs for your employees.
**Example:**
``
- Configure the Home page URLs for your employees.
FlagsInMicrosoftEdge |Windows 10 Insider Preview |Desktop |
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can access the about:flags page in Microsoft Edge.
- **1.** Employees can't access the about:flags page in Microsoft Edge.
PromptOverride |Windows 10, Version 1511 or later |Both |
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can ignore SmartScreen warnings.
- **1.** Employees can't ignore SmartScreen warnings.
PromptOverrideForFiles |Windows 10, Version 1511 or later |Both |
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can ignore SmartScreen warnings for files.
- **1.** Employees can't ignore SmartScreen warnings for files.
AddressForWebRTC |Windows 10, Version 1511 or later |Desktop |
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol.
- **1.** Doesn't show an employee's LocalHost IP address while using the WebRTC protocol.
toInternetExplorer |Windows 10 or later |Both |
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer/
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Automatically opens all websites, including intranet sites, using Microsoft Edge.
- **1.** Automatically opens all intranet sites using Internet Explorer 11.
InteretExplorerSites |Windows 10 Insider Preview |Desktop |
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
- **1.** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can access the about:flags page in Microsoft Edge.
- **1.** Employees can't access the about:flags page in Microsoft Edge.
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can ignore SmartScreen warnings.
- **1.** Employees can't ignore SmartScreen warnings.
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Employees can ignore SmartScreen warnings for files.
- **1.** Employees can't ignore SmartScreen warnings for files.
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol.
- **1.** Doesn't show an employee's LocalHost IP address while using the WebRTC protocol.
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Automatically opens all websites, including intranet sites, using Microsoft Edge.
- **1.** Automatically opens all intranet sites using Internet Explorer 11.
- **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer
- **Data type.** Integer
- **Allowed values:**
- **0 (default).** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
- **1.** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
If you enable this policy setting, IE doesn't load any websites or content in the background.
If you disable this policy setting, IE preemptively loads websites and content in the background.
If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | -|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |`Administrative Templates\Windows Components\Internet Explorer` |IE11 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.
If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.
If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.
If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | -|Turn off phone number detection |`Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing` |IE11 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.
If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.
If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.
If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | -|Allow IE to use the HTTP2 network protocol |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |IE11 on Windows 8.1 |This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.
If you enable this policy setting, IE uses the HTTP2 network protocol.
If you disable this policy setting, IE won't use the HTTP2 network protocol.
If you don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Internet Options settings. The default is on. |
-|Don't run antimalware programs against ActiveX controls
(Internet, Restricted Zones) |
- `Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone`
- `Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone`
- `Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone`
- `Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone`
If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using IE Security settings. |
-|Don't run antimalware programs against ActiveX controls
(Intranet, Trusted, Local Machine Zones) |
- `Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone`
- `Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone`
- `Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone`
- `Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone`
- `Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone`
- `Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone`
If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using IE Security settings. | -|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |IE11 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
**Important:**
Some ActiveX controls and toolbars may not be available when 64-bit processes are used.
If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default. | -|Turn off sending UTF-8 query strings for URLs |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |IE11 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.
If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:
- 0. Never encode query strings.
- 1. Only encode query strings for URLs that aren't in the Intranet zone.
- 2. Only encode query strings for URLs that are in the Intranet zone.
- 3. Always encode query strings.
If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.
If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.
If you don't configure this policy setting, users can turn this behavior on or off. | -|Turn off the flip ahead with page prediction feature |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop.
If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.
If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm. |
-|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |`Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History` |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the Personalized Tracking Protection List, which blocks third-party items while the user is browsing.
**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions stored for visited website.
This feature is available in the **Delete Browsing History** dialog box.
If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.
If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.
If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | -|Always send Do Not Track header |`Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page` |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.
If you enable this policy setting, IE sends a DNT:1 header with all HTTP and HTTPS requests. The DNT:1 header signals to the servers not to track the user.
**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.
**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.
If you don't configure the policy setting, users can select the Always send Do Not Track header option on the Advanced tab of the Internet Options dialog box. By selecting this option, IE sends a DNT:1 header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a DNT:0 header. By default, this option is enabled. | -|Let users turn on and use Enterprise Mode from the **Tools** menu |`Administrative Templates\Windows Components\Internet Explorer` |IE11 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.
If you turn this setting on, users can see and use the Enterprise Mode option from the **Tools** menu. If you turn this setting on, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.
If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | -|Use the Enterprise Mode IE website list |`Administrative Templates\Windows Components\Internet Explorer` |IE11 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.
If you enable this policy setting, IE downloads the website list from `HKCU` or `HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server (https://), to help protect against data tampering.
If you disable or don’t configure this policy setting, IE opens all websites using Standard mode. | +|Policy |Category Path |Supported on |Explanation | +|-------|--------------|-------------|------------| +|Turn off loading websites and content in the background to optimize performance |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.
If you enable this policy setting, IE doesn't load any websites or content in the background.
If you disable this policy setting, IE preemptively loads websites and content in the background.
If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | +|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.
If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.
If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.
If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | +|Turn off phone number detection |Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |IE11 on Windows 10 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.
If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.
If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.
If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | +|Allow IE to use the SPDY/3 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.
If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.
If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.
If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced* tab of the **Internet Options** dialog box. The default is on.
**Note**
We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. |
+|Allow IE to use the HTTP2 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.
If you enable this policy setting, IE uses the HTTP2 network protocol.
If you disable this policy setting, IE won't use the HTTP2 network protocol.
If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. |
+|Don't run antimalware programs against ActiveX controls
(Internet, Restricted Zones) |
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. |
+|Don't run antimalware programs against ActiveX controls
(Intranet, Trusted, Local Machine Zones) |
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.
If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. | +|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.
**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. |
+|Turn off sending UTF-8 query strings for URLs |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.
If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:
- **0.** Never encode query strings.
- **1.** Only encode query strings for URLs that aren't in the Intranet zone.
- **2.** Only encode query strings for URLs that are in the Intranet zone.
- **3.** Always encode query strings.
If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. | +|Turn off sending URL path as UTF-8 |User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.
If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.
If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.
If you don't configure this policy setting, users can turn this behavior on or off. | +|Turn off the flip ahead with page prediction feature |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.
If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.
**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. |
+|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.
**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.
If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.
If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.
If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | +|Always send Do Not Track header |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.
If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.
**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.
**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.
If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced* tab of the **Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. | +|Turn off the ability to launch report site problems using a menu option |Administrative Templates\Windows Components\Internet Explorer\Browser menus |Internet Explorer 11 |This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.
If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.
If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | +|Allow only approved domains to use the TDC ActiveX control |
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
- Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.
If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. | +|Turn on Site Discovery XML output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+|Turn on Site Discovery WMI output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+|Limit Site Discovery output by Domain |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.
**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
+|Limit Site Discovery output by Zone |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.
To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:
- 0 – Restricted Sites zone
- 0 – Internet zone
- 0 – Trusted Sites zone
- 0 – Local Intranet zone
- 0 – Local Machine zone
**Example 1:** Include only the Local Intranet zone (binary representation: 00010), based on:
- 0 – Restricted Sites zone
- 0 – Internet zone
- 0 – Trusted Sites zone
- 1 – Local Intranet zone
- 0 – Local Machine zone
**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:
- 1 – Restricted Sites zone
- 0 – Internet zone
- 1 – Trusted Sites zone
- 1 – Local Intranet zone
- 1 – Local Machine zone
**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |
+|Allow SSL3 Fallback |Administrative Templates\Windows Components\Internet Explorer\Security Features |Internet Explorer 11 on Windows 10 |This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.
If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.
If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.**Important:**
By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. |
+|Turn off automatic download of the ActiveX VersionList |Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management |At least Windows Internet Explorer 8 |This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.
If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.
If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.
**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic. |
+|Let users turn on and use Enterprise Mode from the **Tools** menu |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.
If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.
If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | +|Use the Enterprise Mode IE website list |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1511 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.
If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.
If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. | +|Send all sites not included in the Enterprise Mode Site List to Microsoft Edge |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.
If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.
If you disable or don't configure this policy setting, all sites will open based on the currently active browser.
**Note:**
If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. |
+|Show message when opening sites in Microsoft Edge using Enterprise Mode |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.
If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.
If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ## Removed Group Policy settings IE11 no longer supports these Group Policy settings: @@ -45,16 +88,9 @@ IE11 no longer supports these Group Policy settings: ## Viewing your policy settings After you've finished updating and deploying your Group Policy, you can use the Resultant Set of Policy (RSoP) snap-in to view your settings. -  **To use the RSoP snap-in** +**To use the RSoP snap-in** 1. Open and run the Resultant Set of Policy (RSoP) wizard, specifying the information you want to see. 2. Open your wizard results in the Group Policy Management Console (GPMC).
-For complete instructions about how to add, open, and use RSoP, see [Use the RSoP Snap-in](http://go.microsoft.com/fwlink/p/?LinkId=395201)
-
-
-
-
-
-
-
+For complete instructions about how to add, open, and use RSoP, see [Use the RSoP Snap-in](http://go.microsoft.com/fwlink/p/?LinkId=395201)
\ No newline at end of file
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index 485c432a26..b127e38f53 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -19,7 +19,7 @@
### [Manage Microsoft Surface Hub](manage-surface-hub.md)
#### [Accessibility](accessibility-surface-hub.md)
#### [Change the Surface Hub device account](change-surface-hub-device-account.md)
-#### [Device reset](device-reset-suface-hub.md)
+#### [Device reset](device-reset-surface-hub.md)
#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md)
#### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
#### [Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md)
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index 7fd65a2aa4..e3c0f7b0dc 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: TrudyHa
+localizationpriority: high
---
# Appendix: PowerShell (Surface Hub)
diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md
index 0760c66e33..9a508b735d 100644
--- a/devices/surface-hub/change-surface-hub-device-account.md
+++ b/devices/surface-hub/change-surface-hub-device-account.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: TrudyHa
+localizationpriority: high
---
# Change the Microsoft Surface Hub device account
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index 35d14c4df5..5291c1653e 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -130,7 +130,7 @@ When a Surface hub is connected to guest computer with the wired connect USB por
- HID-compliant mouse
-**Universal serial bus conntrollers**
+**Universal serial bus controllers**
- Generic USB hub
@@ -224,7 +224,7 @@ In replacement PC mode, the embedded computer of the Surface Hub is turned off a
### Software requirements
-You can run Surface Hub in replacement PC mode with 64-bit versions of Windows 10 Home, Windows 10 Pro and Windows 10 Enterprise. You can download the [Surface Hub Replacement PC driver package](https://www.microsoft.com/en-us/download/details.aspx?id=52210) from the Microsoft download center. We recommend that you install these drivers on any computer you plan to use as a replacement PC.
+You can run Surface Hub in replacement PC mode with 64-bit versions of Windows 10 Home, Windows 10 Pro and Windows 10 Enterprise. You can download the [Surface Hub Replacement PC driver package](https://www.microsoft.com/download/details.aspx?id=52210) from the Microsoft download center. We recommend that you install these drivers on any computer you plan to use as a replacement PC.
### Hardware requirements
@@ -389,7 +389,7 @@ Replacement PC ports on 84" Surface Hub.
**To use replacement PC mode**
-1. Download and install the [Surface Hub Replacement PC driver package](https://www.microsoft.com/en-us/download/details.aspx?id=52210) on the replacement PC.
+1. Download and install the [Surface Hub Replacement PC driver package](https://www.microsoft.com/download/details.aspx?id=52210) on the replacement PC.
**Note** We recommend that you set sleep or hibernation on the replacement PC so the Surface Hub will turn off the display when it isn't being used.
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index a39e64d4cc..4197cf75dd 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: TrudyHa
+localizationpriority: high
---
# Create a device account using UI (Surface Hub)
@@ -29,7 +30,7 @@ If you prefer to use a graphical user interface, you can create a device account
1. Sign in to Office 365 by visiting http://portal.office.com/admin/
2. Provide the admin credentials for your Office 365 tenant. This will take you to your Office 365 Admin Center.
- 
+ 
3. Once you are at the Office 365 Admin Center, navigate to **Users** in the left panel, and then click **Active Users**.
@@ -37,13 +38,13 @@ If you prefer to use a graphical user interface, you can create a device account
4. On the controls above the list of users, click **+** to create a new user. You'll need to enter a **Display name**, **User name**, **Password** and an email address for the recipient of the password. Optionally you can change the password manually, but we recommend that you use the auto-generated option. You also need to assign this account a license that gives the account access to Exchange and Skype for Business services.
- 
+ 
Click **Create**.
5. Once the account has been successfully created, click **Close** on the resulting dialog box, and you will see the admin center Active Users list again.
- 
+ 
6. Select the user you just created from the **Active Users** list. You need to disable the Skype for Business license, because you can’t create a Skype Meeting Room with this option.
@@ -51,7 +52,7 @@ If you prefer to use a graphical user interface, you can create a device account
In the right panel you can see the account properties and several optional actions. The process so far has created a regular Skype account for this user, which you need to disable. Click **Edit** for the **Assigned license** section, then click the dropdown arrow next to the license to expand the details.
- 
+ 
From the list, uncheck **Skype for Business Online (plan 2)** (this license may vary depending on your organization), and click **SAVE**.
@@ -59,39 +60,39 @@ If you prefer to use a graphical user interface, you can create a device account
1. In the Office 365 Admin Center’s left panel, click **ADMIN**, and then click **Exchange**.
- 
+ 
2. This will open another tab on your browser to take you to the Exchange Admin Center, where you can create and set the Mailbox Setting for Surface Hub.
- 
+ 
3. To create a Mobile Device Mailbox Policy, click **Mobile** from the left panel and then click **Mobile device mailbox policies**. Surface Hubs require an account with a mobile device mailbox policy that does not require a password, so if you already have an existing policy that matches this requirement, you can apply that policy to the account. Otherwise use the following steps to create a new one to be used only for Surface Hub device accounts.
- 
+ 
4. To create a New Surface Hub mobile device mailbox policy, click the **+** button from the controls above the list of policies to add a new policy. For the name, provide a name that will help you distinguish this policy from other device accounts (for example, *SurfaceHubDeviceMobilePolicy*). Make sure the policy does not require a password for the devices assigned to, so make sure **Require a Password** remains unchecked, then click **Save**.
- 
+ 
5. After you have created the new mobile device mailbox policy, go back to the **Exchange Admin Center** and you will see the new policy listed.
- 
+ 
6. Now, to apply the ActiveSync policy without using PowerShell, you can do the following: In the EAC, click **Recipients** > **Mailboxes** and then select a mailbox.
- 
+ 
7. In the Details pane, scroll to **Phone and Voice Features** and click **View details** to display the **Mobile Device Details** screen.
- 
+ 
8. The mobile device mailbox policy that’s currently assigned is displayed. To change the mobile device mailbox policy, click **Browse**.
- 
+ 
9. Choose the appropriate mobile device mailbox policy from the list, click **OK** and then click **Save**.
- 
+ 
### Use PowerShell to complete device account creation
@@ -107,11 +108,11 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
1. Run Windows PowerShell as Administrator.
- 
+ 
2. Create a Credentials object, then create a new session that connects to Skype for Business Online, and provide the global tenant administrator account, then click **OK**.
- 
+ 
3. To connect to Microsoft Online Services, run:
@@ -119,7 +120,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
Connect-MsolService -Credential $Cred
```
- 
+ 
4. Now to connect to Skype for Business Online Services, run:
@@ -127,7 +128,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
$sfbsession = New-CsOnlineSession -Credential $cred
```
- 
+ 
5. Finally, to connect to Exchange Online Services, run:
@@ -136,7 +137,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
```
- 
+ 
6. Now you have to import the Skype for Business Online Session and the Exchange Online session you have just created, which will import the Exchange and Skype Commands so you can use them locally.
@@ -147,7 +148,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
Note that this could take a while to complete.
- 
+ 
7. Once you’re connected to the online services you need to run a few more cmdlets to configure this account as a Surface Hub device account.
@@ -180,11 +181,11 @@ Now that you're connected to the online services, you can finish setting up the
You will see the correct email address.
- 
+ 
2. You need to convert the account into to a room mailbox, so run:
- 
+ 
``` syntax
Set-Mailbox $strEmail -Type Room
@@ -196,7 +197,7 @@ Now that you're connected to the online services, you can finish setting up the
Set-Mailbox $strEmail -RoomMailboxPassword (ConvertTo-SecureString -String "
- 
+ 
- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
>**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
- 
+ 
- Click **Finish** to create the account.
- 
+ 
2. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online.
@@ -223,17 +224,17 @@ Use this procedure if you use Exchange online.
- In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
- Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.
- 
+ 
- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
>**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
- 
+ 
- Click **Finish** to create the account.
- 
+ 
6. Directory synchronization.
diff --git a/devices/surface-hub/images/sh-settings-reset-device.png b/devices/surface-hub/images/sh-settings-reset-device.png
new file mode 100644
index 0000000000..bdb16e8e20
Binary files /dev/null and b/devices/surface-hub/images/sh-settings-reset-device.png differ
diff --git a/devices/surface-hub/images/sh-settings-update-security.png b/devices/surface-hub/images/sh-settings-update-security.png
new file mode 100644
index 0000000000..44bb2202f0
Binary files /dev/null and b/devices/surface-hub/images/sh-settings-update-security.png differ
diff --git a/devices/surface-hub/images/sh-settings.png b/devices/surface-hub/images/sh-settings.png
new file mode 100644
index 0000000000..12783739ed
Binary files /dev/null and b/devices/surface-hub/images/sh-settings.png differ
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index f526e77791..cef4139e97 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: surfacehub
author: TrudyHa
+localizationpriority: high
---
# Microsoft Surface Hub
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index 2e6754e6cc..2056f2a6f7 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -2,7 +2,7 @@
title: Install apps on your Microsoft Surface Hub
description: Admins can install apps can from either the Windows Store or the Windows Store for Business.
ms.assetid: 3885CB45-D496-4424-8533-C9E3D0EDFD94
-keywords: [install apps, Windows Store, Windows Store for Business
+keywords: install apps, Windows Store, Windows Store for Business
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/devices/surface-hub/intro-to-surface-hub.md b/devices/surface-hub/intro-to-surface-hub.md
index 584dc26a5e..f8903f20cd 100644
--- a/devices/surface-hub/intro-to-surface-hub.md
+++ b/devices/surface-hub/intro-to-surface-hub.md
@@ -37,7 +37,7 @@ The capabilities of your Surface Hub will depend on what other Microsoft product
Meetings using Skype for Business Device account with Skype for Business (Lync 2010 or later) or Skype for Business Online, and a network connection so the account can be accessed. Device account with Skype for Business (Lync Server 2013 or later) or Skype for Business Online, and a network connection so the account can be accessed. Web browsing through Microsoft Edge Walk through the process of customizing the Surface out-of-box experience for end users in your organization. [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT. [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit. [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. [Surface Dock Updater](surface-dock-updater.md) Get a detailed walkthrough of Microsoft Surface Dock Updater. [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization.
+ [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) Find out how to perform a Windows 10 upgrade deployment to your Surface devices. The **Add or Edit Enterprise Network Locations box** closes.
+ The **Add corporate network definition** box closes.
-3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy. Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
+4. Decide if you want to Windows to look for additional network settings:
- 
+ - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
-## Choose your optional EDP-related settings
+ - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
+
+ - **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
+
+5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
+
+ 
+
+ After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
+
+ For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
+
+#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP
+If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name *EFSDRA*; however, this name can be replaced with anything that makes sense to you.
+
+>**Important** Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
-**To add a UWP app**
+#### Add a store app rule to your policy
+For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
-1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
+**To add a store app**
-2. Click **Universal App**, type the **Publisher Name** and the **Product Name** into the associated boxes, and then click **OK**. If you don't have the publisher or product name, you can find them by following these steps.
+1. From the **App rules** area, click **Add**.
+
+ The **Add app rule** box appears.
- **To find the Publisher and Product name values for Microsoft Store apps without installing them**
+ 
- 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
- 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
+3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
- 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value.
+ Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
- The API runs and opens a text editor with the app details.
+4. Pick **Store App** from the **Rule template** drop-down list.
- ``` json
+ The box changes to show the store app rule options.
+
+5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
+
+If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
+
+**To find the Publisher and Product Name values for Store apps without installing them**
+
+1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
+
+ >**Note** For example:
+ ```json
+ {
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
- 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of the **Add app** box, and then click **OK**.
- **Important** **Important** For example: For example:
+ ```json
{
- "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
- 
+#### Add a desktop app rule to your policy
+For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
-**To add a Classic Windows application**
+**To add a desktop app to your policy**
+1. From the **App rules** area, click **Add**.
+
+ The **Add app rule** box appears.
-1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
- A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
+ 
-2. Click **Desktop App**, pick the options you want (see table), and then click **OK**.
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
+
+3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
+
+ Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
+
+4. Pick **Desktop App** from the **Rule template** drop-down list.
+
+ The box changes to show the desktop app rule options.
+
+5. Pick the options you want to include for the app rule (see table), and then click **OK**.
This option is recommended for enlightened apps that weren't previously enlightened. After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |
+|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.|
+|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data. After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.|
-## Define your enterprise-managed identity domains
-Specify your company’s enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list.
+### Define your enterprise-managed identity domains
+Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies.
-You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com.
+You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
-This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed.
+**To add your corporate identity**
-
+- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
-**To add your primary domain**
+ 
-- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.
-If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com.
+### Choose where apps can access enterprise data
+After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
-## Choose where apps can access enterprise data
-After you've added a management level to your protected apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
+There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
-**To specify where your protected apps can find and send enterprise data on the network**
+>**Important** For each cloud resource, you may also specify an internal proxy server that routes your traffic from your **Enterprise Internal Proxy Server** policy. If you have multiple resources, you must use the | delimiter. Include the "|" delimiter just before the "|" if you don’t use proxies. For example: [URL,Proxy]|[URL,Proxy]. **Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic. If you have multiple resources, you must separate them using the ";" delimiter. If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges. If you have multiple ranges, you must separate them using the "," delimiter. If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges. If you have multiple ranges, you must separate them using the "," delimiter. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter.
-The **Add or Edit Enterprise Network Locations box** closes.
+ The **Add or edit corporate network definition** box closes.
-3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.
-Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the[Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
+4. Decide if you want to Windows to look for additional network settings.
-## Choose your optional EDP-related settings
+ 
+
+ - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
+
+ - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
+
+ - **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
+
+5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
+
+ 
+
+ After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
+
+ For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
+
+#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP
+If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
+
+>**Important**
-A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
+- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
+
+ 
+
+ A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
- 
## Deploy the EDP policy
After you’ve created your EDP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
@@ -283,15 +536,6 @@ After you’ve created your EDP policy, you'll need to deploy it to your organiz
- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226)
## Related topics
-- [System Center Configuration Manager and Endpoint Protection (Version 1511)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
+- [System Center Configuration Manager and Endpoint Protection (Version 1606)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623)
-- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)
-
-
-
-
-
-
-
-
-
+- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)
\ No newline at end of file
diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
index a1b2db57b3..fdf497e545 100644
--- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
+++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
@@ -1,112 +1,5 @@
---
title: Create a Device Guard code integrity policy based on a reference device (Windows 10)
-description: To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device.
-ms.assetid: 6C94B14E-E2CE-4F6C-8939-4B375406E825
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
+redirect_url: device-guard-deployment-guide.md
---
-# Create a Device Guard code integrity policy based on a reference device
-**Applies to**
-- Windows 10
-
-To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device.
-
-## Create a Device Guard code integrity policy based on a reference device
-
-To create a code integrity policy, you'll first need to create a reference image that includes the signed applications you want to run on your protected devices. For information on how to sign applications, see [Getting apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md).
-> **Note:** Before creating a code integrity policy, make sure your reference device is clean of viruses and malware.
-
-**To create a code integrity policy based on a reference device**
-
-1. On your reference device, start PowerShell as an administrator.
-2. In PowerShell, initialize variables by typing:
- ``` syntax
- $CIPolicyPath=$env:userprofile+"\Desktop\"
- $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
- $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"
- ```
-3. Scan your device for installed applications and create a new code integrity policy by typing:
- ``` syntax
- New-CIPolicy -Level Hash Specifies individual hash values for each discovered app. Each time an app is updated the hash value will change and you will need to update your policy. FileName Currently unsupported. SignedVersion Currently unsupported. Publisher This level is a combination of the PCA certificate and the common name (CN) on the leaf certificate. When a PCA certificate is used to sign apps from multiple companies (such as VeriSign), this rule level allows you to trust the PCA certificate but only for the company whose name is on the leaf certificate. FilePublisher Currently unsupported. LeafCertificate Adds trusted signers at the individual signing certificate level. When an app is updated, the hash value is modified but the signing certificate stays the same. You will only need to update your policy if the signing certificate for an app changes. PcaCertificate Adds the highest certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, as the scan does not validate anything above the presented signature by going online or checking local root stores. RootCertificate Currently unsupported. WHQL Currently unsupported. WHQLPublisher Currently unsupported. WHQLFilePublisher Currently unsupported. Trusted Platform Module (TPM) version 1.2 or 2.0 TPM 1.2 and 2.0 provides protection for encryption keys that are stored in the firmware and are used by Credential Guard. See the following table to determine which TPM versions are supported on your OS. TPM 1.2 and 2.0 provides protection for encryption keys used by virtualization-based security to protect Credential Guard secrets where all other keys are stored. See the following table to determine which TPM versions are supported on your OS. 0. If present, no relevant properties exist on the device. 1. If present, hypervisor support is available. 2. If present, Secure Boot is available. 3. If present, DMA protection is available. 0. Nothing is required. 1. If present, Secure Boot is needed. 2. If present, DMA protection is needed. 3. If present, both Secure Boot and DMA protection are needed. 0. No services configured. 1. If present, Credential Guard is configured. 2. If present, HVCI is configured. 0. No services running. 1. If present, Credential Guard is running. 2. If present, HVCI is running. 0. VBS is not enabled. 1. VBS is enabled but not running. 2. VBS is enabled and running. Windows 10 Enterprise The PC must be running Windows 10 Enterprise. UEFI firmware version 2.3.1 or higher with UEFI Secure Boot and Platform Secure Boot UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity, also known as Platform Secure Boot must be supported. You can validate it against the following Windows Hardware Compatibility Program requirements: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Virtualization extensions The following virtualization extensions are required to support virtualization-based security: Firmware lock The firmware setup should be locked to prevent other operating systems from starting and to prevent changes to the UEFI settings. Work with your hardware manufacturer to ensure that the devices are Device Guard ready You should require a firmware password or higher authentication to change firmware settings. x64 architecture The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC. A VT-d or AMD-Vi IOMMU (Input/output memory management unit) In Windows 10, an IOMMU enhances system resiliency against memory attacks. Secure firmware update process To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement. Device Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes. Signed processor microcode updates If the processor supports it, you must require signed microcode updates. Windows 10 Enterprise The PC must be running Windows 10 Enterprise. UEFI firmware version 2.3.1 or higher with UEFI Secure Boot and Platform Secure Boot UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity, also known as Platform Secure Boot must be supported. You can validate it against the following Windows Hardware Compatibility Program requirements: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Virtualization extensions The following virtualization extensions are required to support virtualization-based security: Firmware lock The firmware setup should be locked to prevent other operating systems from starting and to prevent changes to the UEFI settings. Work with your hardware manufacturer to ensure that the devices are Device Guard ready. You should require a firmware password or higher authentication to change firmware settings. x64 architecture The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC. A VT-d or AMD-Vi IOMMU (Input/output memory management unit) In Windows 10, an IOMMU enhances system resiliency against memory attacks. Secure firmware update process To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement. Device Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes. Signed processor microcode updates If the processor supports it, you must require signed microcode updates. 0. If present, no relevant properties exist on the device. 1. If present, hypervisor support is available. 2. If present, Secure Boot is available. 3. If present, DMA protection is available. 0. Nothing is required. 1. If present, Secure Boot is needed. 2. If present, DMA protection is needed. 3. If present, both Secure Boot and DMA protection are needed. 0. No services configured. 1. If present, Credential Guard is configured. 2. If present, HVCI is configured. 0. No services running. 1. If present, Credential Guard is running. 2. If present, HVCI is running. 0. VBS is not enabled. 1. VBS is enabled but not running. 2. VBS is enabled and running. start <drive_letter>: Specifies to start a scan. For example, starting to scan the C: drive. -path File path to the package being inspected. stop <drive_letter>: Specifies that a scan of the specified location is complete, creating either a catalog or a definition file. For example, C: scan <path to scan> Specifies a directory path to scan. This command recursively scans a specified directory and includes all signable files in the catalog. -out Specifies what type of info should be created by the tool. You can use either -listpath Specifies the location where the installer will output the list of files for -cdfPath <file_name> Specifies where the tool should put the created .cdf file. If you use this option, you must also specify the file name. We recommend that you use the full path to the file. However, relative paths are supported. -resdir This option isn't currently supported. -name This option isn't currently supported. -ph Specifies whether to include page hashes in the catalog. You can use either -en Specifies the catalog's encoding type. By default, it's PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0x00010001. -ca1 Specifies the CATATTR1 in the catalog and catalog definition files. -ca2 Specifies the CATATTR2 in the catalog and catalog definition files. signtool Specifies the full path location to SignTool.exe. sign Digitally signs files. For a list of the options supported by the sign command, see the [SignTool options](http://go.microsoft.com/fwlink/p/?LinkId=619283). /n SubjectName Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name. /f SignCertFileLocation Specifies the signing certificate in a file. If the file is in .pfx format and protected by a password, use the /p option to specify the password. If the file does not contain private keys, use the /csp and /k options to specify the .csp and private key container name. /p Password Specifies the password to use when opening a PFX file. (Use the /f option to specify a PFX file.) /fd Algorithm Specifies the file digest algorithm to use for creating file signatures. The default is SHA2. /v Displays verbose output regardless of whether the command runs successfully or fails, and displays warning messages. No. Setting Detailed Description Policy location Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options 1 Policy name [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md) Policy setting Enabled 2 Policy location Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options Policy name [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md) Policy setting Enabled 3 Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Registry value name LocalAccountTokenFilterPolicy Registry value type DWORD Registry value data 0 No. Setting Detailed Description Policy location Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment 1 Policy name [Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md) Policy setting User name of the default Administrator account (Might be renamed through policy.) 2 Policy location Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment Policy name [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md) Policy setting User name of the default Administrator account (Might be renamed through policy).
You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the **Protected App** list.
@@ -89,13 +89,4 @@ Use the following table to identify the scenarios that require Azure Rights Mana
## Next steps
After deciding to use EDP in your enterprise, you need to:
-- [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md)
-
-
-
-
-
-
-
-
-
+- [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md)
\ No newline at end of file
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
new file mode 100644
index 0000000000..9db41d44f1
--- /dev/null
+++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -0,0 +1,124 @@
+---
+title: Requirements and deployment planning guidelines for Device Guard (Windows 10)
+description: To help you plan a deployment of Microsoft Device Guard, this article describes hardware requirements for Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+author: brianlic-msft
+---
+
+# Requirements and deployment planning guidelines for Device Guard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This article describes the following:
+
+- [Hardware, firmware, and software requirements for Device Guard](#hardware-firmware-and-software-requirements-for-device-guard)
+ - [Device Guard requirements for baseline protections](#device-guard-requirements-for-baseline-protections)
+ - [Device Guard requirements for improved security](#device-guard-requirements-for-improved-security)
+- [Device Guard deployment in different scenarios: types of devices](#device-guard-deployment-in-different-scenarios-types-of-devices)
+- [Reviewing your applications: application signing and catalog files](#reviewing-your-applications-application-signing-and-catalog-files)
+- [Code integrity policy formats and signing](#code-integrity-policy-formats-and-signing)
+
+The information in this article provides a foundation for [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+
+## Hardware, firmware, and software requirements for Device Guard
+
+To deploy Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy code integrity policies—the difference is that those computers will not be as hardened against certain threats.
+
+For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Device Guard, see [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md).
+
+You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
+
+The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features.
+
+
+
+> **Notes**
+> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
+> - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
+
+## Device Guard requirements for baseline protections
+
+|Baseline Protections - requirement | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
+| Hardware: **CPU virtualization extensions**, Well-Known SID/RID S-1-5-7 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-11 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights [Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight [Add workstations to domain](add-workstations-to-domain.md): SeMachineAccountPrivilege [Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege Well-Known SID/RID S-1-5-3 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-3-1 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-3-0 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-1 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-64-21 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-9 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights Assignment [Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight [Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight Well-Known SID/RID S-1-1-0 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights [Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight [Act as part of the operating system](act-as-part-of-the-operating-system.md): SeTcbPrivilege [Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege Well-Known SID/RID S-1-5-4 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-19 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default user rights [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege [Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege [Change the system time](change-the-system-time.md): SeSystemtimePrivilege [Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege [Create global objects](create-global-objects.md): SeCreateGlobalPrivilege [Generate security audits](generate-security-audits.md): SeAuditPrivilege [Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege [Replace a process level token](replace-a-process-level-token.md): SeAssignPrimaryTokenPrivilege Well-Known SID/RID S-1-5-18 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-2 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-20 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege [Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege [Create global objects](create-global-objects.md): SeCreateGlobalPrivilege [Generate security audits](generate-security-audits.md): SeAuditPrivilege [Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege [Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege [Replace a process level token](replace-a-process-level-token.md): SeAssignPrimaryTokenPrivilege Well-Known SID/RID S-1-5-64-10 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-1000 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-10 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-14 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-12 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-64-14 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-6 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights [Create global objects](create-global-objects.md): SeCreateGlobalPrivilege [Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege Well-Known SID/RID S-1-5-13 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID S-1-5-15 Object Class Foreign Security Principal Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights None Well-Known SID/RID Object Class Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> Default User Rights [Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege [Increase a process working set](increase-a-process-working-set.md): SeIncreaseWorkingSetPrivilege [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. [Device Guard deployment guide](device-guard-deployment-guide.md) Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. Windows 10 employs Device Guard as well as code integrity and advanced hardware features such as CPU virtualization extensions, Trusted Platform Module, and second-level address translation to offer comprehensive modern security to its users. This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them. [Microsoft Passport guide](microsoft-passport-guide.md) This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout. Assign to employees X Add to private store X Remove from private store X View license details X View product details X X Download for offline use X Assign to employees X Add to private store X Remove from private store X View license details X View product details X X Download for offline use X Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) [Windows 10 servicing options](introduction-to-windows-10-servicing.md) This article describes the new servicing options available in Windows 10, Windows 10 Mobile, and Windows 10 IoT Core (IoT Core) and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles. **Note** **Important** **Important** **Important** **Note** **Important** **Important** **Note** **In Windows 10, version 1511** **In Windows 10, version 1607 and later** **In Windows 10, version 1511** **In Windows 10, version 1607 and later** Use this setting if you only want to support Azure AD in your organization. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required. **Note** **In Windows 10 Pro edition** **In Windows 10 Enterprise edition** **Important** ACT Community An online environment that enables ACT users to share issues and solution data with other registered ACT users. ACT Log Processing Service (LPS) The service that processes the log files uploaded from your client computers, adding the information to your ACT database. AppHelp message A type of compatibility fix. An AppHelp message is designed to appear when a user starts an application that has compatibility issues. The message can prevent the application from starting, or simply provide information about compatibility issues in the application. Application Compatibility Manager (ACM) The user interface that enables you to view reports generated from the ACT database. This is also where you create data-collection packages. Compatibility Administrator A tool that enables you to create and deploy compatibility fixes, compatibility modes, and AppHelp messages, to resolve your compatibility issues. compatibility fix A small piece of code that intercepts API calls from applications, transforming them so that Windows will provide the same product support for the application as previous versions of the operating system. Previously known as a "shim". compatibility mode Group of compatibility fixes found to resolve many common application compatibility issues. compatibility solution The solution to a known compatibility issue, as entered by the user, Microsoft, or a vendor. data-collection package A Windows installer (.msi) file created by Application Compatibility Manager (ACM) for deploying to each of your client computers. Data-collection packages include inventory collection packages and runtime analysis packages. deployment The process of distributing and installing a software program throughout an entire organization. A deployment is not the same as a pilot, which is where you provide the software application to a smaller group of users to identify and evaluate problems that might occur during the actual deployment. independent software vendor (ISV) An individual or an organization that independently creates computer software. inventory-collector package A package that examines each of your organization's computers to identify the installed applications and system information. You can view the results on the Analyze screen in ACM. Microsoft Compatibility Exchange A web service that transfers compatibility information between Microsoft and the ACT database. runtime-analysis package A data-collection package that you deploy to computers in a test environment for compatibility testing. The runtime-analysis package includes tools for monitoring applications for compatibility issues and submitting compatibility feedback. session 0 The session that is used for all of the system services. Previously, users could run in Session 0 without issues; however, this was changed in Windows Vista so that all users are now required to run in Session 1 or later. shim See Other Term: compatibility fix User Account Control (UAC) A security feature that helps prevent unauthorized changes to a computer, by asking the user for permission or administrator credentials before performing actions that could potentially affect the computer's operation or that change settings that affect multiple users. [Welcome to ACT](welcome-to-act.md) The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. With ACT, you can obtain compatibility information from Microsoft and software vendors, identify compatibility issues within your own organization, and share compatibility ratings with other ACT users. The tools in ACT help you analyze and mitigate compatibility issues before deploying a version of Windows to your organization. [Configuring ACT](configuring-act.md) This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization. [Using ACT](using-act.md) This section describes how to use the Application Compatibility Toolkit (ACT) in your organization. [Troubleshooting ACT](troubleshooting-act.md) This section provides troubleshooting information for the Application Compatibility Toolkit (ACT). [ACT User Interface Reference](act-user-interface-reference.md) This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT). [ACT Product and Documentation Resources](act-product-and-documentation-resources.md) The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT). [ACT Glossary](act-glossary.md) The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT). [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. Opens the Application Compatibility Manager Overview screen. Collect toolbar Analyze toolbar Opens the New Data Collection Package dialog box. For more information, see [Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md). Collect toolbar Exports your data-collection package settings. For more information, see [Exporting a Data-Collection Package](exporting-a-data-collection-package.md). Collect toolbar Deletes a data-collection package that has not yet run on your client computers. For more information, see [Deleting a Data-Collection Package](deleting-a-data-collection-package.md). Collect toolbar Imports an existing compatibility report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md). Analyze toolbar Saves a compatibility report, including your preferences and settings. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md). Analyze toolbar Exports your report data to a Microsoft® Excel® spreadsheet (.xls) file. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md). Analyze toolbar Synchronizes your compatibility data with the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md). Analyze toolbar Turns the query builder on or off. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md). Analyze toolbar Opens the Set Assessment dialog box. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). Analyze toolbar Report Details toolbar Opens the Set Deployment Status dialog box. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md). Analyze toolbar Report Details toolbar Opens the Assign Categories dialog box. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md). Analyze toolbar Report Details toolbar Opens the Assign Priorities dialog box. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md). Analyze toolbar Report Details toolbar Opens the Send and Receive Status dialog box. For more information, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md). Analyze toolbar Report Details toolbar Opens the Add Issue dialog box. For more information, see [Adding or Editing an Issue](adding-or-editing-an-issue.md). Report Details toolbar Opens the Add Solution dialog box. For more information, see [Adding or Editing a Solution](adding-or-editing-a-solution.md). Report Details toolbar Saves a compatibility issue. Add Issue dialog box Reactivates a resolved compatibility issue. For more information, see [Resolving an Issue](resolving-an-issue.md). Add Issue dialog box Refreshes the screen. If you are using the query builder, updates the screen with the query results. Collect toolbar Analyze toolbar Data Collection Package - Status toolbar Report Details toolbar Enables you to scroll up and down the screen or dialog box information, showing the related details. This button may not be available for all issues or information. Report Details toolbar Add Issue dialog box New Data Collection Package dialog box Data Collection Package - Status toolbar Opens the online Help system. All screens [Toolbar Icons in ACM](act-toolbar-icons-in-acm.md) The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM). [Ratings Icons in ACM](ratings-icons-in-acm.md) Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community. [Activating and Closing Windows in ACM](activating-and-closing-windows-in-acm.md) The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM). [Settings for ACM](settings-for-acm.md) This section provides information about settings that you can configure in Application Compatibility Manager (ACM). Title Can be up to 100 characters in length. Solution Type You must select a value from the list. Solution Details Information about your solution, including the steps to reproduce your fix. Solution Details URL URL for a page that shows more information about the solution. Title Can be up to 256 characters in length. Priority You must select a value from the list. Severity You must select a value from the list. Symptom You must select a value from the list. Cause You must select a value from the list. Affected Operating Systems Operating systems on which the issue occurs. You must select at least one operating system. Issue Description Description of the issue, including the steps to reproduce the problem. Link to More Information URL for a page that shows more information about the issue. [Viewing Your Compatibility Reports](viewing-your-compatibility-reports.md) This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. [Organizing Your Compatibility Data](organizing-your-compatibility-data.md) This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM). [Filtering Your Compatibility Data](filtering-your-compatibility-data.md) You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria. [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md) The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. This process involves checking for updated compatibility information from Microsoft over the Internet. You can send and receive data to keep Application Compatibility Manager (ACM) updated with the latest compatibility information. Assessment Shows the compatibility ratings for the application from the application vendor, your internal organization, and the ACT Community. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). Issues For each issue associated with the selected application, shows: The issue status, either active (a red X) or resolved (a green check mark). The provider who created the record of the issue. The severity of the issue as entered by the provider. The symptom of the issue as entered by the provider. The date on which the issue was added to the ACT database. For more information, see [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md). Application Properties Shows the following properties for the selected application: MSI. Shows the installer name, vendor, version, language, and so on. Add/Remove Programs. Shows the application name that appears in Control Panel, vendor, registry path, and string for uninstalling. Shell. Shows the shortcuts for the application and where the shortcuts appear on the Start menu. Registry. Shows the registry name for the application, registry path, file name, and so on. Service Control Manager. Shows the entries in the Services console that correspond to the application. Computers Shows the following information for each of the computers that have the specified application installed: Computer name, domain, and operating system. Media Access Control (MAC) address for the computer. Manufacturer of the computer. Labels Shows the label for the selected application. For information about labels, see [Labeling Data in ACM](labeling-data-in-acm.md). Feedback Shows feedback that your testers have submitted to the ACT database for the selected application. [Using Compatibility Monitor to Send Feedback](using-compatibility-monitor-to-send-feedback.md) The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package. From the computers in your test environment, you can use Compatibility Monitor to submit compatibility information to the Application Compatibility Toolkit (ACT) database for your organization. [Common Compatibility Issues](common-compatibility-issues.md) Compatibility issues tend to occur with the following technologies: Details Shows the following information for the selected computer: The computer name, operating system, architecture, and domain. The IP address, Media Access Control (MAC) address, and hardware identifier. The manufacturer, asset tag, and system number. The hardware specifications. Applications Shows the following information for each of the applications installed on the selected computer: The application name, version number, and application vendor. The compatibility rating for the application as determined by your organization. The compatibility information from the application vendor. The compatibility information from the ACT Community, which you can view if you are a member of the ACT Community. For more information, see [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md). The issues that have been opened for the application. The count of computers in your organization on which the application is installed. Devices Shows the following information for each of the devices installed on the selected computer: The model and manufacturer of the device. An evaluation of whether the device works on a 32-bit operating system or a 64-bit operating system. The class of device, as reported by the device. The count of computers in your organization on which the device is installed. Labels Shows the label for the selected computer. For information about labels, see [Labeling Data in ACM](labeling-data-in-acm.md). [ACT Tools, Packages, and Services](act-tools-packages-and-services.md) The Application Compatibility Toolkit is included with the Windows ADK. [Download the Windows ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) [ACT Deployment Options](act-deployment-options.md) While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT. [ACT Database Configuration](act-database-configuration.md) The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. If you do not use Microsoft SQL Server, you can download and install Microsoft SQL Server Express. For information about creating Microsoft SQL Server databases, see [Administering the Database Engine](http://go.microsoft.com/fwlink/p/?LinkId=64169). [ACT Database Migration](act-database-migration.md) The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. If the schema for an ACT database does not match the current schema, you can migrate the compatibility data to a new database. You can then use the current version of ACT to open the new database. [ACT LPS Share Permissions](act-lps-share-permissions.md) To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level. Supports a large number of servers in a limited amount of physical space. You can run as many virtual servers as the physical computer’s resources allow. Easily shares your test environment between teams. For example, your test team can create a virtualized test environment and then provide a copy to your development team for use in its development processes. Supports multiple users performing simultaneous testing, mimicking the ability for each user to have a dedicated test environment. Easily restores your environment to a previous state. For example, you can revert to a previous state by using the Undo Disks option. May reduce performance. Virtualized servers may be slower than their physical counterparts. The performance of virtualized servers is reduced because physical resources such as disks are virtualized. May not support all applications and device drivers. Some hardware-specific device drivers and applications are not supported in virtualized servers. [Adding or Editing an Issue](adding-or-editing-an-issue.md) In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover. [Adding or Editing a Solution](adding-or-editing-a-solution.md) If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation. [Resolving an Issue](resolving-an-issue.md) You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red x to a green check mark on your report and report detail screens. [<OperatingSystem> - Application Report](act-operatingsystem-application-report.md) Application Name Version Company My Assessment User Assessment Send/Receive Status Vendor Assessment Community Assessment Active Issues Computers Resolved Issues Language Priority Deployment Status Issues with Solutions [<OperatingSystem> - Computer Report](act-operatingsystem-computer-report.md) Computer Name Applications with Issues Devices with Issues Operating System Domain Applications Devices Priority [<OperatingSystem> - Device Report](act-operatingsystem-device-report.md) Model Manufacturer Assessment Device Class Computers Assessment Priority [Internet Explorer - Web Site Report](internet-explorer-web-site-report.md) Web Site My Assessment Active Issues Resolved Issues None Risk assessment The determination of whether the application has compatibility issues. Symptom Behavior exhibited by the application. Cause Reason for the failure. Provider and subprovider Source of the compatibility issue. Issue ID A unique ID number for the compatibility issue. Severity Impact this issue has on the application experience. Priority Degree of impact that this issue has on your organization. Published Date Date that the source entered the data into the database. Operating system name Friendly name of the installed operating system. Major version Major version number of the operating system. Minor version Minor version number of the operating system. Locale Language ID of the application to which the compatibility issue applies. Title Short title of the compatibility issue. Summary Description of the compatibility issue. Service pack major Major version number of the operating system service pack. Service pack minor Minor version number of the operating system service pack. URL HREF URL of any links provided for the compatibility issue. Provider and subprovider IDs IDs for the source of the compatibility issue's solution. Solution type Type of solution provided for the compatibility issue. Locale Language ID of the application to which the solution applies. Title Short title of the solution. Details Description of the solution. URL HREF URL of any links provided for the compatibility issue solution. Works The count of Works ratings, for 32-bit and 64-bit operating systems. Works with Minor Issues or has Solutions The count of Works with Minor Issues or has Solutions ratings, for 32-bit and 64-bit operating systems. Does Not Work The count of Does Not Work ratings, for 32-bit and 64-bit operating systems.
### Create a source file that contains the user and group accounts
@@ -448,8 +448,8 @@ After you have selected your user and group account bulk import method, you’re
| Method | Source file format |
|--------| -------------------|
-|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
-|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).|
+|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
+|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx).|
| Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
### Import the user accounts into AD DS
@@ -460,8 +460,8 @@ With the bulk-import source file finished, you’re ready to import the user and
For more information about how to import user accounts into AD DS by using:
-- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).
-- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).
+- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).
+- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx).
- Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).
### Summary
@@ -702,14 +702,14 @@ The first step in preparation for Windows 10 deployment is to configure—that i
The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/en-us/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices).
+2. Add LTI boot images (Windows PE images) to Windows Deployment Services. The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com//library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices).
### Summary
@@ -897,7 +897,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
Details Shows the following information for the selected device: The model and manufacturer of the device. The class of device, as reported by the device. An evaluation of whether the device works on a 32-bit operating system or a 64-bit operating system. Computers Shows the following information for each of the computers on which the device is installed: Computer name, domain, and operating system. The count of installed applications and devices. The count of installed applications and devices that have issues. And/Or If you select And, your data must match all query rows to appear as a returned result. If you select Or, your data can match any query row to appear as a returned result. Field Select filter criteria. Operator Select an operator. The available operators depend on the field that you choose. Value Type or select a value. [Deciding Whether to Fix an Application or Deploy a Workaround](deciding-whether-to-fix-an-application-or-deploy-a-workaround.md) You can fix a compatibility issue by changing the code for the application or by deploying a workaround. [SUA User's Guide](sua-users-guide.md) You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides the following: [Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md) When you create a data-collection package in Application Compatibility Manager (ACM), you can select an output location for your log files. You have the following options: [Exporting a Data-Collection Package](exporting-a-data-collection-package.md) In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data. [Deleting a Data-Collection Package](deleting-a-data-collection-package.md) In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database. [Labeling Data in ACM](labeling-data-in-acm.md) Application data and its associated compatibility issues can vary within an organization. For example, the applications used by a Human Resources (HR) department might differ from the applications used by a Sales department. Even for applications that are used across an organization, different compatibility issues might be found for each business group because of the unique application use by each business group. [<OperatingSystem> - Application Report](act-operatingsystem-application-report.md) Yes Yes Yes Yes Yes Yes [<OperatingSystem> - Computer Report](act-operatingsystem-computer-report.md) No No Yes Yes No No [<OperatingSystem> - Device Report](act-operatingsystem-device-report.md) No No Yes Yes No No [<WebsiteURL> Dialog Box](websiteurl-dialog-box.md) Yes Yes Yes Yes Yes Yes [Organizational Tasks for Each Report Type](organizational-tasks-for-each-report-type.md) The following table shows which tasks can be performed for each report type. [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md) You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. Your rating applies to your entire organization and is based on your own testing results and organizational requirements. [Selecting Your Deployment Status](selecting-your-deployment-status.md) In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites. [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md) To customize and filter your compatibility reports, you can create categories and subcategories to assign to your applications, computers, devices, and websites. By default, Microsoft provides the following categories: [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md) You can prioritize your applications, websites, computers, and devices to help customize and filter your compatibility reports. The priority levels are: [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md) For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md) This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange. And Priority Equals Priority 1 - Business Critical Or Priority Equals Priority 2 - Important Application, device, or website functions as expected on a 32-bit operating system. Application, device, or website functions as expected on a 64-bit operating system. Application, device, or website with issues that are minor or have known solutions on a 32-bit operating system. Severity 3 issues are considered minor issues. Application, device, or website with issues that are minor or have known solutions on a 64-bit operating system. Application, device, or website with major issues, such as data loss or severely impaired functionality, on 32-bit operating systems. Severity 1 and Severity 2 issues are considered major issues. Application, device, or website with major issues, such as data loss or severely impaired functionality, on 64-bit operating systems. Application, device, or website that does not have any application assessment data for 32-bit operating systems. The item does not match any information in the database, or no assessments have been submitted. Application, device, or website that does not have any application assessment data for 64-bit operating systems. And Send and Receive Status Equals Do not send to Microsoft And My Assessment Equals Works Or My Assessment Equals Works with minor issues or has solutions And Deployment Status Equals Mitigating Or Deployment Status Equals Ready to Deploy [Settings Dialog Box - Settings Tab](act-settings-dialog-box-settings-tab.md) To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md) To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. [Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md) An inventory-collector package gathers inventory data from the computers on which it is installed. This data includes the following: [Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md) You can use Application Compatibility Manager (ACM) to create an inventory-collector package. You can then deploy the inventory-collector package to other computers to gather inventory data. The package uploads inventory data to the Application Compatibility Toolkit (ACT) database. [Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md) You can use the following methods to deploy an inventory-collector package to the destination computers: [Deciding Which Applications to Test](deciding-which-applications-to-test.md) Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing. [Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md) The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. Your test environment is composed of computers on which the new operating system is installed. Your test environment can be a long-term investment. Consider retaining the test environment after deployment to assist in future deployment projects. [Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md) In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment. [Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md) When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing. [Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md) Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback. [Troubleshooting the ACT Configuration Wizard](troubleshooting-the-act-configuration-wizard.md) When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears. The wizard helps you configure your ACT database, your shared folder for ACT log files, and your ACT Log Processing Service account. [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md) The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service. [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md) The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT). [Taking Inventory of Your Organization](taking-inventory-of-your-organization.md) This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization. [Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md) This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment. [Managing Your Data-Collection Packages](managing-your-data-collection-packages.md) This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages. Data-collection packages include inventory-collector packages and runtime-analysis packages. The following procedures apply to both package types. [Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md) This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM). [Fixing Compatibility Issues](fixing-compatibility-issues.md) This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues. [<OperatingSystem> - Application Report](act-operatingsystem-application-report.md) This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. [<OperatingSystem> - Computer Report](act-operatingsystem-computer-report.md) The <OperatingSystem> - Computer Report screen shows the following information for each computer in your organization: [<OperatingSystem> - Device Report](act-operatingsystem-device-report.md) The <OperatingSystem> - Device Report screen shows the following information for each device installed in your organization: [Internet Explorer - Web Site Report](internet-explorer-web-site-report.md) The Internet Explorer - Web Site Report screen shows the following information for each of the websites visited in your organization: [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md) You can perform several common reporting tasks from the Analyze screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file. [Customizing Your Report Views](customizing-your-report-views.md) You can customize how you view your report data in Application Compatibility Manager (ACM). [What's New in ACT 6.1](whats-new-in-act-60.md) Two major updates have been released since ACT 6.1. They are ACT 6.1 Update and ACT 6.1 Update 2. The following table lists changes made in the Application Compatibility Toolkit (ACT), which is included in the Windows Assessment and Deployment Kit (ADK) download. [Software Requirements for ACT](software-requirements-for-act.md) The Application Compatibility Toolkit (ACT) has the following software requirements. [Software Requirements for RAP](software-requirements-for-rap.md) The runtime-analysis package (RAP) has the following software requirements. Bug fixes: this version of ACT addresses the following bugs: Capability to create custom compatibility fixes for Windows versions other than the currently running version. Fixed issue where Inventory-Collector Package crashes when running on some Windows 7 x86 systems. Fixed issue where not specifying a tag for Inventory-Collector Package would cause an error in the log processing service. The result of this bug was that data collected by the Package would not be processed. Fixed issue where Standard User Analyzer (SUA) returns an error when trying to apply mitigations to an app on Windows 7. Fixed issue where ACT is unable to create custom compatibility fixes for 32-bit systems correctly. Windows 10 Enterprise The PC must be running Windows 10 Enterprise. UEFI firmware version 2.3.1 or higher and Secure Boot To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement. Virtualization extensions The following virtualization extensions are required to support virtualization-based security: Firmware lock The firmware setup should be locked to prevent other operating systems from starting and to prevent changes to the UEFI settings. You should also disable boot methods other than from the hard drive. x64 architecture The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC. A VT-d or AMD-Vi IOMMU (Input/output memory management unit) In Windows 10, an IOMMU enhances system resiliency against memory attacks. ¹ Secure firmware update process To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement. Device Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes.
+ 
+ *Figure 1. Enable apps for offline use*
+
+4. Add Surface app to your Windows Store for Business account by following this procedure:
+ * Click the **Shop** menu.
+ * In the search box, type **Surface app**, and then click the search icon.
+ * After the Surface app is presented in the search results, click the app’s icon.
+ * You are presented with a choice (select **Online** or **Offline**), as shown in Figure 2.
+
+ 
+
+ *Figure 2. Select the Offline licensing mode and add the app to your inventory*
+
+ * Click **Offline** to select the Offline licensing mode.
+ * Click **Get the app** to add the app to your Windows Store for Business inventory. As shown in Figure 3, you’ll see a dialog box that prompts you to acknowledge that offline apps can be deployed using a management tool or downloaded from the company’s inventory page in their private store.
+
+ 
+
+ *Figure 3. Offline-licensed app acknowledgement*
+ * Click **OK**.
+
+##Download Surface app from a Windows Store for Business account
+After you add an app to the Windows Store for Business account in Offline mode, you can download and add the app as an AppxBundle to a deployment share.
+1. Log on to the Windows Store for Business account at https://businessstore.microsoft.com.
+2. Click the **Manage->Inventory** menu. A list of all apps in your company’s private store is displayed, including the Surface app you added in the [Add Surface app to a Windows Store for Business account](#add-surface-app-to-a-windows-store-for-business-account) section of this article.
+3. Under **Actions**, click the ellipsis (**…**), and then click **Download for offline use** for the Surface app.
+4. Select the desired **Platform** and **Architecture** options from the available selections for the selected app, as shown in Figure 4.
+
+ 
+
+ *Figure 4. Download the AppxBundle package for an app*
+5. Click **Download**. The AppxBundle package will be downloaded. Make sure you note the path of the downloaded file because you’ll need that later in this article.
+6. Click either the **Encoded license** or **Unencoded license** option. Use the Encoded license option with management tools like System Center Configuration Manager or when you use Windows Imaging and Configuration Designer (Windows ICD). Select the Unencoded license option when you use Deployment Image Servicing and Management (DISM) or deployment solutions based on imaging, including the Microsoft Deployment Toolkit (MDT).
+7. Click **Generate** to generate and download the license for the app. Make sure you note the path of the license file because you’ll need that later in this article.
+
+>**Note:** When you download an app for offline use, such as the Surface app, you may notice a section at the bottom of the page labeled **Required frameworks**. Your target computers must have the frameworks installed for the app to run, so you may need to repeat the download process for each of the required frameworks for your architecture (either x86 or x64) and also include them as part of your Windows deployment discussed later in this article.
+
+Figure 5 shows the required frameworks for the Surface app.
+
+
+
+*Figure 5. Required frameworks for the Surface app*
+
+>**Note:** The version numbers of the Surface app and required frameworks will change as the apps are updated. Check for the latest version of Surface app and each framework in Windows Store for Business. Always use the Surface app and recommended framework versions as provided by Windows Store for Business. Using outdated frameworks or the incorrect versions may result in errors or application crashes.
+
+To download the required frameworks for the Surface app, follow these steps:
+1. Click the **Download** button under **Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe**. This downloads the Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe.Appx file to your specified folder.
+2. Click the **Download** button under **Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe**. This downloads the Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe.Appx file to your specified folder.
+
+>**Note:** Only the 64-bit (x64) version of each framework is required for Surface devices. Surface devices are native 64-bit UEFI devices and are not compatible with 32-bit (x86) versions of Windows that would require 32-bit frameworks.
+
+##Install Surface app on your computer with PowerShell
+The following procedure provisions the Surface app onto your computer and makes it available for any user accounts created on the computer afterwards.
+1. Using the procedure described in the [How to download Surface app from a Windows Store for Business account](#how-to-download-surface-app-from-a-windows-store-for-business-account) section of this article, download the Surface app AppxBundle and license file.
+2. Begin an elevated PowerShell session.
+>**Note:** If you don’t run PowerShell as an Administrator, the session won’t have the required permissions to install the app.
+3. In the elevated PowerShell session, copy and paste the following command:
+ ```
+ Add-AppxProvisionedPackage –Online –PackagePath
+By using a fully automated task sequence in an MDT deployment share dedicated to reference image creation, you can greatly reduce the time and effort required to create new reference images and it is the best way to ensure that your organization is ready for feature updates and new versions of Windows 10.
+
+You can now boot from the network with a virtual machine to run the prepared task sequence and generate a reference image. When you prepare your virtual machine in Hyper-V for reference image creation, consider the following:
+
+* Use a Generation 1 virtual machine for the simplicity of drivers and to ensure maximum compatibility with both BIOS and UEFI devices.
+* Ensure your virtual machine has at least 1 GB of system memory at boot. You can ensure that the virtual machine has at least 1 GB of memory at boot but allow the memory to adjust after boot by using Dynamic Memory. You can read more about Dynamic Memory in the [Hyper-V Dynamic Memory Overview](https://technet.microsoft.com/library/hh831766).
+* Ensure your virtual machine uses a legacy network adapter to support network boot (PXE); that network adapter should be connected to the same network as your deployment server, and that network adapter should receive an IP address automatically via DHCP.
+* Configure your boot order such that PXE Boot is the first option.
+
+When your virtual machine (VM) is properly configured and ready, start or boot the VM and be prepared to press the F12 key when prompted to boot via PXE from the WDS server.
+
+Perform the reference image deployment and capture using the following steps:
+
+1. Start your virtual machine and press the F12 key when prompted to boot to the WDS server via PXE, as shown in Figure 15.
+
+ 
+
+ *Figure 15. Start network boot by pressing the F12 key*
+
+2. Click **Run the Deployment Wizard to Install a New Operating System** to begin the MDT deployment process.
+3. Enter your MDT username and password, a user with rights to access the MDT deployment share over the network and with rights to write to the Captures folder in the deployment share.
+4. After your credentials are validated, the Windows Deployment Wizard will start and process the boot and deployment share rules.
+5. The Windows Deployment Wizard displays a series of steps, as follows:
+ * **Task Sequence** – Select the task sequence you created for reference image creation (it should be the only task sequence available), and then click **Next**.
+ * **Computer Details** – Leave the default computer name, workgroup name, and the **Join a Workgroup** option selected, and then click **Next**. The computer name and workgroup will be reset when the image is prepared by Sysprep and captured.
+ * **Move Data and Settings** – Leave the default option of **Do Not Move User Data and Settings** selected, and then click **Next**.
+ * **User Data (Restore)** – Leave the default option of **Do Not Restore User Data and Settings** selected, and then click **Next**.
+ * **Locale and Time** – Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**.
+ * **Capture Image** – Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**.
+
+ 
+
+ *Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment*
+
+ * **Ready** – You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image.
+
+6. Your reference task sequence will run with the specified options.
+
+As the task sequence processes the deployment, it will automatically perform the following tasks:
+* Install the Windows 10 image from the installation files you supplied
+* Reboot into Windows 10
+* Run Windows updates until all Windows updates have been installed and the Windows environment is fully up to date
+* Run Sysprep and prepare the Windows 10 environment for deployment
+* Reboot into WinPE
+* Capture an image of the Windows 10 environment and store it in the Captures folder in the MDT deployment share
+
+>**Note:** The Windows Update process can take some time to complete as it searches the Internet for updates, downloads those updates, and then installs them. By performing this process now, in the reference environment, you eliminate the need to perform these tasks on each deployed device and significantly reduce the amount of time and bandwidth required to perform your deployment.
+
+When the task sequence completes, your virtual machine will be off and a new reference image complete with updates will be ready in your MDT deployment share for you to import it and prepare your deployment environment for deployment to Surface devices.
+
+## Deploy Windows 10 to Surface devices
+
+With a freshly prepared reference image, you are now ready to configure the deployment process for deployment to the Surface devices. Use the steps detailed in this section to produce a deployment process that requires minimal effort on each Surface device to produce a complete and ready-to-use Windows 10 environment.
+
+### Import reference image
+
+After the reference image has been created and stored in the Captures folder, you need to add it to your MDT deployment share as an image for deployment. You perform this task by using the same process that you used to import the installation files for Windows 10.
+
+To import the reference image for deployment, use the following steps:
+
+1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench or the folder you created in when you imported Windows 10 installation files, and then click **Import Operating System** to start the Import Operating System Wizard.
+2. Import the custom image with the Import Operating System Wizard by using the following steps:
+ * **OS Type** – Select Custom Image File to specify that you are importing the Windows source files from installation media, and then click **Next**.
+ * **Image** – Click **Browse**, and then navigate to and select the image file in the **Captures** folder in your deployment share. Select the **Move the Files to the Deployment Share Instead of Copying Them** checkbox if desired. Click **Next**.
+ * **Setup** – Click **Setup Files are not Neededf**, and then click **Next**.
+ * **Destination** – Enter a name for the new folder that will be created to hold the image file, and then click **Next**.
+ * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
+ * **Progress** – While the image is imported, a progress bar is displayed on this page.
+ * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Operating System Wizard.
+3. Expand the folder in which you imported the image to verify that the import completed successfully.
+
+>**Note:** You can import the reference image into the same deployment share that you used to create your reference image, or you could import the reference image into a new deployment share for deployment to your Surface devices. If you chose to create a new deployment share for deployment of your reference image, remember that you still need to import a full set of installation files from installation media.
+
+Now that your updated reference image is imported, it is time to prepare your deployment environment for deployment to Surface devices complete with drivers, applications, and automation.
+
+### Import Surface drivers
+
+Before you can deploy your updated reference image to Surface devices, or any physical environment, you need to supply MDT with the drivers that Windows will use to communicate with that physical environment. For Surface devices you can download all of the drivers required by Windows in a single archive (.zip) file in a format that is ready for deployment. In addition to the drivers that are used by Windows to communicate with the hardware and components, Surface firmware and driver packs also include updates for the firmware of those components. By installing the Surface firmware and driver pack, you will also bring your device’s firmware up to date. If you have not done so already, download the drivers for your Surface device listed at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
+
+Many devices require that you import drivers specifically for WinPE in order for the MDT boot media to communicate with the deployment share and to boot properly on that device. Even Surface Pro 3 required that network drivers be imported specifically for WinPE for deployment of Windows 8.1. Fortunately, for Windows 10 deployments to Surface devices, all of the required drivers for operation of WinPE are contained within the out-of-box drivers that are built into Windows 10. It is still a good idea to prepare your environment with folder structure and selection profiles that allow you to specify drivers for use in WinPE. You can read more about that folder structure in **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec05).
+
+To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow these steps:
+
+1. Extract the downloaded archive (.zip) file to a folder that you can easily locate. Keep the driver files separate from other drivers or files.
+2. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
+3. If you have not already created a folder structure by operating system version, you should do so now and create under the Windows 10 x64 folder a new folder for Surface Pro 4 drivers named Surface Pro 4. Your Out-of-Box Drivers folder should resemble the following structure, as shown in Figure 17:
+ * WinPE x86
+ * WinPE x64
+ * Windows 10 x64
+ * Microsoft Corporation
+ * Surface Pro 4
+
+ 
+
+ *Figure 17. The recommended folder structure for drivers*
+
+4. Right-click the **Surface Pro 4** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 18.
+
+ 
+
+ *Figure 18. The Progress page during drivers import*
+
+5. The Import Driver Wizard displays a series of steps, as follows:
+ * **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 4 firmware and drivers in Step 1.
+ * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
+ * **Progress** – While the drivers are imported, a progress bar is displayed on this page.
+ * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard.
+6. Click the **Surface Pro 4** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 19.
+
+ 
+
+ *Figure 19. Drivers for Surface Pro 4 imported and organized in the MDT deployment share*
+
+### Import applications
+
+You can import any number of applications into MDT for installation on your devices during the deployment process. You can configure your applications and task sequences to prompt you during deployment to pick and choose which applications are installed, or you can use your task sequence to explicitly define which applications are installed. For more information, see **Step 4: Add an application** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec04).
+
+#### Import Microsoft Office 365 Installer
+
+The Office Deployment Tool is a free download available in the Microsoft Download Center that allows IT professionals and system administrators to download and prepare Office installation packages for Office Click-to-Run. You can find the Office Deployment Tool and instructions to download Click-to-Run for Office 365 installation source files at [Download Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/library/jj219424).
+
+Download and install the version of Office Deployment Tool (ODT), for Office 2013 or Office 2016, that fits your organization’s needs and use the steps provided by that page to download the Office installation files for use with MDT.
+
+After you have downloaded the source files for your version of Office Click-to-Run, you need to edit the Configuration.xml file with instructions to install Office Click-to-Run silently. To configure the Office Deployment Tool for silent installation, follow these steps:
+
+1. Right-click the existing **Configuration.xml** file, and then click **Edit**.
+2. This action opens the file in Notepad. Replace the existing text with the following:
+ ```
+
+
+
+
+
@@ -82,6 +90,16 @@ For more information on planning for, deploying, and managing Surface devices in
+
+
+
+
diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md
index 9428200756..4d2733a4ad 100644
--- a/devices/surface/manage-surface-dock-firmware-updates.md
+++ b/devices/surface/manage-surface-dock-firmware-updates.md
@@ -2,6 +2,7 @@
title: Manage Surface Dock firmware updates (Surface)
description: Read about the different methods you can use to manage the process of Surface Dock firmware updates.
ms.assetid: 86DFC0C0-C842-4CD1-A2D7-4425471FFE3F
+localizationpriority: high
keywords: firmware, update, install, drivers
ms.prod: w10
ms.mktglfcycl: manage
@@ -43,7 +44,7 @@ The Surface Dock firmware update process shown in Figure 1 follows these steps:
8. When the Surface Dock is disconnected for a second time, the Surface dock installs the firmware update to the DisplayPort chipset. This process takes up to 3 minutes to apply.
-
+
*1- Driver installation can be performed by Windows Update, manual installation, or automatically downloaded with Microsoft Surface Dock Updater*
diff --git a/devices/surface/manage-surface-pro-3-firmware-updates.md b/devices/surface/manage-surface-pro-3-firmware-updates.md
index 3bc069e706..4c308a017a 100644
--- a/devices/surface/manage-surface-pro-3-firmware-updates.md
+++ b/devices/surface/manage-surface-pro-3-firmware-updates.md
@@ -3,6 +3,7 @@ title: Manage Surface driver and firmware updates (Surface)
description: This article describes the available options to manage firmware and driver updates for Surface devices.
ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73
keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB
+localizationpriority: high
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md
index 44428903c1..7071bb2da7 100644
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@@ -2,6 +2,7 @@
title: Manage Surface UEFI settings (Surface)
description: Use Surface UEFI settings to enable or disable devices or components, configure security settings, and adjust Surface device boot settings.
keywords: firmware, security, features, configure, hardware
+localizationpriority: high
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -39,9 +40,9 @@ You will also find detailed information about the firmware of your Surface devic
- Touch Firmware
-*Figure 1. System information and firmware version information*
+
-
+*Figure 1. System information and firmware version information*
You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/en-us/support/install-update-activate/surface-update-history) for your device.
@@ -59,21 +60,21 @@ On the **Security** page of Surface UEFI settings, you can set a password to pro
The password must be at least 6 characters and is case sensitive.
-*Figure 2. Add a password to protect Surface UEFI settings*
+
-
+*Figure 2. Add a password to protect Surface UEFI settings*
On the **Security** page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library.
-*Figure 3. Configure Secure Boot*
+
-
+*Figure 3. Configure Secure Boot*
You can also enable or disable the Trusted Platform Module (TPM) device on the **Security** page, as shown in Figure 4. The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library.
-*Figure 4. Configure Surface UEFI security settings*
+
-
+*Figure 4. Configure Surface UEFI security settings*
##Devices
@@ -95,9 +96,9 @@ On the **Devices** page you can enable or disable specific devices and component
Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5.
-*Figure 5. Enable and disable specific devices*
+
-
+*Figure 5. Enable and disable specific devices*
##Boot configuration
@@ -115,9 +116,9 @@ You can boot from a specific device immediately, or you can swipe left on that d
For the specified boot order to take effect, you must set the **Enable Alternate Boot Sequence** option to **On**, as shown in Figure 6.
-*Figure 6. Configure the boot order for your Surface device*
+
-
+*Figure 6. Configure the boot order for your Surface device*
You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only.
@@ -125,14 +126,14 @@ You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE
The **About** page displays regulatory information, such as compliance with FCC rules, as shown in Figure 7.
-*Figure 7. Regulatory information is displayed on the About page*
+
-
+*Figure 7. Regulatory information displayed on the About page*
##Exit
Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8.
-*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
+
-
+*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 6f76da2a15..b379604c7c 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -2,6 +2,7 @@
title: Microsoft Surface Data Eraser (Surface)
description: Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
ms.assetid: 8DD3F9FE-5458-4467-BE26-E9200341CF10
+localizationpriority: high
keywords: tool, USB, data, erase
ms.prod: w10
ms.mktglfcycl: manage
@@ -65,24 +66,24 @@ After the creation tool is installed, follow these steps to create a Microsoft S
3. Click **Start** to acknowledge that you have a USB stick of at least 4 GB connected, as shown in Figure 1.
- 
+ 
- Figure 1. Start the Microsoft Surface Data Eraser tool
+ *Figure 1. Start the Microsoft Surface Data Eraser tool*
4. Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 2, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost.
>**Note:** If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB.
- 
+ 
- Figure 2. USB thumb drive selection
+ *Figure 2. USB thumb drive selection*
5. After the creation process is finished, the USB drive has been formatted and all binaries are copied to the USB drive. Click **Success**.
6. When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 3.
- 
+ 
- Figure 3. Complete the Microsoft Surface Data Eraser USB creation process
+ *Figure 3. Complete the Microsoft Surface Data Eraser USB creation process*
7. Click **X** to close Microsoft Surface Data Eraser.
@@ -105,9 +106,9 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed.
- 
+ 
- Figure 4. Booting the Microsoft Surface Data Eraser USB stick
+ *Figure 4. Booting the Microsoft Surface Data Eraser USB stick*
4. Read the software license terms, and then close the notepad file.
@@ -123,9 +124,9 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
7. If you typed **S** to begin the data erase process, the partition that will be erased is displayed, as shown in Figure 5. If this is correct, press **Y** to continue, or **N** to shut down the device.
- 
+ 
- Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser
+ *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser*
8. If you pressed **Y** in step 7, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice.
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index 8b9b17335c..c7b442925d 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -2,6 +2,7 @@
title: Microsoft Surface Deployment Accelerator (Surface)
description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
+localizationpriority: high
keywords: deploy, install, tool
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,17 +14,17 @@ author: miladCA
# Microsoft Surface Deployment Accelerator
-Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
+Microsoft Surface Deployment Accelerator (SDA) provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
-Microsoft Surface Deployment Accelerator includes a wizard that automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools. The resulting deployment solution is complete with everything you need to immediately begin the deployment of Windows to a Surface device. You can also use Microsoft Surface Deployment Accelerator to create and capture a Windows reference image and then deploy it with the latest Windows Updates.
+SDA includes a wizard that automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools. The resulting deployment solution is complete with everything you need to immediately begin the deployment of Windows to a Surface device. You can also use SDA to create and capture a Windows reference image and then deploy it with the latest Windows updates.
-Microsoft Surface Deployment Accelerator is built on the powerful suite of deployment tools available from Microsoft including the Windows Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). The resulting deployment share encompasses the recommended best practices for managing drivers during deployment and automating image creation and can serve as a starting point upon which you build your own customized deployment solution.
+SDA is built on the powerful suite of deployment tools available from Microsoft including the Windows Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). The resulting deployment share encompasses the recommended best practices for managing drivers during deployment and automating image creation and can serve as a starting point upon which you build your own customized deployment solution.
You can find more information about how to deploy to Surface devices, including step-by-step walkthroughs of customized deployment solution implementation, on the Deploy page of the [Surface TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=691693).
**Download Microsoft Surface Deployment Accelerator**
-You can download the installation files for Microsoft Surface Deployment Accelerator from the Microsoft Download Center. To download the installation files:
+You can download the installation files for SDA from the Microsoft Download Center. To download the installation files:
1. Go to the [Surface Tools for IT](http://go.microsoft.com/fwlink/p/?LinkId=618121) page on the Microsoft Download Center.
@@ -32,9 +33,9 @@ You can download the installation files for Microsoft Surface Deployment Acceler
## Microsoft Surface Deployment Accelerator prerequisites
-Before you install Microsoft Surface Deployment Accelerator, your environment must meet the following prerequisites:
+Before you install SDA, your environment must meet the following prerequisites:
-- Microsoft Surface Deployment Accelerator must be installed on Windows Server 2012 R2 or later
+- SDA must be installed on Windows Server 2012 R2 or later
- PowerShell Script Execution Policy must be set to **Unrestricted**
@@ -44,45 +45,74 @@ Before you install Microsoft Surface Deployment Accelerator, your environment mu
- To support network boot, the Windows Server 2012 R2 environment must have Windows Deployment Services installed and configured to respond to PXE requests
-- Access to Windows source files or installation media is required when you prepare a deployment with Microsoft Surface Deployment Accelerator
+- Access to Windows source files or installation media is required when you prepare a deployment with SDA
- At least 6 GB of free space for each version of Windows you intend to deploy
## How Microsoft Surface Deployment Accelerator works
-As you progress through the Microsoft Surface Deployment Accelerator wizard, you will be asked some basic questions about how your deployment solution should be configured. As you select the desired Surface models to be supported and apps to be installed (see Figure 1), the wizard will prepare scripts that download, install, and configure everything needed to perform a complete deployment and capture of a reference image. By using the network boot (PXE) capabilities of Windows Deployment Services (WDS), the resulting solution enables you to boot a Surface device from the network and perform a clean deployment of Windows.
+As you progress through the SDA wizard, you will be asked some basic questions about how your deployment solution should be configured. As you select the desired Surface models to be supported and apps to be installed (see Figure 1), the wizard will prepare scripts that download, install, and configure everything needed to perform a complete deployment and capture of a reference image. By using the network boot (PXE) capabilities of Windows Deployment Services (WDS), the resulting solution enables you to boot a Surface device from the network and perform a clean deployment of Windows.
-
+
-Figure 1: Select desired apps and drivers
+*Figure 1. Select desired apps and drivers*
-When the Microsoft Surface Deployment Accelerator completes, you can use the deployment share to deploy over the network immediately. Simply boot your Surface device from the network using a Surface Ethernet Adapter and select the Surface deployment share you created with the Microsoft Surface Deployment Accelerator wizard. Select the **1- Deploy Microsoft Surface** task sequence and the wizard will walk you through an automated deployment of Windows to your Surface device.
+When the SDA completes, you can use the deployment share to deploy over the network immediately. Simply boot your Surface device from the network using a Surface Ethernet Adapter and select the Surface deployment share you created with the SDA wizard. Select the **1- Deploy Microsoft Surface** task sequence and the wizard will walk you through an automated deployment of Windows to your Surface device.
You can modify the task sequence in the MDT Deployment Workbench to [include your own apps](http://go.microsoft.com/fwlink/p/?linkid=691700), or to [pause the automated installation routine](http://go.microsoft.com/fwlink/p/?linkid=691701). While the installation is paused, you can make changes to customize your reference image. After the image is captured, you can configure a deployment task sequence and distribute this custom configuration by using the same network boot capabilities as before.
->**Note:** With Microsoft Surface Deployment Accelerator v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface Pro 3 is supported for Windows 8.1 deployment.
+>**Note:** With SDA v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface Pro 3 is supported for Windows 8.1 deployment.
## Use Microsoft Surface Deployment Accelerator without an Internet connection
-For environments where the Microsoft Surface Deployment Accelerator server will not be able to connect to the Internet, the required Surface files can be downloaded separately. To specify a local source for Surface driver and app files, select the **Copy from a local directory** option and specify the location of your downloaded files (see Figure 2). All of the driver and app files for your selected choices must be placed in the specified folder.
+For environments where the SDA server will not be able to connect to the Internet, the required Surface files can be downloaded separately. To specify a local source for Surface driver and app files, select the **Copy from a local directory** option and specify the location of your downloaded files (see Figure 2). All of the driver and app files for your selected choices must be placed in the specified folder.
-
+
-Figure 2. Specify a local source for Surface driver and app files
+*Figure 2. Specify a local source for Surface driver and app files*
You can find a full list of available driver downloads at [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
>**Note:** Downloaded files do not need to be extracted. The downloaded files can be left as .zip files as long as they are stored in one folder.
+>**Note:** Using files from a local directory is not supported when including Office 365 in your deployment share. To include Office 365 in your deployment share, select the **Download from the Internet** check box.
+
+## Changes and updates
+
+SDA is periodically updated by Microsoft. For instructions on how these features are used, see [Step-by-Step: Microsoft Surface Deployment Accelerator](https://technet.microsoft.com/en-us/itpro/surface/step-by-step-surface-deployment-accelerator).
+
+>**Note:** To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share.
+### Version 1.96.0405
+This version of SDA adds support for the following:
+* Microsoft Deployment Toolkit (MDT) 2013 Update 2
+* Office 365 Click-to-Run
+* Surface 3 and Surface 3 LTE
+* Reduced Windows Assessment and Deployment Kit (Windows ADK) footprint, only the following Windows ADK components are installed:
+ * Deployment tools
+ * Windows Preinstallation Environment (WinPE)
+ * User State Migration Tool (USMT)
-
+### Version 1.90.0258
+This version of SDA adds support for the following:
+* Surface Book
+* Surface Pro 4
+* Windows 10
-
+### Version 1.90.0000
+This version of SDA adds support for the following:
+* Local driver and app files can be used to create a deployment share without access to the Internet
+
+### Version 1.70.0000
+This version is the original release of SDA. This version of SDA includes support for:
+* MDT 2013 Update 1
+* Windows ADK
+* Surface Pro 3
+* Windows 8.1
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 07c32b693b..c2113bd72b 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -2,6 +2,7 @@
title: Step by step Surface Deployment Accelerator (Surface)
description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices.
ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032
+localizationpriority: high
keywords: deploy, configure
ms.prod: w10
ms.mktglfcycl: deploy
@@ -26,17 +27,17 @@ For information about prerequisites and instructions for how to download and ins
3. Accept the End User License Agreement (EULA) by selecting the check box, and then click **Install**, as shown in Figure 1.
- 
+ 
- Figure 1. SDA setup
+ *Figure 1. SDA setup*
4. Click **Finish** to complete the installation of SDA.
-The tool installs in the Surface Deployment Accelerator program group, as shown in Figure 2.
+The tool installs in the SDA program group, as shown in Figure 2.
-
+
-Figure 2. The Surface Deployment Accelerator program group and icon
+*Figure 2. The SDA program group and icon*
>**Note:** At this point the tool has not yet prepared any deployment environment or downloaded any materials from the Internet.
@@ -45,7 +46,7 @@ Figure 2. The Surface Deployment Accelerator program group and icon
## Create a deployment share
-The following steps show how you create a deployment share for Windows 10 that supports Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, and the Surface Asset Tag Tool. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps.
+The following steps show you how to create a deployment share for Windows 10 that supports Surface 3, Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, the Surface Asset Tag Tool, and Office 365. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps.
>**Note:** SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice.
@@ -55,7 +56,14 @@ The following steps show how you create a deployment share for Windows 10 that
2. On the **Welcome** page, click **Next** to continue.
-3. On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 1. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue.
+3. On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue.
+
+ >**Note:** As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows:
+ * Deployment tools
+ * User State Migration Tool (USMT)
+ * Windows Preinstallation Environment (WinPE)
+
+ >**Note:** As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1.
4. On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue.
@@ -75,15 +83,17 @@ The following steps show how you create a deployment share for Windows 10 that
- **Local Path** – Specify or browse to the root directory of Windows 10 installation files. If you have an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of source files, not just **Install.wim**.
- 
+ 
- Figure 3. Specify Windows 10 deployment share options
+ *Figure 3. Specify Windows 10 deployment share options*
-6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface Pro 3 and cannot be selected unless Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue.
+6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface 3 and Surface Pro 3 and cannot be selected unless Surface 3 or Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue.
- 
+ 
- Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers
+ *Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers*
+
+ >**Note:** You cannot select both Surface 3 and Surface 3 LTE models at the same time.
7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes:
@@ -105,9 +115,9 @@ The following steps show how you create a deployment share for Windows 10 that
- Creation of rules and task sequences for Windows deployment
- 
+ 
- Figure 5. The **Installation Progress** window
+ *Figure 5. The Installation Progress window*
8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices.
@@ -115,13 +125,15 @@ The following steps show how you create a deployment share for Windows 10 that
If you are unable to connect to the Internet with your deployment server, or if you want to download the Surface drivers and apps separately, you can specify a local source for the driver an app files at the time of deployment share creation. On the **Configure** page of the SDA wizard, select the **Copy from a Local Directory** check box, as shown in Figure 6. The **Download from the Internet** check box will be automatically deselected. Enter the folder location where you have placed the driver and app files in the **Local Path** field, as shown in Figure 6.
->**Note:** All of the downloaded driver and applications files must be located in the same folder. The driver and app files do not need to be extracted from the downloaded .zip files.
+>**Note:** All of the downloaded driver and applications files must be located in the same folder. If a required driver or application file is missing from the selected folder when you click **Next**, a warning is displayed and the wizard will not proceed to the next step.
-
+>**Note:** The driver and app files do not need to be extracted from the downloaded .zip files.
-
+>**Note:** Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you use local files.
-Figure 6. Specify the Surface driver and app files from a local path
+
+
+*Figure 6. Specify the Surface driver and app files from a local path*
>**Note:** The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later.
@@ -159,9 +171,9 @@ Before you can create bootable media files within the MDT Deployment Workbench o
9. **exit** – Exits DiskPart, after which you can close the PowerShell or Command Prompt window.
- 
+ 
- Figure 7. Use DiskPart to prepare a USB drive for boot
+ *Figure 7. Use DiskPart to prepare a USB drive for boot*
>**Note:** You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the partition as active for the drive to boot properly.
@@ -177,15 +189,15 @@ After you have prepared the USB drive for boot, the next step is to generate off
4. Right-click the **Media** folder and click **New Media** as shown in Figure 8 to start the New Media Wizard.
- 
+ 
- Figure 8. The Media folder of the SDA deployment share
+ *Figure 8. The Media folder of the SDA deployment share*
5. On the **General Settings** page in the **Media path** field, enter or browse to a folder where you will create the files for the new offline media. See the example **E:\\SDAMedia** in Figure 9. Leave the default profile **Everything** selected in the **Selection profile** drop-down menu, and then click **Next**.
- 
+ 
- Figure 9. Specify a location and selection profile for your offline media
+ *Figure 9. Specify a location and selection profile for your offline media*
6. On the **Summary** page verify your selections, and then click **Next** to begin creation of the media.
@@ -195,9 +207,9 @@ After you have prepared the USB drive for boot, the next step is to generate off
9. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab as shown in Figure 10.
- 
+ 
- Figure 10. The Rules of the SDA deployment share
+ *Figure 10. Rules of the SDA deployment share*
10. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+C** to copy the text.
@@ -229,15 +241,17 @@ After you have prepared the USB drive for boot, the next step is to generate off
UserPassword=
```
- 
+ 
- Figure 11. The Bootstrap.ini file of MEDIA001
+ *Figure 11. The Bootstrap.ini file of MEDIA001*
20. Close Bootstrap.ini and click **OK** in **MEDIA001** deployment share properties to close the window.
21. In the **Deployment Workbench** under the **Media** folder, right-click the newly created **MEDIA001** and click **Update Media Content**, as shown in Figure 12. This will update the media files with the content of the **Microsoft Surface Deployment Accelerator** deployment share.
- Figure 12. Select **Update Media Content**
+ 
+
+ *Figure 12. Select the Update Media Content option*
22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.**
@@ -252,11 +266,11 @@ Your USB drive is now configured as bootable offline media that contains all of
## SDA task sequences
-The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences contain the steps required to perform a deployment to a Surface device using the default Windows image from the installation media or to create a reference image complete with Windows updates and applications. To learn more about task sequences, see [MDT 2013 Update 1 Lite Touch components](http://technet.microsoft.com/en-us/itpro/windows/deploy/mdt-2013-lite-touch-components).
+The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences contain the steps required to perform a deployment to a Surface device using the default Windows image from the installation media or to create a reference image complete with Windows updates and applications. To learn more about task sequences, see [MDT 2013 Update 2 Lite Touch components](https://technet.microsoft.com/itpro/windows/deploy/mdt-2013-lite-touch-components).
-
+
-Figure 13. Task sequences in the Deployment Workbench
+*Figure 13. Task sequences in the Deployment Workbench*
### Deploy Microsoft Surface
@@ -286,7 +300,7 @@ The **2 – Create Windows Reference Image** task sequence is used to perform a
Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation of a reference image should always be performed on a virtual machine. Using a virtual machine as your reference system helps to ensure that the resulting image is compatible with different hardware configurations.
->**Note:** Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information see [Deploy a Windows 10 image using MDT 2013 Update 1](http://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
+>**Note:** Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](http://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
@@ -323,9 +337,9 @@ To instruct your Surface device to boot from the network, start with the device
4. Enter the domain credentials that you use to log on to the server where SDA is installed when you are prompted, as shown in Figure 14.
- 
+ 
- Figure 14. The prompt for credentials to the deployment share
+ *Figure 14. The prompt for credentials to the deployment share*
5. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process.
@@ -343,15 +357,15 @@ To run the Deploy Microsoft Surface task sequence:
1. On the **Task Sequence** page, select the **1 – Deploy Microsoft Surface** task sequence as shown in Figure 15, and then click **Next.**
- 
+ 
- Figure 15. Select the **1 – Deploy Microsoft Surface** task sequence
+ *Figure 15. Select the 1 – Deploy Microsoft Surface task sequence*
2. On the **Computer Details** page, type a name for the Surface device in the **Computer Name** box. In the **Join a domain** section, type your domain name and credentials as shown in Figure 16, and then click **Next**.
- 
+ 
- Figure 16. Enter the computer name and domain information
+ *Figure 16. Enter the computer name and domain information*
3. On the **Product Key** page, keep the **No product key is required** check box selected if you are deploying the same version and edition of Windows to your Surface devices as they came with from the factory. If you are deploying a different version or edition of Windows to the device, such as Windows Enterprise, select the licensing option that is applicable to your scenario.
@@ -363,9 +377,9 @@ To run the Deploy Microsoft Surface task sequence:
7. On the **Ready** page, verify your selections and then click **Begin** to start the automated deployment to this device. The deployment will not require user interaction again. The Windows Deployment Wizard will close and an **Installation Progress** window is displayed to show progress of the task sequence as the image is applied and applications are installed (Figure 17).
- 
+ 
- Figure 17. The **Installation Progress** window
+ *Figure 17. The Installation Progress window*
8. When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to complete the deployment and begin using your Surface device.
diff --git a/devices/surface/surface-diagnostic-toolkit.md b/devices/surface/surface-diagnostic-toolkit.md
index bcea29785f..78142a380b 100644
--- a/devices/surface/surface-diagnostic-toolkit.md
+++ b/devices/surface/surface-diagnostic-toolkit.md
@@ -3,6 +3,7 @@ title: Microsoft Surface Diagnostic Toolkit (Surface)
description: Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.
ms.assetid: FC4C3E76-3613-4A84-A384-85FE8809BEF1
keywords: hardware, device, tool, test, component
+localizationpriority: high
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
@@ -33,7 +34,7 @@ The [Microsoft Surface Diagnostic Toolkit](http://go.microsoft.com/fwlink/p/?Lin
- Surface Pro
->**Note:** Security software and built-in security measures in many email applications and services will block executable files that are transferred through email. To email the Surface Diagnostic Toolkit, attach the .zip archive file as downloaded from the Surface Tools for IT page without extracting it first. You can also create a custom .zip archive that contains the .exe file. (For example, if you want to localize the text as described in the [Localization](#localization) section of this article.)
+>**Note:** Security software and built-in security measures in many email applications and services will block executable files that are transferred through email. To email the Surface Diagnostic Toolkit, attach the archive file (.zip) as downloaded from the Surface Tools for IT page without extracting it first. You can also create a custom .zip archive that contains the .exe file. (For example, if you want to localize the text as described in the [Localization](#localization) section of this article.)
Running the Microsoft Surface Diagnostic Toolkit is a hands-on activity. The test sequence includes several tests that require you to perform actions or observe the outcome of the test, and then click the applicable **Pass** or **Fail** button. Some tests require connectivity to external devices, like an external display. Other tests use the built in Windows troubleshooters. At the end of testing, a visual report of the test results is displayed and you are given the option to save a log file or copy the results to the clipboard.
@@ -49,17 +50,73 @@ To run a full set of tests with the Microsoft Surface Diagnostic Toolkit, you sh
- Room to move the Surface device around
-- External speakers or headphones
+- External speakers or headphones with a 3.5mm stereo plug
->**Note:** The Microsoft Surface Diagnostic Toolkit tests verify only the hardware of a Surface device and do not test or resolve issues with the operating system or software.
+- A power adapter for your Surface device
+
+>**Note:** The Microsoft Surface Diagnostic Toolkit tests verify only the hardware of a Surface device and do not resolve issues with the operating system or software.
+
+## Configure test options
+
+Before you select the tests you want to run, you can click the Tools  button in the upper right corner of the window (as shown in Figure 1) to access the Options section of the Microsoft Surface Diagnostic Toolkit. In the Options section, you can configure the depth of testing and logs, as well as the save location for log files. You can also create and use additional language files for the dialog of each test.
+
+
+
+*Figure 1. The Tools button highlighted in upper right corner of window*
+
+>**Note:** Any options you want to select must be specified before you run the tests. You cannot change the test options after the testing sequence has started.
+
+####Test depth
+You can quickly select among three modes for testing and diagnostics by using the **Test Depth** page. The **Test Depth** page displays a slider with three possible positions, as shown in Figure 2. These positions determine which tests are run and what information is recorded without requiring you to select specific tests with the **Run Specific Tests** button. The three modes allow you to focus the tests of the Microsoft Surface Diagnostic Toolkit on hardware, software, or both hardware and software.
+
+
+
+*Figure 2. The Test Depth slider to select the depth of data collection*
+
+When you select a mode by using the Test Depth slider, a configuration file (.ini) with the same name as the Microsoft Surface Diagnostic Toolkit executable (.exe) file is created in the same folder. For example, if the Microsoft Surface Diagnostic Toolkit executable file is SurfaceDiagnosticToolkit.exe, the configuration file will be SurfaceDiagnosticToolkit.ini. When the executable file is run, the options will be automatically set by the configuration file. To run the Microsoft Surface Diagnostic Toolkit in a specific mode on multiple devices, ensure that the .ini file remains in the same folder with the .exe file used on each device.
+
+When you run the Microsoft Surface Diagnostic Toolkit, you can still use the **Run Specific Tests** button to enable or disable specific tests. The tests selected on the **Please Select Tests to Run** page take priority over the tests enabled or disabled by the mode specified on the **Test Depth** page. When a mode is selected the tests that are applicable to that mode will be enabled by default and the tests that are not required for that mode will be disabled.
+
+Each mode has a specific focus and records a different level of information in the log files, as follows:
+
+* **Hardware and Software Focus.** This is the default mode for the Microsoft Surface Diagnostic Toolkit. In this mode all tests that are applicable to the device are run. This mode logs the most information and takes the most time.
+* **Software Experience Focus.** This mode collects information about the device and records it in the log file. No hardware tests are performed in this mode. The following tests are run in this mode:
+ * Windows Update Check Test
+ * Device Information Test
+ * System Assessment Test
+ * Crash Dump Collection Test
+ * Modern Standby Test
+* **Hardware Validation Focus.** This mode tests the hardware of the device but does not collect system log files or device information. All diagnostic tests relevant to the device hardware are run in this mode. The exact tests that are run will vary from device to device depending on the hardware configuration. This mode logs the least information and requires the least amount of time.
+
+
+####Save location
+Use the **Browse** button on the **Save Location** page to select a default location for the Microsoft Surface Diagnostic Toolkit log files to be saved. When the tests complete the user will still be prompted to save a log file and a log file will not be saved automatically. The user must still click the **Save to File** button to save the log files. As with the Test Depth mode, this save location is stored in the Microsoft Surface Diagnostic Toolkit configuration (.ini) file and if the file does not exist, configuring this option will generate the file.
+
+####Additional language
+Refer to the [Localization](#localization) section of this article for information about how to customize the dialog displayed during each test. On the **Additional Language** page, you can generate a localization file that you can use to customize the dialog during each test. You can also specify a specific localization file to be used with the Microsoft Surface Diagnostic Toolkit with the **Browse** button.
+
+####Feedback
+You can use the form on the **Feedback** page to inform the product team of any problems that you encounter with the Microsoft Surface Diagnostic Toolkit or to provide any suggestions for how the Microsoft Surface Diagnostic Toolkit could be improved.
-
## The tests
-
The Microsoft Surface Diagnostic Toolkit runs several individual tests on a Surface device. Not all tests are applicable to every device. For example, the Home button test is not applicable to Surface Pro 4 where there is no Home button. You can specify which tests to run, or you can choose to run all tests. For tests that require external devices (such as testing output to an external display) but you do not have the required external device at the time of the test, you are given the option to skip the test. If a test fails, you are prompted to continue or stop testing at that time.
+When the testing completes, the **Test Results** page is displayed (as shown in Figure 3) and shows the status of each test: passed, failed, or inconclusive (skipped). You can choose to run the tests again; to save a log file, including any additional log files gathered by tests; or to copy the log file text to the clipboard.
+
+
+
+*Figure 3. View of the results of the tests*
+
+When the tests have completed, you can also add additional notes to the log files by clicking **Add additional feedback to results ->** on the **Test Results** page. Use the **Type any additional feedback about these tests** field on the **Test Results** page to add your notes, as shown in Figure 4.
+
+
+
+*Figure 4. Add notes to the log file*
+
+Notes that you type on this page are displayed in the log files after the results of the selected tests and before the **Files** section. The section header in the log files for these notes is named **User Feedback**.
+
#### Windows Update
This test checks for any outstanding Windows updates and will prompt you to install those updates before you proceed to other tests. It is important to keep a Surface device up to date with the latest Windows updates, including drivers and firmware for the Surface device. The success of some of the tests that are performed later in the task sequence depend on these updated drivers and firmware. You will be prompted to restart the device if required by Windows Update. If you must restart the device, you will need to start the Microsoft Surface Diagnostic Toolkit again.
@@ -213,7 +270,7 @@ Insert a micro SD or SD card when you are prompted. When the SD card is detected
#### Microphone test
-This test displays the **Recording** tab of the Sound item in Control Panel. The test prompts you to monitor the meter that is displayed next to the **Microphone Array** recording device. A recommended test is to speak and watch for your speech to be detected in the meter. If the meter moves when you speak, the microphone is working correctly. For Surface Book you will be prompted to tap locations near the microphones. This tapping should produce noticeable spikes in the audio meter.
+This test displays a meter that shows the microphone sound level and records audio for a short period of time. Say a few words or make noise and make note that the meter displays the sound level accordingly. A countdown timer is displayed to indicate how much time is remaining for you to record sound. When the countdown timer expires, the recorded audio is played back. Verify that the words or noises sound clear and accurate, and then mark the test as passed or failed depending on the results.
#### Video out test
@@ -231,11 +288,13 @@ After you receive a prompt to put the device in pairing mode, the test opens the
Use this test to verify that the cameras on your Surface device are operating properly. Images will be displayed from both the front and rear cameras, and the infrared camera on a Surface Pro 4. Continuous autofocus can be enabled on the rear camera. Move the device closer and farther away from an object to verify the operation of continuous autofocus.
+>**Note:** You can also use the **Snapshot to Logs** option to save a snapshot of the video output to the log files.
+
#### Speaker test
>**Note:** Headphones or external speakers are required to test the headphone jack in this test.
-This test plays audio over left and right channels respectively, both for the internal speakers and for speakers or headphones connected to the headphone jack. Mark each channel as a pass or fail as you hear the audio play.
+This test plays audio over left and right channels respectively, both for the internal speakers and for speakers or headphones connected through the headphone jack. Plug in your headphones or speakers to the 3.5mm stereo jack when prompted. The test will automatically detect that a sound playback device has been connected. Mark each channel as a pass or fail as you hear the audio play through the speakers or headphones.
#### Network test
@@ -267,15 +326,21 @@ The compass detects which direction the Surface device is facing relative to nor
The ambient light sensor is used to automatically adjust screen brightness relative to the ambient lighting in the environment. Turn the device toward or away from a light source to cause the screen to dim or brighten in response increased or decreased light. The test automatically passes when the screen brightness automatically changes.
+>**Note:** You can also block the ambient light from the sensor by holding your hand slightly in front of the light sensor, which is located directly next to the camera. Use the provided meter to determine if you are blocking light from the sensor.
+
#### Device orientation test
>**Note:** Before you run this test, disable rotation lock from the Action Center if enabled.
-The device orientation sensor determines what the angle of the Surface device is, relative to the ground. Rotate the display 90 degrees or 180 degrees to cause the screen orientation to switch between portrait and landscape mode. The test automatically passes when the screen orientation switches.
+The device orientation sensor determines what the angle of the Surface device is, relative to the ground. Rotate the display 90 degrees or 180 degrees to cause the screen orientation to switch between portrait and landscape mode. If you have a Surface Type Cover or the Surface Book keyboard connected, you will be prompted to disconnect the Surface from the keyboard to allow screen rotation. The test automatically passes when the screen orientation switches.
#### Brightness test
-This test cycles the screen through brightness levels from 0 percent to 100 percent, and then a message is displayed to confirm if the brightness level changed accordingly. You are then prompted to disconnect the power adapter. The screen should automatically dim when power is disconnected.
+This test cycles the screen through brightness levels from 0 percent to 100 percent, and then a message is displayed to confirm if the brightness level changed accordingly. You are then prompted to test for brightness reaction. To test the reaction of brightness when running on battery, disconnect the power adapter. The screen should automatically dim when power is disconnected.
+
+#### Surface Dock test
+The Microsoft Surface Diagnostic Toolkit uses this test only if a Surface Dock is connected to the device. If a Surface Dock is detected, this test verifies that the Surface Dock driver firmware is updated. For more detailed analysis of Surface Dock firmware status and how to manually initiate the firmware update process, see the [Microsoft Surface Dock Updater](https://technet.microsoft.com/en-us/itpro/surface/surface-dock-updater) article.
+
#### System assessment
@@ -291,6 +356,19 @@ Performance and diagnostic trace logs are recorded from Performance Monitor for
If your Surface device has encountered an error that caused the device to fail or produce a blue screen error, this stage of the Microsoft Surface Diagnostic Toolkit records the information from the automatically recorded crash dump files in the diagnostic log. You can use these crash dump files to identify a faulty driver, hardware component, or application through analysis. Use the [Windows Debugging Tool](http://go.microsoft.com/fwlink/p/?LinkId=746488) to analyze these files. If you are not familiar with the analysis of crash dump files, you can describe your issue and post a link to your crash dump files (uploaded to OneDrive or another file sharing service) in the [Windows TechNet Forums](http://go.microsoft.com/fwlink/p/?LinkId=746489).
+#### Connected standby text
+
+>**Note:** This test is only available on Surface devices running Windows 8 or Windows 8.1.
+
+If connected standby is enabled on the Surface device, this test passes automatically. If connected standby is not enabled, a failure is recorded for this test. Find out more about Connected Standby and Modern Standby at [Modern Standby](https://msdn.microsoft.com/library/windows/hardware/mt282515) on MSDN.
+
+#### Modern standby test
+
+>**Note:** This test is only available on Surface devices running Windows 10.
+
+This test records log files of the power configuration for the Surface device using the **powercfg.exe /a** command. The test completes automatically and a failure is only recorded if the command does not run.
+
+
## Command line
You can run the Microsoft Surface Diagnostic Toolkit from the command line or as part of a script. The tool supports the following arguments:
@@ -430,25 +508,26 @@ Surface_Diagnostic_Toolkit_1.0.60.0.exe “logpath=C:\Folder with spaces”
## Localization
-By default, the Microsoft Surface Diagnostic Toolkit is available in English only. If you want to localize the text of the Microsoft Surface Diagnostic Toolkit prompts into another language, you can do so by creating a custom localization file. If the localization file exists, the Microsoft Surface Diagnostic Toolkit will override the default English text and use the text contained in the file instead. To create a localization file, follow these steps:
+By default, the Microsoft Surface Diagnostic Toolkit is available in English only. If you want to localize the text of the Microsoft Surface Diagnostic Toolkit prompts into another language, you can do so by creating a custom localization file. To create a new localization file (.locale), follow these steps:
-1. Open Notepad.
+1. Click the Tools  button.
+2. Click the **Additional Language** page.
+3. Click the **Generate** button and the new .locale file is created.
-2. Type the following line at the beginning of the file:
+The locale file that is created when you use these steps will have the same name as your executable file, even if it has been changed from the default. For example, if the Microsoft Surface Diagnostic Toolkit executable file is SurfaceDiagnosticToolkit.exe, the localization file would be SurfaceDiagnosticToolkit.locale. The locale file will be created in the same folder as the executable file. If a localization file with this name already exists, you will be prompted to overwrite the existing file. The file that is created when you click the **Generate** button is always generated in the default language, English.
- ``` syntax
-
The certificate generated by this script is not recommended for production environments.
+
+ ```
+if (-not (Test-Path "Demo Certificate")) { New-Item -ItemType Directory -Force -Path "Demo Certificate" }
+if (Test-Path "Demo Certificate\TempOwner.pfx") { Remove-Item "Demo Certificate\TempOwner.pfx" }
+
+# Generate the Ownership private signing key with password 12345678
+$pw = ConvertTo-SecureString "12345678" -AsPlainText -Force
+
+$TestUefiV2 = New-SelfSignedCertificate `
+ -Subject "CN=Surface Demo Kit, O=Contoso Corporation, C=US" `
+ -Type SSLServerAuthentication `
+ -HashAlgorithm sha256 `
+ -KeyAlgorithm RSA `
+ -KeyLength 2048 `
+ -KeyUsage KeyEncipherment `
+ -KeyUsageProperty All `
+ -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
+ -NotAfter (Get-Date).AddYears(25) `
+ -TextExtension @("2.5.29.37={text}1.2.840.113549.1.1.1") `
+ -KeyExportPolicy Exportable
+
+$TestUefiV2 | Export-PfxCertificate -Password $pw -FilePath "Demo Certificate\TempOwner.pfx"
+ ```
+
+For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must be exported with the private key and with password protection. Microsoft Surface UEFI Configurator will prompt you to select the SEMM certificate file (.pfx) and certificate password when it is required.
+
+>**Note**: For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.
diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md
new file mode 100644
index 0000000000..5e31091376
--- /dev/null
+++ b/devices/surface/unenroll-surface-devices-from-semm.md
@@ -0,0 +1,148 @@
+---
+title: Unenroll Surface devices from SEMM (Surface)
+description: Learn how to unenroll a device from SEMM by using a Surface UEFI reset package or the Recovery Request option.
+keywords: surface enterprise management
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices, security
+ms.sitesec: library
+author: jobotto
+---
+
+# Unenroll Surface devices from SEMM
+
+When a Surface device is enrolled in Surface Enterprise Management Mode (SEMM), a certificate is stored in the firmware of that device. The presence of that certificate and the enrollment in SEMM prevent any unauthorized changes to Surface UEFI settings or options while the device is enrolled in SEMM. To restore control of Surface UEFI settings to the user, the Surface device must be unenrolled from SEMM, a process sometimes described as reset or recovery. There are two methods you can use to unenroll a device from SEMM—a Surface UEFI reset package and a Recovery Request.
+
+>**Warning:** To unenroll a device from SEMM and restore user control of Surface UEFI settings, you must have the SEMM certificate that was used to enroll the device in SEMM. If this certificate becomes lost or corrupted, it is not possible to unenroll from SEMM. Back up and protect your SEMM certificate accordingly.
+
+For more information about SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
+
+## Unenroll a Surface device from SEMM with a Surface UEFI reset package
+
+The Surface UEFI reset package is the primary method you use to unenroll a Surface device from SEMM. Like a Surface UEFI configuration package, the reset package is a Windows Installer (.msi) file that configures SEMM on the device. Unlike the configuration package, the reset package will reset the Surface UEFI configuration on a Surface device to its default settings, remove the SEMM certificate, and unenroll the device from SEMM.
+
+Reset packages are created specifically for an individual Surface device. To begin the process of creating a reset package, you will need the serial number of the device you want to unenroll, as well as the SEMM certificate used to enroll the device. You can find the serial number of your Surface device on the **PC information** page of Surface UEFI, as shown in Figure 1. This page is displayed even if Surface UEFI is password protected and the incorrect password is entered.
+
+
+
+*Figure 1. The serial number of the Surface device is displayed on the Surface UEFI PC information page*
+
+>**Note:** To boot to Surface UEFI, press **Volume Up** and **Power** simultaneously while the device is off. Hold **Volume Up** until the Surface logo is displayed and the device begins to boot.
+
+To create a Surface UEFI reset package, follow these steps:
+
+1. Open Microsoft Surface UEFI Configurator from the Start menu.
+2. Click **Start**.
+3. Click **Reset Package**, as shown in Figure 2.
+
+ 
+
+ *Figure 2. Click Reset Package to create a package to unenroll a Surface device from SEMM*
+
+4. Click **Certificate Protection** to add your SEMM certificate file with private key (.pfx), as shown in Figure 3. Browse to the location of your certificate file, select the file, and then click **OK**.
+
+ 
+
+ *Figure 3. Add the SEMM certificate to a Surface UEFI reset package*
+
+5. Click **Next**.
+6. Type the serial number of the device you want to unenroll from SEMM (as shown in Figure 4), and then click **Build** to generate the Surface UEFI reset package.
+
+ 
+
+ *Figure 4. Use the serial number of your Surface device to create a Surface UEFI reset package*
+
+7. In the **Save As** dialog box, specify a name for the Surface UEFI reset package, browse to the location where you would like to save the file, and then click **Save**.
+8. When the package generation has completed, the **Successful** page is displayed. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
+
+Run the Surface UEFI reset package Windows Installer (.msi) file on the Surface device to unenroll the device from SEMM. The reset package will require a reboot to perform the unenroll operation. After the device has been unenrolled, you can verify the successful removal by ensuring that the **Microsoft Surface Configuration Package** item in **Programs and Features** (shown in Figure 5) is no longer present.
+
+
+
+*Figure 5. The presence of the Microsoft Surface Configuration Package item in Programs and Features indicates that the device is enrolled in SEMM*
+
+## Unenroll a Surface device from SEMM with a Recovery Request
+
+In some scenarios, a Surface UEFI reset package may not be a viable option to unenroll a Surface device from SEMM (for example, where Windows has become unusable). In these scenarios you can unenroll the device by using a Recovery Request generated from within Surface UEFI. The Recovery Request process can be initiated even on devices where you do not have the Surface UEFI password.
+
+The Recovery Request process is initiated from Surface UEFI on the Surface device, approved with Microsoft Surface UEFI Configurator on another computer, and then completed in Surface UEFI. Like the reset package, approving a Recovery Request with Microsoft Surface UEFI Configurator requires access to the SEMM certificate that was used to enroll the Surface device.
+
+To initiate a Recovery Request, follow these steps:
+
+1. Boot the Surface device that is to be unenrolled from SEMM to Surface UEFI.
+2. Type the Surface UEFI password if you are prompted to do so.
+3. Click the **Enterprise management** page, as shown in Figure 6.
+
+ 
+
+ *Figure 6. The Enterprise management page is displayed in Surface UEFI on devices enrolled in SEMM*
+
+4. Click or press **Get Started**.
+5. Click or press **Next** to begin the Recovery Request process.
+ >**Note:** A Recovery Request expires two hours after it is created. If a Recovery Request is not completed in this time, you will have to restart the Recovery Request process.
+6. Select **SEMM Certificate** from the list of certificates displayed on the **Choose a SEMM reset key** page (shown in Figure 7), and then click or press **Next**.
+
+ 
+
+ *Figure 7. Choose SEMM Certificate for your Recovery Request (Reset Request)*
+
+7. On the **Enter SEMM reset verification code** page you can click the **QR Code** or **Text** buttons to display your Recovery Request (Reset Request) as shown in Figure 8, or the **USB** button to save your Recovery Request (Reset Request) as a file to a USB drive, as shown in Figure 9.
+
+ 
+
+ *Figure 8. A Recovery Request (Reset Request) displayed as a QR Code*
+
+ 
+
+ *Figure 9. Save a Recovery Request (Reset Request) to a USB drive*
+
+ * To use a QR Code Recovery Request (Reset Request), use a QR reader app on a mobile device to read the code. The QR reader app will translate the QR code into an alphanumeric string. You can then email or message that string to the administrator that will produce the reset verification code with Microsoft Surface UEFI Configurator.
+ * To use a Recovery Request (Reset Request) saved to a USB drive as a file, use the USB drive to transfer the file to the computer where Microsoft Surface UEFI Configurator will be used to produce the Reset Verification Code. The file can also be copied from the USB drive on another device to be emailed or transferred over the network.
+ * To use the Recovery Request (Reset Request) as text, simply type the text directly into Microsoft Surface UEFI Configurator.
+
+8. Open Microsoft Surface UEFI Configurator from the Start menu on another computer.
+>**Note:** Microsoft Surface UEFI Configurator must run in an environment that is able to authenticate the certificate chain for the SEMM certificate.
+9. Click **Start**.
+10. Click **Recovery Request**, as shown in Figure 10.
+
+ 
+
+ *Figure 10. Click Recovery Request to begin the process to approve a Recovery Request*
+
+11. Click **Certificate Protection** to authenticate the Recovery Request with the SEMM certificate.
+12. Browse to and select your SEMM certificate file, and then click **OK**.
+13. When you are prompted to enter the certificate password as shown in Figure 11, type and confirm the password for the certificate file, and then click **OK**.
+
+ 
+
+ *Figure 11. Type the password for the SEMM certificate*
+
+14. Click **Next**.
+15. Enter the Recovery Request (Reset Request), and then click **Generate** to create a reset verification code (as shown in Figure 12).
+
+ 
+
+ *Figure 12. Enter the Recovery Request (Reset Request)*
+
+ * If you displayed the Recovery Request (Reset Request) as text on the Surface device being reset, use the keyboard to type the Recovery Request (Reset Request) in the provided field.
+ * If you displayed the Recovery Request (Reset Request) as a QR Code and then used a messaging or email application to send the code to the computer with Microsoft Surface UEFI Configurator, copy and paste the code into the provided field.
+ * If you saved the Recovery Request (Reset Request) as a file to a USB drive, click the **Import** button, browse to and select the Recovery Request (Reset Request) file, and then click **OK**.
+
+16. The reset verification code is displayed in Microsoft Surface UEFI Configurator, as shown in Figure 13.
+
+ 
+
+ *Figure 13. The reset verification code displayed in Microsoft Surface UEFI Configurator*
+
+ * Click the **Share** button to send the reset verification code by email.
+
+17. Enter the reset verification code in the provided field on the Surface device (shown in Figure 8), and then click or press **Verify** to reset the device and unenroll the device from SEMM.
+18. Click or press **Restart now** on the **SEMM reset successful** page to complete the unenrollment from SEMM, as shown in Figure 14.
+
+ 
+
+ *Figure 14. Successful unenrollment from SEMM*
+
+19. Click **End** in Microsoft Surface UEFI Configurator to complete the Recovery Request (Reset Request) process and close Microsoft Surface UEFI Configurator.
+
+
diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
new file mode 100644
index 0000000000..d44af98e0d
--- /dev/null
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
@@ -0,0 +1,226 @@
+---
+title: Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit (Surface)
+description: Find out how to perform a Windows 10 upgrade deployment to your Surface devices.
+keywords: windows 10 surface, upgrade, customize, mdt
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: surface
+ms.sitesec: library
+author: Scottmca
+---
+
+# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
+
+#### Applies to
+* Surface Pro 3
+* Surface 3
+* Surface Pro 2
+* Surface Pro
+* Windows 10
+
+In addition to the traditional deployment method of reimaging devices, administrators that want to upgrade Surface devices that are running Windows 8.1 or Windows 10 have the option of deploying upgrades. By performing an upgrade deployment, Windows 10 can be applied to devices without removing users, apps, or configuration. The users of the deployed devices can simply continue using the devices with the same apps and settings that they used prior to the upgrade. The process described in this article shows how to perform a Windows 10 upgrade deployment to Surface devices.
+
+If you are not already familiar with the deployment of Windows or the Microsoft deployment tools and technologies, you should read [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) and familiarize yourself with the traditional deployment method before you proceed.
+
+#### The upgrade concept
+
+When you use the factory installation media to install Windows on a device, you are presented with two options or *installation paths* to install Windows on that device. The first of these installation paths – *clean installation* – allows you to apply a factory image of Windows to that device, including all default settings. The second of these installation paths – *upgrade* – allows you to apply Windows to the device but retains the device’s users, apps, and settings.
+
+When you perform a Windows deployment using traditional deployment methods, you follow an installation path that is very similar to a clean installation. The primary difference between the clean installation and the traditional deployment method of *reimaging* is that with reimaging, you can apply an image that includes customizations. Microsoft deployment technologies, such as the Microsoft Deployment Toolkit (MDT), expand the capabilities of the reimaging process by modifying the image during deployment. For example, MDT is able to inject drivers for a specific hardware configuration during deployment, and with pre and post imaging scripts to perform a number of tasks, such as the installation of applications.
+
+For versions of Windows prior to Windows 10, if you wanted to install a new version of Windows on your devices and preserve the configuration of those systems, you had to perform additional steps during your deployment. For example, if you wanted to keep the data of users on the device, you had to back up user data with the User State Migration Tool (USMT) prior to the deployment and restore that data after the deployment had completed.
+
+Introduced with Windows 10 and MDT 2013 Update 1, you can use the upgrade installation path directly with Microsoft deployment technologies such as the Microsoft Deployment Toolkit (MDT). With an upgrade deployment you can use the same deployment technologies and process, but you can preserve users settings, and applications of the existing environment on the device.
+
+## Deployment tools and resources
+
+Performing an upgrade deployment of Windows 10 requires the same tools and resources that are required for a traditional reimaging deployment. You can read about the tools required, including detailed explanations and installation instructions, in [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md). To proceed with the upgrade deployment described in this article, you will need the following tools installed and configured:
+
+* [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/en-us/windows/dn475741)
+* [Windows Assessment and Deployment Kit (Windows ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#windowsadk), which includes:
+ * Deployment Image Servicing and Management (DISM)
+ * Windows Preinstallation Environment (Windows PE)
+ * Windows System Image Manager (Windows SIM)
+
+You will also need to have available the following resources:
+
+* Windows 10 installation files, such as the installation media downloaded from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx)
+ >**Note:** Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT.
+* [Surface firmware and drivers](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10
+* Application installation files for any applications you want to install, such as the Surface app
+
+## Prepare the upgrade deployment
+
+Before you begin the process described in this section, you need to have installed and configured the deployment tools outlined in the previous [Deployment tools and resources](#deployment-tools-and-resources) section. For instructions on how to install and configure the deployment tools, see the **Install the deployment tools** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#install-the-deployment-tools) article. You will also have needed to create a deployment share with MDT, described in the section Create a Deployment Share in the aforementioned article.
+
+### Import Windows 10 installation files
+
+Windows 10 installation files only need to be imported if you have not already done so in the deployment share. To import Windows 10 installation files, follow the steps described in the **Import Windows installation files** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#import-windows-installation-files) article.
+
+### Import Surface drivers
+In the import process example shown in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, drivers for Surface Pro 4 were imported for Windows 10. To perform an upgrade deployment of Windows 10 to Surface Pro 3, drivers for Surface Pro 3 must also be imported. To import the Surface drivers for Surface Pro 3, follow these steps:
+
+1. Download the Surface Pro 3 firmware and driver pack for Windows 10 archive file (.zip), SurfacePro3_Win10_xxxxxx.zip, from the [Surface Pro 3 download page](https://www.microsoft.com/en-US/download/details.aspx?id=38826) in the Microsoft Download Center.
+2. Extract the contents of the Surface Pro 3 firmware and driver pack archive file to a temporary folder. Keep the driver files separate from other drivers or files.
+3. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
+4. If you have not already created a folder structure by operating system version, you should do so next. Under the **Windows 10 x64** folder, create a new folder for Surface Pro 3 drivers named **Surface Pro 3**. Your Out-of-Box Drivers folder should resemble the following structure:
+ * WinPE x86
+ * WinPE x64
+ * Windows 10 x64
+ * Microsoft Corporation
+ * Surface Pro 4
+ * Surface Pro 3
+5. Right-click the **Surface Pro 3** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1.
+
+ 
+
+ *Figure 1. Import Surface Pro 3 drivers for Windows 10*
+
+6. The Import Driver Wizard displays a series of steps, as follows:
+ - **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 3 firmware and drivers in Step 1.
+ - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process.
+ - **Progress** – While the drivers are imported, a progress bar is displayed on this page.
+ - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Drivers Wizard.
+7. Select the **Surface Pro 3** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 2.
+
+ 
+
+ *Figure 2. Drivers for Surface Pro 3 imported and organized in the MDT deployment share*
+
+### Import applications
+
+Installation of applications in an upgrade deployment is not always necessary because the applications from the previous environment will remain on the device. (For example, in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, the deployment includes Office 365 which is not required in an upgrade deployment where the user is already using Office 365 on the device.)
+
+There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/en-us/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence.
+
+### Create the upgrade task sequence
+
+After you have all of the resources in place to perform the deployment (including the installation files, Surface drivers, and application files), the next step is to create the upgrade task sequence. This task sequence is a series of steps that will be performed on the device being upgraded that applies the new Windows environment, compatible drivers, and any applications you have specified.
+
+Create the upgrade task sequence with the following process:
+
+1. In the Deployment Workbench under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
+2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
+ - **General Settings** – Enter an identifier for the deployment task sequence in the Task Sequence ID field, a name for the deployment task sequence in the Task Sequence Name field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, and then click **Next**.
+ >**Note:** The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
+ - **Select Template** – Select **Standard Client Upgrade Task Sequence** from the drop-down menu, and then click **Next**.
+ - **Select OS** – Navigate to and select the Windows image that you imported, and then click **Next**.
+ - **Specify Product Key** – Select the product key entry that fits your organization’s licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.
+ - **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
+ - **Admin Password** – Select **Use the Specified Local Administrator Password** and enter a password in the provided fields, and then click **Next**.
+ - **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
+ - **Progress** – While the task sequence is being created, a progress bar is displayed on this page.
+ - **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete New Task Sequence Wizard.
+
+After the task sequence is created, you can modify some additional settings to provide additional automation of the task sequence and require less interaction during deployment. Follow these steps to modify the task sequence:
+
+1. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
+2. Select the **Task Sequence** tab to view the steps that are included in the new task sequence.
+3. Select the **Windows Update (Pre-Application Installation)** step, located under the **State Restore** folder.
+4. Click the **Options** tab, and then clear the **Disable This Step** check box.
+5. Repeat Step 3 and Step 4 for the **Windows Update (Post-Application Installation)** step.
+6. Between the two Windows Update steps is an **Install Applications** step. Select that step and then click **Add**.
+7. Hover the mouse over **General** under the **Add** menu, and then choose **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3.
+
+ 
+
+ *Figure 3. A new Install Application step in the deployment task sequence*
+
+8. On the **Properties** tab of the new **Install Application** step, enter **Install Surface App** in the **Name** field.
+9. Select **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
+10. Select **Surface App** from the list of applications, and then click **OK**.
+11. Expand the **Preinstall** folder and select the **Enable BitLocker (Offline)** step.
+12. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu.
+13. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 4) configure the following options:
+
+ - **Name** – Set DriverGroup001
+ - **Task Sequence Variable** – DriverGroup001
+ - **Value** – Windows 10 x64\%Make%\%Model%
+
+ 
+
+ *Figure 4. Configure a new Set Task Sequence Variable step in the deployment task sequence*
+
+14. Select the **Inject Drivers** step, the next step in the task sequence.
+15. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 5) configure the following options:
+ * In the **Choose a selection profile** drop-down menu, select **Nothing**.
+ * Click the **Install all drivers from the selection profile** button.
+
+ 
+
+ *Figure 5. Configure the deployment task sequence to not install drivers*
+
+16. Click **OK** to apply changes to the task sequence and close the task sequence properties window.
+
+Steps 11 through 15 are very important to the deployment of Surface devices. These steps instruct the task sequence to install only drivers that are organized into the correct folder using the organization for drivers from the [Import Surface drivers](#import-surface-drivers) section.
+
+### Deployment share rules
+
+To automate the upgrade process, the rules of the MDT deployment share need to be modified to suppress prompts for information from the user. Unlike a traditional deployment, Bootstrap.ini does not need to be modified because the deployment process is not started from boot media. Similarly, boot media does not need to be imported into WDS because it will not be booted over the network with PXE.
+
+To modify the deployment share rules and suppress the Windows Deployment Wizard prompts for information, copy and paste the following text into the text box on the **Rules** tab of your deployment share properties:
+
+```
+[Settings]
+Priority=Model,Default
+Properties=MyCustomProperty
+
+[Surface Pro 4]
+SkipTaskSequence=YES
+TaskSequenceID=Win10SP4
+
+[Surface Pro 3]
+SkipTaskSequence=YES
+TaskSequenceID=Win10SP3Up
+
+[Default]
+OSInstall=Y
+SkipCapture=YES
+SkipAdminPassword=YES
+SkipProductKey=YES
+SkipComputerBackup=YES
+SkipBitLocker=YES
+SkipBDDWelcome=YES
+SkipUserData=YES
+UserDataLocation=AUTO
+SkipApplications=YES
+SkipPackageDisplay=YES
+SkipComputerName=YES
+SkipDomainMembership=YES
+JoinDomain=contoso.com
+DomainAdmin=MDT
+DomainAdminDomain=contoso
+DomainAdminPassword=P@ssw0rd
+SkipLocaleSelection=YES
+KeyboardLocale=en-US
+UserLocale=en-US
+UILanguage=en-US
+SkipTimeZone=YES
+TimeZoneName=Pacific Standard Time
+UserID=MDTUser
+UserDomain=STNDeployServer
+UserPassword=P@ssw0rd
+SkipSummary=YES
+SkipFinalSummary=YES
+FinishAction=LOGOFF
+```
+
+
+
+For more information about the rules configured by this text, see the **Configure deployment share rules** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#configure-deployment-share-rules) article.
+
+### Update deployment share
+
+To update the deployment share, right-click the deployment share in the Deployment Workbench and click **Update Deployment Share**, then proceed through the Update Deployment Share Wizard. See the **Update and import updated MDT boot media** section of the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#update-and-import-updated-mdt-boot-media) article for detailed steps.
+
+### Run the upgrade deployment
+
+Unlike a traditional deployment, the upgrade task sequence must be launched from within the Windows environment that will be upgraded. This requires that a user on the device to be upgraded navigate to the deployment share over the network and launch a script, LiteTouch.vbs. This script is the same script that displays the Windows Deployment Wizard in Windows PE in a traditional deployment. In this scenario, Litetouch.vbs will run within Windows. To perform the upgrade task sequence and deploy the upgrade to Windows 10 follow these steps:
+
+1. Browse to the network location of your deployment share in File Explorer.
+2. Navigate to the **Scripts** folder, locate **LiteTouch.vbs**, and then double-click **LiteTouch.vbs** to start the Windows Deployment Wizard.
+3. Enter your credentials when prompted.
+4. The upgrade task sequence for Surface Pro 3 devices will automatically start when the model of the device is detected and determined to match the deployment share rules.
+5. The upgrade process will occur automatically and without user interaction.
+
+The task sequence will automatically install the drivers for Surface Pro 3 and the Surface app, and will perform any outstanding Windows Updates. When it completes, it will log out and be ready for the user to log on with the credentials they have always used for this device.
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index 7ab6d68a18..d0d6052781 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -20,10 +20,10 @@ author: jdeckerMS
Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
- A Microsoft Edge browser window opens, showing just the test and nothing else.
+- The clipboard is cleared.
- Students aren’t able to go to other websites.
- Students can’t open or access other apps.
- Students can't share, print, or record their screens.
-- Students can’t copy or paste.
- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index a1fa849959..fece24bac1 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -20,10 +20,10 @@ author: jdeckerMS
The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
- A Microsoft Edge browser window opens, showing just the test and nothing else.
+- The clipboard is cleared.
- Students aren’t able to go to other websites.
- Students can’t open or access other apps.
- Students can't share, print, or record their screens.
-- Students can’t copy or paste.
- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index 9e881238b6..c0de33cc5b 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -20,10 +20,10 @@ author: jdeckerMS
Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
- **Take a Test** shows just the test and nothing else.
+- **Take a Test** clears the clipboard.
- Students aren’t able to go to other websites.
- Students can’t open or access other apps.
- Students can't share, print, or record their screens.
-- Students can’t copy or paste.
- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
diff --git a/mdop/appv-v5/TOC.md b/mdop/appv-v5/TOC.md
index 3f983101a4..2836e9c7ab 100644
--- a/mdop/appv-v5/TOC.md
+++ b/mdop/appv-v5/TOC.md
@@ -25,7 +25,7 @@
#### [Deploying the App-V 5.1 Sequencer and Client](deploying-the-app-v-51-sequencer-and-client.md)
##### [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-51gb18030.md)
##### [About Client Configuration Settings 5.1](about-client-configuration-settings51.md)
-##### [How to Deploy the App-V 4.6.x and the App-V 5.1 Client on the Same Computer](how-to-deploy-the-app-v-46x-and-the-app-v--51-client-on-the-same-computer.md)
+##### [How to Deploy the App-V 4.6 and the App-V 5.1 Client on the Same Computer](how-to-deploy-the-app-v-46-and-the-app-v--51-client-on-the-same-computer.md)
##### [How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md)
##### [How to Install the Sequencer](how-to-install-the-sequencer-51beta-gb18030.md)
##### [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md)
@@ -81,11 +81,10 @@
#### [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md)
##### [Check Registry Keys before installing App-V 5.x Server](check-reg-key-svr.md)
##### [How to Convert a Package Created in a Previous Version of App-V 5.1](how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md)
-##### [How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md)
-##### [How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md)
-##### [How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 Package For All Users on a Specific Computer](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-all-users-on-a-specific-computer.md)
-##### [How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-sp2-package-for-a-specific-user.md)
-##### [How to Use an App-V 4.6 SP1 Application From an App-V 5.1 Application](how-to-use-an-app-v-46-sp1-application-from-an-app-v-51-application.md)
+##### [How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md)
+##### [How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md)
+##### [How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 Package For All Users on a Specific Computer](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-package-for-all-users-on-a-specific-computer.md)
+##### [How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-package-for-a-specific-user.md)
#### [Maintaining App-V 5.1](maintaining-app-v-51.md)
##### [How to Move the App-V Server to Another Computer 5.1](how-to-move-the-app-v-server-to-another-computer51.md)
#### [Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md)
@@ -141,7 +140,7 @@
#### [Deploying the App-V 5.0 Sequencer and Client](deploying-the-app-v-50-sequencer-and-client.md)
##### [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-gb18030.md)
##### [About Client Configuration Settings](about-client-configuration-settings.md)
-##### [How to Deploy the App-V 4.6.x and the App-V 5.0 Client on the Same Computer](how-to-deploy-the-app-v-46x-and-the-app-v--50-client-on-the-same-computer.md)
+##### [How to Deploy the App-V 4.6 and the App-V 5.0 Client on the Same Computer](how-to-deploy-the-app-v-46-and-the-app-v--50-client-on-the-same-computer.md)
##### [How to Install the App-V 5.0 Client for Shared Content Store Mode](how-to-install-the-app-v-50-client-for-shared-content-store-mode.md)
##### [How to Install the Sequencer](how-to-install-the-sequencer-beta-gb18030.md)
##### [How to Modify App-V 5.0 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-50-client-configuration-using-the-admx-template-and-group-policy.md)
@@ -196,11 +195,10 @@
##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-beta.md)
#### [Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md)
##### [How to Convert a Package Created in a Previous Version of App-V](how-to-convert-a-package-created-in-a-previous-version-of-app-v.md)
-##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.0 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md)
-##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.0 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-50-for-a-specific-user.md)
-##### [How to Revert Extension Points from an App-V 5.0 Package to an App-V 4.6 SP2 Package For All Users on a Specific Computer](how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-sp2-package-for-all-users-on-a-specific-computer.md)
-##### [How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6 SP2 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-sp2-package-for-a-specific-user.md)
-##### [How to Use an App-V 4.6 SP1 Application From an App-V 5.0 Application](how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md)
+##### [How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.0 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md)
+##### [How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.0 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md)
+##### [How to Revert Extension Points from an App-V 5.0 Package to an App-V 4.6 Package For All Users on a Specific Computer](how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-all-users-on-a-specific-computer.md)
+##### [How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md)
#### [Maintaining App-V 5.0](maintaining-app-v-50.md)
##### [How to Move the App-V Server to Another Computer](how-to-move-the-app-v-server-to-another-computer.md)
#### [Administering App-V by Using PowerShell](administering-app-v-by-using-powershell.md)
diff --git a/mdop/appv-v5/about-app-v-50.md b/mdop/appv-v5/about-app-v-50.md
index fbbc14a718..a015d9082d 100644
--- a/mdop/appv-v5/about-app-v-50.md
+++ b/mdop/appv-v5/about-app-v-50.md
@@ -34,7 +34,7 @@ The following list displays what is new with App-V 5.0:
- **Connection Groups** - App-V 5.0 connection groups allow you to connect and run virtual applications interactively.
-## Differences between App-4.6 and App-V 5.0
+## Differences between App-V 4.6 and App-V 5.0
The following table displays some of the differences between App-V 4.6 and App-V 5.0:
diff --git a/mdop/appv-v5/app-v-51-supported-configurations.md b/mdop/appv-v5/app-v-51-supported-configurations.md
index 42cec8c337..e577b07048 100644
--- a/mdop/appv-v5/app-v-51-supported-configurations.md
+++ b/mdop/appv-v5/app-v-51-supported-configurations.md
@@ -449,6 +449,8 @@ The App-V client supports the following versions of System Center Configuration
The following App-V and System Center Configuration Manager version matrix shows all officially supported combinations of App-V and Configuration Manager.
+**Note:** Both App-V 4.5 and 4.6 have exited Mainstream support.
+
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy.
+
+**To manually create an EFS DRA certificate**
+1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
+
+2. Run this command:
+
+ `cipher /r:
Where `
Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location.
+
+4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic.
+
+**To verify your data recovery certificate is correctly set up on an EDP client computer**
+1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP.
+
+2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
+
+ `cipher /c
Where `
Where `
+If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1605 Tech Preview or later. Editing an EDP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between EDP policies across these versions.
## Add an EDP policy
After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy.
@@ -66,60 +52,124 @@ The **Create Configuration Item Wizard** starts.
-6. On the **Device Settings** screen, click **Enterprise Data Protection**, and then click **Next**.
+6. On the **Device Settings** screen, click **Enterprise data protection**, and then click **Next**.
-The **Configure Enterprise Data Protection settings** page appears, where you'll configure your policy for your organization.
+The **Configure enterprise data protection settings** page appears, where you'll configure your policy for your organization.
-## Choose which apps can access your enterprise data
-During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps or unprotected network locations.
+### Add app rules to your policy
+During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
-The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Classic Windows application.
+The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file.
-**Important**
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data leaks during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.
+>**Important**
+EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
+ If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
+
+2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
+
+3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
+
+ The API runs and opens a text editor with the app details.
+
+ ``` json
{
- "packageIdentityName": "Microsoft.Office.OneNote",
- "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+ "packageIdentityName": "Microsoft.Office.OneNote",
+ "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+ }
+ ```
+
+4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
If you don’t see the **Product Name** box, it could mean that your tenant is not on the latest build and that you need to wait until it's upgraded. Same applies if you see the **AppId** box. The **AppId** box has been removed in the latest build and should disappear (along with any entries) when your tenant is upgraded.
-
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
+1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
- ```
+ >**Note**
+ Your PC and phone must be on the same wireless network.
+
+2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
+
+3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
+
+4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
+
+5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
+
+6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
+
+7. Start the app for which you're looking for the publisher and product name values.
+
+8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
If you’re unsure about what to include for the publisher, you can run this PowerShell command:
@@ -172,43 +222,166 @@ Path Publisher
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
-
+#### Add an AppLocker policy file
+For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content.
-## Manage the EDP-protection level for your enterprise data
-After you've added the apps you want to protect with EDP, you'll need to apply an app management mode.
+**To create an app rule and xml file using the AppLocker tool**
+1. Open the Local Security Policy snap-in (SecPol.msc).
+
+2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
-We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
+ 
+
+3. Right-click in the right-hand pane, and then click **Create New Rule**.
+
+ The **Create Packaged app Rules** wizard appears.
+
+4. On the **Before You Begin** page, click **Next**.
+
+ 
+
+5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
+
+ 
+
+6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
+
+ 
+
+7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos.
+
+ 
+
+8. On the updated **Publisher** page, click **Create**.
+
+ 
+
+9. Review the Local Security Policy snap-in to make sure your rule is correct.
+
+ 
+
+10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
+
+ The **Export policy** box opens, letting you export and save your new policy as XML.
+
+ 
+
+11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
+
+ The policy is saved and you’ll see a message that says 1 rule was exported from the policy.
+
+ **Example XML file**
@@ -139,21 +189,21 @@ The steps to add your apps are based on the type of app it is; either a Universa
All files for the specified product, signed by the named publisher.
-
Publisher, Product Name, and File Name selected
+ Publisher, Product Name, and Binary name selected
Any version of the named file or package for the specified product, signed by the named publisher.
-
- Publisher, Product Name, File Name, and File Version, Exactly, selected
- Specified version of the named file or package for the specified product, signed by the named publisher.
-
-
Publisher, Product Name, File Name, and File Version, And above selected
+ Publisher, Product Name, Binary name, and File Version, and above, selected
Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.
-
+ Publisher, Product Name, File Name, and File Version, And below selected
+ Publisher, Product Name, Binary name, and File Version, And below selected
Specified version or older releases of the named file or package for the specified product, signed by the named publisher.
+
Publisher, Product Name, Binary name, and File Version, Exactly selected
+ Specified version of the named file or package for the specified product, signed by the named publisher.
+
+ This is the XML file that AppLocker creates for Microsoft Photos.
+
+ ```xml
+
+- Every EDP policy should include policy that defines your enterprise network locations.
+- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations.
+
+**To define where your protected apps can find and send enterprise data on you network**
+
+1. Add additional network locations your apps can access by clicking **Add**.
+
+ The **Add or edit corporate network definition** box appears.
+
+2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
+
+ 
-1. Add additional network locations your apps can access by clicking **Add**, and then choosing your location type, including:
- 
+3. Add as many locations as you need, and then click **OK**.
-2. Add as many locations as you need, and then click **OK**.
Network location type
@@ -216,65 +389,145 @@ After you've added a management level to your protected apps, you'll need to dec
Description
-
Enterprise Cloud Domain
- contoso.sharepoint.com,proxy1.contoso.com|
-
office.com|proxy2.contoso.comSpecify the cloud resources traffic to restrict to your protected apps.
+ Enterprise Cloud Resources
+ **With proxy:** contoso.sharepoint.com,proxy.contoso.com|
+
contoso.visualstudio.com,proxy.contoso.comSpecify the cloud resources to be treated as corporate and protected by EDP.
-
Enterprise Network Domain
- domain1.contoso.com,domain2.contoso.com
- Specify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the "," delimiter.
+ Enterprise Network Domain Names (Required)
+ corp.contoso.com,region.contoso.com
+ Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
-
Enterprise Proxy Server
- domain1.contoso.com:80;domain2.contoso.com:137
- Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the ";" delimiter.
+ Enterprise Proxy Servers
+ proxy.contoso.com:80;proxy2.contoso.com:137
+ Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP.
-
Enterprise Internal Proxy Server
- proxy1.contoso.com;proxy2.contoso.com
- Specify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the ";" delimiter.
+ Enterprise Internal Proxy Servers
+ contoso.internalproxy1.com;contoso.internalproxy2.com
+ Specify the proxy servers your devices will go through to reach your cloud resources.
-
Enterprise IPv4 Range
- **Starting IPv4 Address:** 3.4.0.1
-
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254Specify the addresses for a valid IPv4 value range within your intranet.
+ Enterprise IPv4 Range (Required)
+ **Starting IPv4 Address:** 3.4.0.1
+
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
+ Enterprise IPv6 Range
- **Starting IPv6 Address:** 2a01:110::
-
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffffSpecify the addresses for a valid IPv6 value range within your intranet.
- **Starting IPv6 Address:** 2a01:110::
+
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffffSpecify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
+
+
+
Neutral Resources
+ sts.contoso.com,sts.contoso2.com
+ Specify your authentication redirection endpoints for your company.
+
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy.
+
+**To manually create an EFS DRA certificate**
+1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
+2. Run this command:
+
+ `cipher /r:
Where `
Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location.
+
+4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic.
+
+**To verify your data recovery certificate is correctly set up on an EDP client computer**
+1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP.
+
+2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
+
+ `cipher /c
Where `
Where `
-
-
-4. Type the following to convert the code integrity policy to a binary format:
- ``` syntax
- ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
- ```
-Once you have completed these steps, the Device Guard policy binary file (DeviceGuardPolicy.bin) and original xml file (InitialScan.xml) will be available on your desktop.
->**Note:** We recommend that you keep a copy of InitialScan.xml to use if you need to merge this code integrity policy with another policy, or update policy rule options.
-
-## Related topics
-[Getting apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md)
-
-
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index f82c2815c0..3974a748e2 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -29,7 +29,8 @@ Credential Guard isolates secrets that previous versions of Windows stored in th
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-Credential Guard also does not allow older variants of NTLM, unconstrained Kerberos delegation, and Kerberos authentication protocols and cipher suites when using default derived credentials, including NTLMv1, MS-CHAPv2, and weaker Kerberos encryption types, such as DES.
+Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption.
+
Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
@@ -80,7 +81,7 @@ The PC must meet the following hardware and software requirements to use Credent
-
-
-
- Rule level
- Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
index 07afd4227c..024ddab8e2 100644
--- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
@@ -45,7 +45,7 @@ See the [View and organize the Windows Defender Advanced Threat Protection Alert
The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topics for more information.
## Machines at risk
-This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to its label).
+This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
@@ -54,7 +54,7 @@ Click the name of the machine to see details about that machine. See the [Invest
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) topic for more information.
## Status
-The **Status** tile informs you if the service is active and running and the specific number of machines (endpoints) reporting to Windows Defender ATP.
+The **Status** tile informs you if the service is active and running and the unique number of machines (endpoints) reporting over the past 30 days.
@@ -66,7 +66,7 @@ The **Machines reporting** tile shows a bar graph that represents the number of
## Machines with active malware detections
The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender.
-Active malware is defined as threats that are actively executing at the time of detection.
+Active malware is defined as threats that were actively executing at the time of detection.
Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days.
diff --git a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
new file mode 100644
index 0000000000..a20497761c
--- /dev/null
+++ b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
@@ -0,0 +1,327 @@
+---
+title: Deploy catalog files to support code integrity policies (Windows 10)
+description: This article describes how to deploy catalog files to support code integrity policies, one of the main features that are part of Device Guard in Windows 10.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+author: brianlic-msft
+---
+
+# Deploy catalog files to support code integrity policies
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Catalog files can be important in your deployment of code integrity polices if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create code integrity policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.
+
+For more description of catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files) in "Requirements and deployment planning guidelines for Device Guard."
+
+## Create catalog files
+
+The creation of a catalog file is a necessary step for adding an unsigned application to a code integrity policy.
+
+To create a catalog file, you use a tool called **Package Inspector**. You must also have a code integrity policy deployed in audit mode on the computer on which you run Package Inspector, because Package Inspector does not always detect installation files that have been removed from the computer during the installation process.
+
+> **Note** When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, *\*-Contoso.cat* is used as the example naming convention. For more information about why this practice is helpful to inventory or detect catalog files, see [Inventory catalog files with System Center Configuration Manager](#inventory-catalog-files-with-system-center-configuration-manager), later in this topic.
+
+1. Be sure that a code integrity policy is currently deployed in audit mode on the computer on which you will run Package Inspector.
+
+ Package Inspector does not always detect installation files that have been removed from the computer during the installation process. To ensure that these binaries are also trusted, deploy a code integrity policy in audit mode. You can use the code integrity policy that you created and audited in [Create a code integrity policy from a golden computer](deploy-code-integrity-policies-steps.md#create-a-code-integrity-policy-from-a-golden-computer) and [Audit code integrity policies](deploy-code-integrity-policies-steps.md#audit-code-integrity-policies).
+
+ > **Note** This process should **not** be performed on a system with an enforced Device Guard policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application.
+
+2. Start Package Inspector, and then start scanning a local drive, for example, drive C:
+
+ ` PackageInspector.exe Start C:`
+
+ > **Note** Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer.
+
+3. Copy the installation media to the local drive (typically drive C).
+
+ By copying the installation media to the local drive, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future code integrity policy may trust the application to run but not to be installed.
+
+4. Install the application. Install it to the same drive that the application installer is located on (the drive you are scanning). Also, while Package Inspector is running, do not run any installations or updates that you don't want to capture in the catalog.
+
+ > **Important** Every binary that is run while Package Inspector is running will be captured in the catalog. Ensure that only trusted applications are run during this time.
+
+5. Start the application.
+
+6. Ensure that product updates are installed, and downloadable content associated with the application is downloaded.
+
+7. Close and reopen the application.
+
+ This step is necessary to ensure that the scan has captured all binaries.
+
+8. As appropriate, with Package Inspector still running, repeat the process for another application that you want in the catalog. Copy the installation media to the local drive, install the application, ensure it is updated, and then close and reopen the application.
+
+9. When you have confirmed that the previous steps are complete, use the following commands to generate the catalog and definition files on your computer's desktop. The filenames used in these example commands are **LOBApp-Contoso.cat** (catalog file) and **LOBApp.cdf** (definition file)—substitute different filenames as appropriate.
+
+ For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:.
+
+ ` $ExamplePath=$env:userprofile+"\Desktop"`
+
+ ` $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
+
+ ` $CatDefName=$ExamplePath+"\LOBApp.cdf"`
+
+ ` PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
+
+> **Note** Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values.
+
+When finished, the files will be saved to your desktop. You can double-click the \*.cat file to see its contents, and you can view the \*.cdf file with a text editor.
+
+To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be added to the code integrity policy, and the catalog file can be distributed to the individual client computers.
+
+For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtool.exe).
+
+For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](deploy-code-integrity-policies-steps.md#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
+
+## Catalog signing with SignTool.exe
+
+In this section, you sign a catalog file you generated by using PackageInspector.exe, as described in the previous section, [Create catalog files](#create-catalog-files). In this example, you need the following:
+
+- SignTool.exe, found in the Windows software development kit (SDK—Windows 7 or later)
+
+- The catalog file that you generated in the [Create catalog files](#create-catalog-files) section, or another catalog file that you have created
+
+- An internal certification authority (CA) code signing certificate or purchased code signing certificate
+
+If you do not have a code signing certificate, see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) for a walkthrough of how to create one. That topic uses an example certificate name of **ContosoDGSigningCert**, and the procedure that follows uses that example certificate name to sign the catalog file that you created in [Create catalog files](#create-catalog-files), earlier in this topic. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate.
+
+To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session.
+
+1. Initialize the variables that will be used:
+
+ ` $ExamplePath=$env:userprofile+"\Desktop"`
+
+ ` $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
+
+ > **Note** This example specifies the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, update the *$ExamplePath* and *$CatFileName* variables with the correct information.
+
+2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. This example uses the certificate name from [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+
+3. Sign the catalog file with Signtool.exe:
+
+ `
OS version
Required TPM
@@ -94,7 +95,7 @@ The PC must meet the following hardware and software requirements to use Credent
**Set-RuleOption -FilePath $InitialCIPolicy -Option 0**
+
+ > - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.”
+
+ > - To specify that the code integrity policy scan only a specific drive, include the *–ScanPath* parameter followed by a path. Without this parameter, the entire system is scanned.
+
+ > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
+
+3. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the code integrity policy to a binary format:
+
+ ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
+
+After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security.
+
+> **Note** We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies).
+
+We recommend that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the next section, [Audit code integrity policies](#audit-code-integrity-policies).
+
+## Audit code integrity policies
+
+When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies.
+
+> **Note** Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
+
+**To audit a code integrity policy with local policy:**
+
+1. Find a *.bin policy file that you have created, for example, the DeviceGuardPolicy.bin file that resulted from the steps in the earlier section, [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Copy the file to C:\\Windows\\System32\\CodeIntegrity.
+
+2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**.
+
+ > **Notes**
+
+ > - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a code integrity policy that allows viruses or malware to run.
+
+ > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor.
+
+3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1.
+
+ > **Notes**
+
+ > - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access.
+
+ > - Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers.
+
+ > - You might have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped onto the computers running Windows 10. We recommend that you make your code integrity policy names friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository.
+
+ 
+
+ Figure 1. Deploy your code integrity policy
+
+4. Restart the reference system for the code integrity policy to take effect.
+
+5. Use the system as you normally would, and monitor code integrity events in the event log. While in audit mode, any exception to the deployed code integrity policy will be logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log, as shown in Figure 2.
+
+ 
+
+ Figure 2. Exceptions to the deployed code integrity policy
+
+ You will be reviewing the exceptions that appear in the event log, and making a list of any applications that should be allowed to run in your environment.
+
+6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your code integrity policy, this is a good time to create it. For information, see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md).
+
+Now that you have a code integrity policy deployed in audit mode, you can capture any audit information that appears in the event log. This is described in the next section.
+
+## Create a code integrity policy that captures audit information from the event log
+
+Use the following procedure after you have been running a computer with a code integrity policy in audit mode for a period of time. When you are ready to capture the needed policy information from the event log (so that you can later merge that information into the original code integrity policy), complete the following steps.
+
+
+
+1. Review the audit information in the event log. From the code integrity policy exceptions that you see, make a list of any applications that should be allowed to run in your environment, and decide on the file rule level that should be used to trust these applications.
+
+ Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of them. For information about file rule levels, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in "Deploy code integrity policies: policy rules and file rules."
+
+ Your event log might also contain exceptions for applications that you eventually want your code integrity policy to block. If these appear, make a list of these also, for a later step in this procedure.
+
+2. In an elevated Windows PowerShell session, initialize the variables that will be used. The example filename shown here is **DeviceGuardAuditPolicy.xml**:
+
+ ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
+
+ ` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
+
+3. Use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to generate a new code integrity policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
+
+ ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt`
+
+ > **Note** When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
+
+4. Find and review the Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following:
+
+ - Any applications that were caught as exceptions, but should be allowed to run in your environment. These are applications that should be in the .xml file. Leave these as-is in the file.
+
+ - Any applications that actually should not be allowed to run in your environment. Edit these out of the .xml file. If they remain in the .xml file, and the information in the file is merged into your existing code integrity policy, the policy will treat the applications as trusted, and allow them to run.
+
+You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the next section, [Merge code integrity policies](#merge-code-integrity-policies).
+
+> **Note** You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
+
+## Merge code integrity policies
+
+When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy.
+
+> **Note** The following example uses the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine.
+
+To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session:
+
+1. Initialize the variables that will be used:
+
+ ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
+
+ ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
+
+ ` $AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
+
+ ` $MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"`
+
+ ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
+
+ > **Note** The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly.
+
+2. Use [Merge-CIPolicy](https://technet.microsoft.com/library/mt634485.aspx) to merge two policies and create a new code integrity policy:
+
+ ` Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy`
+
+3. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the merged code integrity policy to binary format:
+
+ ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin `
+
+Now that you have created a new code integrity policy (for example, called **NewDeviceGuardPolicy.bin**), you can deploy the policy to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see the [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy) section.
+
+## Enforce code integrity policies
+
+Every code integrity policy is created with audit mode enabled. After you have successfully deployed and tested a code integrity policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session:
+
+> **Note** Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic.
+
+1. Initialize the variables that will be used:
+
+ ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
+
+ ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" `
+
+ ` $EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"`
+
+ ` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
+
+ > **Note** The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
+
+2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the code integrity policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options.
+
+ To ensure that these options are enabled in a policy, use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) as shown in the following commands. You can run these commands even if you're not sure whether options 9 and 10 are already enabled—if so, the commands have no effect.
+
+ ` Set-RuleOption -FilePath $InitialCIPolicy -Option 9`
+
+ ` Set-RuleOption -FilePath $InitialCIPolicy -Option 10`
+
+3. Copy the initial file to maintain an original copy:
+
+ ` copy $InitialCIPolicy $EnforcedCIPolicy`
+
+4. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to delete the audit mode rule option:
+
+ ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
+
+ > **Note** To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy.
+
+5. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the new code integrity policy to binary format:
+
+ ` ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin`
+
+Now that this policy is in enforced mode, you can deploy it to your test computers. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy). You can also use other client management software to deploy and manage the policy.
+
+## Signing code integrity policies with SignTool.exe
+
+Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. Before you sign and deploy a signed code integrity policy, we recommend that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section.
+
+Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) to create one with your on-premises CA.
+
+Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath
+
+
+Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 11.
+
+
+
+Figure 11. Device Guard properties in the System Summary
+
+## Related topics
+
+- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+
+- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md
index 6ac463047e..5e60c5e980 100644
--- a/windows/keep-secure/device-guard-certification-and-compliance.md
+++ b/windows/keep-secure/device-guard-certification-and-compliance.md
@@ -1,107 +1,4 @@
---
title: Device Guard certification and compliance (Windows 10)
-description: Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications.
-ms.assetid: 94167ECA-AB08-431D-95E5-7A363F42C7E3
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: brianlic-msft
+redirect_url: device-guard-deployment-guide.md
---
-# Device Guard certification and compliance
-**Applies to**
-- Windows 10
-
-Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when.
-Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
-For details on how to implement Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
-## Why use Device Guard
-With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. Device Guard on Windows 10 changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise.
-Device Guard also helps protect against [zero day attacks](http://go.microsoft.com/fwlink/p/?linkid=534209) and works to combat the challenges of [polymorphic viruses](http://go.microsoft.com/fwlink/p/?LinkId=534210).
-
-### Advantages to using Device Guard
-
-You can take advantage of the benefits of Device Guard, based on what you turn on and use:
-- Helps provide strong malware protection with enterprise manageability
-- Helps provide the most advanced malware protection ever offered on the Windows platform
-- Offers improved tamper resistance
-
-## How Device Guard works
-
-Device Guard restricts the Windows 10 operating system to only running code that’s signed by trusted signers, as defined by your Code Integrity policy through specific hardware and security configurations, including:
-- User Mode Code Integrity (UMCI)
-- New kernel code integrity rules (including the new Windows Hardware Quality Labs (WHQL) signing constraints)
-- Secure Boot with database (db/dbx) restrictions
-- Virtualization-based security to help protect system memory and kernel mode apps and drivers from possible tampering.
-- Optional: Trusted Platform Module (TPM) 1.2 or 2.0
-Device Guard works with your image-building process, so you can turn the virtualization-based security feature on for capable devices, configure your Code Integrity policy, and set any other operating system settings you require for Windows 10. After that, Device Guard works to help protect your devices:
-1. Your device starts up using Universal Extensible Firmware Interface (UEFI) Secure Boot, so that boot kits can’t run and so that Windows 10 starts before anything else.
-2. After securely starting up the Windows boot components, Windows 10 can start the Hyper-V virtualization-based security services, including Kernel Mode Code Integrity. These services help protect the system core (kernel), privileged drivers, and system defenses, like anti-malware solutions, by preventing malware from running early in the boot process, or in kernel after startup.
-3. Device Guard uses UMCI to make sure that anything that runs in User mode, such as a service, a Universal Windows Platform (UWP) app, or a Classic Windows application is trusted, allowing only trusted binaries to run.
-4. At the same time that Windows 10 starts up, so too does the trusted platform module (TPM). TPM provides an isolated hardware component that helps protect sensitive information, such as user credentials and certificates.
-## Required hardware and software
-The following table shows the hardware and software you need to install and configure to implement Device Guard.
-
+
+
+
+Properties
+Description
+Valid values
+
+
+AvailableSecurityProperties
+This field helps to enumerate and report state on the relevant security properties for Device Guard.
+
+
+
+InstanceIdentifier
+A string that is unique to a particular device.
+Determined by WMI.
+
+
+RequiredSecurityProperties
+This field describes the required security properties to enable virtualization-based security.
+
+
+
+SecurityServicesConfigured
+This field indicates whether the Credential Guard or HVCI service has been configured.
+
+
+
+SecurityServicesRunning
+This field indicates whether the Credential Guard or HVCI service is running.
+
+
+
+Version
+This field lists the version of this WMI class.
+The only valid value now is 1.0.
+
+
+VirtualizationBasedSecurityStatus
+This field indicates whether VBS is enabled and running.
+
+
+
+
+PSComputerName
+This field lists the computer name.
+All valid values for computer name.
+
-
-
-## Related topics
-[Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md)
-[Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md)
-
-
diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md
index f98d7216ea..e82f511105 100644
--- a/windows/keep-secure/device-guard-deployment-guide.md
+++ b/windows/keep-secure/device-guard-deployment-guide.md
@@ -5,1162 +5,49 @@ ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
-ms.pagetype: security, devices
-author: challum
+author: brianlic-msft
---
# Device Guard deployment guide
**Applies to**
-- Windows 10
+- Windows 10
+- Windows Server 2016
-Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. Windows 10 employs Device Guard as well as code integrity and advanced hardware features such as CPU virtualization extensions, Trusted Platform Module, and second-level address translation to offer comprehensive modern security to its users. This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them.
+Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Device Guard can use the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
-## Introduction to Device Guard
+This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them. It includes:
-Today’s security threat landscape is more aggressive than ever before. Modern malicious attacks are focused on revenue generation, intellectual property theft, and targeted system degradation, which results in financial loss. Many of these modern attackers are sponsored by nation states with unknown motives and large cyber terrorism budgets. These threats can enter a company through something as simple as an email message and can permanently damage its reputation for securing its software assets, as well as having significant financial impact. Windows 10 introduces several new security features that help mitigate a large percentage of today’s known threats.
+- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
-It is estimated that more than 300,000 new malware variants are discovered daily. Unfortunately, companies currently use an ancient method to discover this infectious software and prevent its use. In fact, current PCs trust everything that runs until malware signatures determine whether a threat exists; then, the antimalware software attempts to clean the PC, often after the malicious software’s effect has already been noticed. This signature-based system focuses on reacting to an infection and ensuring that the particular infection does not happen again. In this model, the system that drives malware detection relies on the discovery of malicious software; only then can a signature be provided to the client to remediate it, which implies that a computer must be infected first. The time between the detection of the malware and a client being issued a signature could mean the difference between losing data and staying safe.
+- [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md)
-In addition to antimalware solutions, there are some “whitelisting” technologies available, including AppLocker. These technologies perform single instance, or blanket-allow or blanket-deny rules for running applications. Although this is more preventative than signature-based detection, it requires significant ongoing maintenance. In Windows 10, these applications are most effective when they are deployed alongside Microsoft Device Guard.
+- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
-Device Guard breaks the current model of detection first-block later, and allows only trusted applications to run, period. This methodology is consistent with the successful prevention strategy for mobile phone security. With Device Guard, Microsoft has changed how the Windows operating system handles untrusted applications, which makes its defenses difficult for malware to penetrate. This new prevention versus detection model provides Windows clients with the necessary security for modern threats and, when implemented, makes most of today’s threats completely obsolete from day one.
+- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
-Device Guard's features revolutionize the Windows operating system’s security by taking advantage of new virtualization-based security (VBS) options and the trust-nothing mobile device operating system model, which makes its defenses much more difficult for malware to penetrate. By using configurable code integrity policies, organizations are able to choose exactly which applications are allowed to run in their environment. Configurable code integrity is not limited to Windows Store applications and can be used with existing unsigned or signed Win32 applications, without the requirement that the application be repackaged. In addition, configurable code integrity can be deployed as an individual feature if organizations don’t possess the required hardware for Device Guard. Along with code integrity, Windows 10 leverages advanced hardware features such as CPU virtualization extensions, input/output memory management units (IOMMUs), Trusted Platform Module (TPM), and second-level address translation (SLAT) to offer comprehensive modern security to its users. Device Guard deployed with configurable code integrity and Credential Guard will be among the most impactful client-side security deployments an organization can implement today. In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as Credential Guard and AppLocker.
+ - [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
-## Device Guard overview
-Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features revolutionize the Windows operating system’s security by taking advantage of new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called *configurable code integrity*, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines—exactly what has made mobile phone security so successful. In addition, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing provides organizations with a way to trust individual third-party applications. Device Guard—with configurable code integrity, Credential Guard, and AppLocker—is the most complete security defense that any Microsoft product has ever been able to offer a Windows client.
+ - [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
-Advanced hardware features such as CPU virtualization extensions, IOMMUs, and SLAT, drive these new client security offerings. By integrating these hardware features further into the core operating system, Windows 10 leverages them in new ways. For example, the same type 1 hypervisor technology that is used to run virtual machines in Microsoft Hyper-V is used to isolate core Windows services into a virtualization-based, protected container. This is just one example of how Windows 10 integrates advanced hardware features deeper into the operating system to offer comprehensive modern security to its users. These hardware features are now available in consumer and enterprise PC markets and are discussed in detail in the [Hardware considerations](#hardware-considerations) section.
+ - [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
-Along with these new features, some components of Device Guard are existing tools or technologies that have been included in this strategic security offering to provide customers with the most secure Windows operating system possible. Device Guard is intended as a set of client security features to be used in conjunction with the other threat-resistance features available in the Windows operating system, some of which are mentioned in this guide. In addition to an overview of each feature, this guide walks you through the configuration and deployment of them.
+ - [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md)
-**Configurable code integrity**
-
-The Windows operating system consists of two operating modes: user mode and kernel mode. The base of the operating system runs within the kernel mode, which is where the Windows operating system directly interfaces with hardware resources. User mode is primarily responsible for running applications and brokering information to and from the kernel mode for hardware resource requests. For example, when an application that is running in user mode needs additional memory, the user mode process must request the resources from kernel mode, not directly from RAM.
-
-Code integrity is the component of the Windows operating system that verifies that the code Windows is running is trusted and safe. Like the operating system, Windows code integrity also contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been used in recent versions of the Windows operating system to protect the kernel mode from running unsigned drivers. Although effective, drivers are not the only route that malware can take to penetrate the kernel mode space of the operating system. In Windows 10, however, Microsoft has raised the standard for kernel mode code out of the box as well as provided enterprises with a way to set their own UMCI and KMCI standards. Beginning with the Code Integrity service itself and continuing through the policies a Windows client uses to verify that an application should be allowed to run, Microsoft has made Windows 10 more secure than any previous Windows release. Historically, UMCI has been available only in Windows RT and on Windows Phone devices, which has made it difficult for these devices to be infected with viruses and malware. In Windows 10, these same successful UMCI standards are available.
-
-Historically, most malware has been unsigned. By simply deploying code integrity policies, organizations will immediately protect themselves against unsigned malware, which is estimated to be responsible for more than 95 percent of current attacks. By using code integrity policies, an enterprise can select exactly which binaries are allowed to run in both user mode and kernel mode, from the signer to the hash level. When completely enforced, it makes user mode in Windows function like a mobile phone, by allowing only specific applications or specific signatures to be trusted and run. This feature alone fundamentally changes the security in an enterprise. This additional security is not limited to Windows apps and does not require that an application be rewritten to be compatible with your existing, unsigned applications. You can implement configurable code integrity without enabling Device Guard, but it is intended to run in conjunction with Device Guard when supported hardware is available. For more information about how to configure, deploy, and manage code integrity policies, see the [Code integrity policies](#code-integrity-policies) section.
-
-**Hardware security features and virtualization-based security**
-
-The Device Guard core functionality and protection start at the hardware level. Devices that have processors equipped with SLAT technologies and virtualization extensions, such as Intel Virtualization Technology (VT-x) and AMD-V, will be able to take advantage of virtualization-based security (VBS) features that enhance Windows security. Device Guard leverages VBS to isolate core Windows services that are critical to the security and integrity of the operating system. This isolation removes the vulnerability of these services from both the user and kernel modes and acts as an impenetrable barrier for most malware used today. One of these isolated services, called the Windows Code Integrity service, drives the Device Guard kernel mode configurable code integrity feature. This prevents code that has penetrated the kernel mode operations from compromising the code integrity service.
-Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the virtualization container that hosts the Windows security services, such as code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#device-guard-with-credential-guard) section. For information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-credential-guard) section.
-
-**Device Guard with AppLocker**
-
-Although AppLocker is not considered a new Device Guard feature, it complements Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
-
->**Note:** One example in which Device Guard functionality needs AppLocker supplementation is when your organization would like to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule.
-AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, Microsoft recommends that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
-
-**Device Guard with Credential Guard**
-
-Although Credential Guard is not a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against credential theft. Similar to virtualization-based protection of kernel mode code integrity, Credential Guard leverages hypervisor technology to protect domain credentials. This mitigation is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. For information about how to deploy Credential Guard to your Windows 10 Enterprise clients, see the [Enable Credential Guard](#enable-cg) section. In addition to the client-side enablement of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future.
-
-**Unified manageability**
-
-You can easily manage Device Guard features by using the familiar enterprise and client-management tools that IT pros use every day. Use the following management tools to enable and manage Device Guard:
-
-- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simple to implement Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. For more information about catalog files, see the [Catalog files](#catalog-files) section.
-- **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features, as well as provide version control. For more information about how to deploy catalog files by using System Center Configuration Manager, see the [Deploy catalog files with System Center Configuration Manager](#deploy-cat-sccm) section.
-- **Microsoft Intune**. In a future release of Microsoft Intune, organizations will be able to leverage Intune for deployment and management of code integrity policies and catalog files.
-- **Windows PowerShell**. Windows PowerShell is primarily used to create and service code integrity policies. These policies represent the most powerful component of Device Guard. For a step-by-step walkthrough of how to create, audit, service, enforce, and deploy code integrity policies, see the [Code integrity policies](#code-integrity-policies) section.
-
-These options provide the same experience you are used to in order to manage your existing enterprise management solutions. For more information about how to manage and deploy Device Guard hardware and code integrity features in your organization, see the [Device Guard deployment](#dg-deployment) section.
-
-## Plan for Device Guard
-
-In this section, you will learn about the following topics:
-
-- [Approach enterprise code integrity deployment](#approach-enterprise-code-integrity-deployment). Device Guard deployment in your organization requires a planned approach. In this section, you get high-level recommendations for how to approach enterprise code integrity deployment in your organization.
-- [Device Guard deployment scenarios](#device-guard-deployment-scenarios). When you plan for Device Guard deployment, Microsoft recommends that you categorize each device in your organization into a deployment scenario. These scenarios will provide a roadmap for your Device Guard deployment.
-- [Code signing adoption](#code-signing-adoption). Code signing is important to the security that Device Guard provides. This section outlines the options for code signing and the benefits and disadvantages of each method.
-- [Hardware considerations](#hardware-considerations). Several Device Guard features require advanced hardware. This section outlines the requirements for each of those features and what to look for during your next hardware refresh.
-
-## Approach enterprise code integrity deployment
-
-Enterprises that want to consider Device Guard should not expect deployment to their entire organization overnight. Device Guard implementation requires that you plan for both end-user and IT pro impact. In addition, the deployment of Device Guard features to your enterprise requires a planned, phased approach to ensure that end-user systems are fully capable and ready to enforce these new security restrictions. Perform the following high-level tasks to approach the deployment of Device Guard to your enterprise:
-
-1. **Group devices into similar functions**. Categorize machines into the groups described in the [Device Guard deployment scenarios](#device-guard-deployment-scenarios) section. This begins the roadmap for your Device Guard deployment and provides groups of easier and more difficult implementations. From there, assess the quantity of necessary Device Guard policies. The easiest solution is to lock down your entire enterprise, but it might not fit your individual departments’ needs.
-
- To discover an appropriate number of policies for your organization, try to separate the defined groups into departments or roles. Then ask some questions: What software does each department or role need to do their job? Should they be able to install and run other departments’ software? Do we need to create a base code integrity policy that aligns with our application catalog? Should users be able to install any application or only choose from an “allowed” list? Do we allow users to use their own peripheral devices? These questions will help you discover the number of necessary policies for your organization. Finally, try to focus on which people or departments would require an additional level of privileges. For example, should department x be able to install and run application xyz, even though no other department does? If the answer is yes and justifiable, you will need a secondary code integrity policy for that group. If not, you will likely be able to merge several policies to simplify management. For more information about configurable code integrity policies, see the [Code integrity policies](#code-integrity-policies) section.
-
-2. **Create code integrity policies from “golden” PCs**. After you create the groups of devices, you can create code integrity policies to align with those groups, similar to the way you would manage corporate images. When you have separated these groups and set up golden PCs that mimic the software and hardware those individual groups require, create code integrity policies from each of them. After you create these, you can merge these code integrity policies to create a master policy, or you can manage and deploy them individually. For step-by-step instructions about how to create code integrity policies, see the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) section.
-
-3. **Audit and merge code integrity policies**. Microsoft recommends that you test code integrity policies in audit mode before you enforce them. Audit mode allows administrators to run the code integrity policy on a system but not actually block anything. Rather than not allowing applications to run, events are logged with each exception to the policy. This way, you can easily highlight any issues that were not discovered during the initial scan. You can create additional code integrity policies by using the audit events and merge them into the existing policy. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section.
-
-4. **Assess LOB applications that are currently unsigned, and create a catalog file for them**. Catalog files allow organizations to sign applications that do not currently possess digitally signed binaries or applications that a customer would want to add a secondary signature to. These applications can be in-house applications or from third parties, and the process does not require any repackaging of the application. When you create code integrity policies at a rule level above hash values, you will not discover unsigned applications. To include these applications in your code integrity policies, simply create, sign, and deploy a catalog file. For information about catalog files, see the [Catalog files](#catalog-files) section.
-
-5. **Enable desired hardware security features**. Each type of device found in the [Device Guard deployment scenarios](#device-guard-deployment-scenarios) section takes advantage of different software and hardware integrity configurations. You should assess hardware-based security features separately from code integrity policies because they provide complementary functionality. For information about how to configure Device Guard hardware-based security features, see the [Configure hardware-based security features](#configure-hardware-based-security-features) section.
-
-6. **Deploy code integrity policies and catalog files**. After you have created and signed the necessary catalog files and created and audited code integrity policies, you are ready to deploy them in phases. Microsoft strongly recommends that you deploy these components to a test group of users, even after your IT organization has tested and vetted them. This provides a final quality control validation before you deploy the catalog files and policies more broadly. For information about how to deploy catalog files with Group Policy, see the [Deploy catalog files with Group Policy](#deploy-catalog-files-with-group-policy) section. For additional information about how to deploy code integrity policies, see the [Deploy code integrity policies with Group Policy](#deploy-code-integrity-policies-with-group-policy) section.
-
-## Device Guard deployment scenarios
-
-To help simplify the deployment of Device Guard to your organization, Microsoft recommends that you group devices into the deployment scenarios described in this section. Device Guard is not a feature that organizations will just simply “turn on”; rather, it typically requires a phased implementation approach. To see where these scenarios fit into an overall Device Guard deployment approach, see the [Approach to enterprise code integrity deployment](#approach-to-enterprise-code-integrity-deployment) section.
-
-**Fixed-workload devices**
-
-The lists of approved applications on fixed-workload devices rarely change as they perform the same tasks day after day. Examples of such devices include kiosks, point-of-sale systems, and call center PCs. These devices could easily employ the full capabilities of Device Guard and would require little management or policy modification. Device Guard implementation to these devices is painless and requires little ongoing administration. With Device Guard fully implemented, users are able to run only those applications that the IT department installs, manages, and trusts.
-Device Guard components that are applicable to fixed-workload devices include:
-
-- KMCI VBS protection
-- Enforced UMCI policy
-
-**Fully managed devices**
-
-Fully managed devices are those for which the IT department restricts the software that is installed and run on them, but allows users to request installation of additional software or provides a list of approved software in an application catalog. Examples of such devices include locked-down, company-owned desktops and laptops. With these devices, establish an initial baseline code integrity policy and enforce the code integrity policy. The IT department manages the policies and updates the devices when new applications are approved or are provided in the System Center Configuration Manager catalog.
-Device Guard components that are applicable to fully managed devices include:
-
-- KMCI VBS protection
-- Enforced UMCI policy
-
-In this scenario, an application list is provided and trusted, and the trust policy is constantly re-evaluated when a user requests a new application. When an application is trusted across all of these devices, new user requests for that application do not require a policy update (alignment with application catalog). In addition, you can couple this with an onboarding process for new applications that you should add to the central application catalog. Initial implementation of Device Guard to fully managed devices is simple but does require more administrative overhead to manage trusted signatures of newly requested and approved applications.
-
-**Lightly managed devices**
-
-Lightly managed devices are company-owned machines over which users have full control, which includes what is installed on them. These devices run the organization’s antivirus solution and client management tools but are not restricted by software request or compliance policies.
-
-Device Guard components that are applicable to lightly managed devices include:
-
-- KMCI VBS protection
-- UMCI policy in Audit mode
-
-**Bring Your Own Device**
-
-Device Guard is not a good way to manage devices in a Bring Your Own Device (BYOD) model. When employees are allowed to bring their own devices, the management of user-mode applications on them can make it difficult for users to use their own devices when they are not at work. In addition, Device Guard functionality is difficult to maintain from an administrative perspective. For devices in this group, explore alternate hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune.
-
-## Code signing adoption
-
-Code signing is crucial to the successful implementation of configurable code integrity policies. These policies can trust the signing certificates from both independent software vendors and customers. In Windows 10, all Windows Store applications are signed. Also, you can easily trust any other signed application by adding the signing certificate to the code integrity policy.
-For unsigned applications, customers have multiple options for signing them so that code integrity policies can trust them. The first option is traditional embedded code signing. Organizations that have in-house development teams can incorporate binary code signing into their application development process, and then simply add the signing certificate to their code integrity policies. The second option for signing unsigned applications is to use catalog files. In Windows 10, customers have the ability to create catalog files as they monitor the installation and initial run of an application. For more information about signing existing unsigned LOB applications or third-party applications, see the [Existing line-of-business applications](#existing-line-of-business-applications) section.
-
-### Existing line-of-business applications
-
-Until now, existing LOB applications were difficult to trust if they were signed by a source other than the Windows Store or not signed at all. With Windows 10, signing your existing LOB and third-party unsigned applications is simplified. This new signing method does not require that applications be repackaged in any way. With catalog files, administrators can sign these unsigned applications simply by monitoring for an installation and initial startup. By using this monitoring information, an administrator can generate a catalog file. Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated every time an application is updated and therefore require an updated catalog file. For simplified administration, consider incorporating embedded code signing into your application development process. For more information about how to generate catalog files, see the [Catalog files](#catalog-files) section.
-
->**Note:** Catalog files are lists of individual binaries’ hash values. If the scanned application is updated, you will need to create a new catalog file. That said, binary signing is still highly recommended for any future applications so that no catalog files are needed.
-
-When you create a catalog file, you must sign it by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. When signed, code integrity policies can trust the signer or signing certificate of those files. For information about catalog file signing, see the [Catalog files](#catalog-files) section.
-
-**Application development**
-
-Although in-house applications can be signed after packaging by using catalog files, Microsoft strongly recommends that embedded code signing be incorporated into your application development process. When signing applications, simply add the code signing certificate used to sign your applications to your code integrity policy. This ensures that your code integrity policy will trust any future application that is signed with that certificate. Embedding code signing into any in-house application development process is beneficial to your IT organization as you implement code integrity policies.
-
-## Hardware considerations
-
-Careful consideration about which hardware vendor and specific models to purchase during your next hardware refresh is vitally important to the success of your organization’s Device Guard implementation efforts. In alignment with your current hardware life cycle, consider the process that is discussed in the [Approach enterprise code integrity deployment](#approach-enterprise-code-integrity-deployment) section when you determine the appropriate order of hardware replacement in your organization. Device Guard should be deployed in phases; therefore, you have time to methodically plan for its implementation.
-
-Different hardware features are required to implement the various features of Device Guard. There will likely be some individual features that you will be able to enable with your current hardware and some that you will not. However, for organizations that want to implement Device Guard in its entirety, several advanced hardware features will be required. For additional details about the hardware features that are required for Device Guard components, see the following table.
-
-
-
-
-
-Requirement
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Device Guard deployment
-
-In this section, you learn about the following topics:
-
-- [Configure hardware-based security features](#configure-hardware-based-security-features). This section explains how to enable the hardware-based security features in Device Guard. Also, you verify that the features are enabled by using both Windows Management Infrastructure (WMI) and Msinfo32.exe.
-- [Catalog files](#catalog-files). In this section, you create, sign, and deploy catalog files. You deploy the catalog files by using both Group Policy and System Center Configuration Manager. Also, you use System Center Configuration Manager to inventory the deployed catalog files for reporting purposes.
-- [Code integrity policies](#code-integrity-policies). This section provides information on how to create, audit, service, merge, deploy, and remove signed and unsigned configurable code integrity policies.
-
-## Configure hardware-based security features
-
-Hardware-based security features make up a large part of Device Guard security offerings. VBS reinforces the most important feature of Device Guard: configurable code integrity. There are three steps to configure hardware-based security features in Device Guard:
-
-1. **Verify that hardware requirements are met and enabled**. Verify that your client machines possess the necessary hardware to run these features. A list of hardware requirements for the hardware-based security features is available in the [Hardware considerations](#hardware-considerations) section.
-2. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. For details on which Windows features are needed, see the [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security) section.
-3. **Enable desired features**. When the necessary hardware and Windows features have been enabled, you are ready to enable the desired hardware-based security features. For UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable-unified-extensible-interface-secure-boot) section. For information about how to enable VBS protection of the KMCI service, see the [Enable virtualization-based protection of kernel mode code integrity](#enable-virtualbased) section. Finally, for information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-credential-guard) section.
-
-### Windows feature requirements for virtualization-based security
-
-In addition to the hardware requirements found in the [Hardware considerations](#hardware-considerations) section, you must enable certain operating system features before you can enable VBS: Microsoft Hyper-V and isolated user mode (shown in Figure 1).
-
->**Note:** You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, refer to the [Credential Guard documentation](http://go.microsoft.com/fwlink/p/?LinkId=624529).
-
-
-
-Figure 1. Enable operating system features for VBS
-
-After you enable these features, you can configure any hardware-based security features you want. For information about how to enable virtualization-based protection of kernel-mode code integrity, see the [Enable virtualization-based protection of kernel-mode code integrity](#enable-virtualization-based-protection-of-kernel-mode-code-integrity) section. For information about how to enable UEFI Secure Boot, see the [Enable UEFI Secure Boot](#enable-unified-extensible-interface-secure-boot) section. Finally, for additional information about how to enable Credential Guard, see the [Enable Credential Guard](#enable-credential-guard) section.
-
-### Enable Unified Extensible Firmware Interface Secure Boot
-
-Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in the [Hardware considerations](#hardware-considerations) section. There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10:
-
->**Note:** There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include DMA protection (IOMMU) technologies. Without the presence of IOMMUs and with DMA protection disabled, customers will lose protection from driver-based attacks.
-
-1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
-2. Set the **EnableVirtualizationBasedSecurity DWORD** value to **1**.
-3. Set the **RequirePlatformSecurityFeatures DWORD** value as appropriate:
-
- - Set this value to **1** to enable the **Secure Boot** option.
- - Set this value to **2** to enable the **Secure Boot with DMA Protection** option.
-
-4. Restart the client machine.
-
-Unfortunately, it would be time consuming to perform these steps manually on every protected machine in your enterprise. Group Policy offers a much simpler way to deploy UEFI Secure Boot to your organization. This example creates a test organizational unit (OU) called *DG Enabled PCs*. If you prefer to link the policy to an existing OU, and then scope the GPO by using appropriately named computer security groups, you can certainly do so.
-
->**Note:** Microsoft recommends that you test-enable this feature on a group of test machines before you deploy it to machines that are currently deployed to users.
-
-**Use Group Policy to deploy Secure Boot**
-
-
-
-1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.
-
- 
-
- Figure 2. Create a new OU-linked GPO
-
-2. Name the new GPO **Contoso Secure Boot GPO Test**. This example uses *Contoso Secure Boot GPO Test* as the name of the GPO. You can choose any name for this example. Ideally, the name would align with your existing GPO naming convention.
-
-3. To open the Group Policy Management Editor, right-click the new GPO, and then click **Edit**.
-
-4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Then, right-click **Turn On Virtualization Based Security**, and then click **Edit**.
-
- 
-
- Figure 3. Enable VBS
-
-5. Select the **Enabled** option, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list.
-
- 
-
- Figure 4. Enable Secure Boot
-
- >**Note:** Device Guard Secure Boot is maximized when combined with DMA protection. If your hardware contains the IOMMUs required for DMA protection, be sure to select the **Secure Boot and DMA Protection** platform security level. If your hardware does not contain IOMMU, there are several mitigations provided by leveraging Secure Boot without DMA Protection.
-
-6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. After you configure this setting, UEFI Secure Boot will be enabled upon restart.
-
-7. Check the test computer’s event log for Device Guard GPOs.
-
- Processed Device Guard policies are logged in event viewer at Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. When the **Turn On Virtualization Based Security** policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy.
-
-### Enable virtualization-based security of kernel-mode code integrity
-
-Before you begin this process, verify that the desired computer meets the hardware requirements for VBS found in the [Hardware considerations](#hardware-considerations) section, and enable the Windows features discussed in the [Virtualization-based security Windows feature requirements](#virtualization-based-security-windows-featurerrequirements) section. When validated, you can enable virtualization-based protection of KMCI in one of two ways: manual configuration of the appropriate registry subkeys and Group Policy deployment.
-
->**Note:** All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. Microsoft recommends that you enable this feature on a group of test machines before you enable it on deployed machines.
-
-To configure virtualization-based protection of KMCI manually:
-
-1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
-2. Set the **HypervisorEnforcedCodeIntegrity DWORD** value to **1**.
-3. Restart the client computer.
-
-It would be time consuming to perform these steps manually on every protected machine in your enterprise. Instead, use Group Policy to deploy virtualization-based protection of KMCI. This example creates a test OU called *DG Enabled PCs*, which you will use to link the GPO. If you prefer to link the policy to an existing OU rather than create a test OU and scope the policy by using appropriately named computer security groups, that is another option.
-
->**Note:** Microsoft recommends that you test-enable this feature on a group of test computers before you deploy it to machines that are currently deployed to users. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail.
-
-To use Group Policy to configure VBS of KMCI:
-
-1. Create a new GPO: Right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.
-
- 
-
- Figure 5. Create a new OU-linked GPO
-
-2. Name the new GPO **Contoso VBS CI Protection GPO Test**.
-
- This example uses *Contoso VBS CI Protection GPO Test* as the name of the GPO. You can choose any name you prefer for this example. Ideally, this name would align with your existing GPO naming convention.
-
-3. Open the Group Policy Management Editor: Right-click the new GPO, and then click **Edit**.
-
-4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Then, right-click **Turn On Virtualization Based Security**, and then click **Edit**.
-
- 
-
- Figure 6. Enable VBS
-
-5. Select the **Enabled** option, and then select the **Enable Virtualization Based Protection of Code Integrity** check box.
-
- 
-
- Figure 7. Enable VBS of KMCI
-
-6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. With this setting configured, the VBS of the KMCI will take effect upon restart.
-
-7. Check the test client event log for Device Guard GPOs.
-
- Processed Device Guard policies are logged in event viewer under Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational. When the **Turn On Virtualization Based Security** policy has been successfully processed, event ID 7000 is logged, which contains the selected settings within the policy.
-
-### Enable Credential Guard
-
-Credential Guard provides an additional layer of credential protection specifically for domain users by storing the credentials within the virtualized container, away from both the kernel and user mode operating system. This makes it difficult for even a compromised system to obtain access to the credentials. In addition to the client-side enablement of Credential Guard, you can deploy additional mitigations at both the Certification Authority and domain controller level to prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future.
-
-Before you begin this process, verify that the desired system meets the hardware requirements for VBS found in the [Hardware considerations](#hardware) section, and that you have enabled the Windows features laid out in the [Virtualization-based security Windows feature requirements](#virtualization-based-security-windows-feature-requirements) section. When validated, you can enable Credential Guard manually, by configuring the appropriate registry subkeys, or through Group Policy deployment.
-
-To configure VBS of Credential Guard manually:
-
-1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa** registry subkey.
-2. Set the **LsaCfgFlags DWORD** value to **1**.
-3. Restart the client computer.
-
-To avoid spending an unnecessary amount of time in manual deployments, use Group Policy to deploy Credential Guard to your organization. This example creates a test OU called *DG Enabled PCs*. To enable Credential Guard, you can link to any OU, and then scope the GPO’s application by using security groups.
-
->**Note:** Microsoft recommends that you enable Credential Guard before you join a machine to the domain to ensure that all credentials are properly protected. Setting the appropriate registry subkeys during your imaging process would be ideal to achieve this protection.
-
-To use Group Policy to enable Credential Guard:
-
-1. Create a new GPO: right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here** .
-
- 
-
- Figure 8. Create a new OU-linked GPO
-
-2. Name the new GPO **Contoso Credential Guard GPO Test**.
-
- This example uses *Contoso Credential Guard GPO Test* as the name of the GPO. You can choose any name you prefer for this example. Ideally, this name would align with your existing GPO naming convention.
-
-3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
-
-4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.
-
- 
-
- Figure 9. Enable VBS
-
-5. Select the **Enabled** option, and then select the **Enable Credential Guard** check box.
-
- 
-
- Figure 10. Enable Credential Guard
-
-6. Close Group Policy Management Editor, and then restart the Windows 10 test computer.
-
- >**Note:** The default platform security level is **Secure Boot**. If IOMMUs are available within the protected machines, it is recommended that you select **Secure Boot and DMA Protection** to maximize the mitigations that are available through Credential Guard.
-
-7. Check the test client event log for Device Guard GPOs.
-
->**Note** All processed Device Guard policies are logged in event viewer under Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational.
-
-For additional information about how Credential Guard works as well as additional configuration options, please refer to the [Credential Guard documentation](http://go.microsoft.com/fwlink/p/?LinkId=624529).
-
-**Validate enabled Device Guard hardware-based security features**
-
-Windows 10 and Windows Server 2016 and later have a WMI class for Device Guard–related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
-
-`Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard`
-
->**Note:** The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10.
-
-The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. For detailed information about what each property means, refer to Table 1.
-
-Table 1. Win32\_DeviceGuard properties
-
-
-
-
-
-Requirement
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the
-**System Summary** section, as shown in Figure 11.
-
-
-
-Figure 11. Device Guard properties in the System Summary
-
-## Catalog files
-
-Enforcement of Device Guard on a system requires that every trusted application have a signature or its binary hashes added to the code integrity policy. For many organizations, this can be an issue when considering unsigned LOB applications. To avoid the requirement that organizations repackage and sign these applications, Windows 10 includes a tool called Package Inspector that monitors an installation process for any deployed and executed binary files. If the tool discovers such files, it itemizes them in a catalog file. These catalog files offer you a way to trust your existing unsigned applications, whether developed in house or by a third party, as well as trust signed applications for which you do not want to trust the signer but rather the specific application. When created, these files can be signed, the signing certificates added to your existing code integrity policies, and the catalog files themselves distributed to the clients.
-
->**Note:** The Enterprise edition of Windows 10 or Windows Server 2016 is required to create and use catalog files.
-
-### Create catalog files
-
-The creation of catalog files is the first step to add an unsigned application to a code integrity policy. To create a catalog file, copy each of the following commands into an elevated Windows PowerShell session, and then complete the steps:
-
->**Note:** When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, you will use *\*-Contoso.cat* as the naming convention. For more information about why this practice is helpful to inventory or detect catalog files, see the [Inventory catalog files with System Center Configuration Manager](#inventory-catalog-files-with-system-center-configuration-manager) section.
-
-1. Be sure that a code integrity policy is currently running in audit mode.
-
- Package Inspector does not always detect installation files that have been removed from the machine during the installation process. To ensure that these binaries are also trusted, the code integrity policy that you created and audited in the [Create code integrity policies from golden PCs](#create-code-integrity-policies-from-golden-pcs) and [Audit code integrity policies](#audit-code-integrity-policies) sections should be deployed, in audit mode, to the system on which you are running Package Inspector.
-
- **Note**
- This process should **not** be performed on a system running an enforced Device Guard policy, only with a policy running in audit mode. If a policy is currently being enforced, you will not be able to install and run the application.
-
-2. Start Package Inspector, and then scan drive C:
-
- `PackageInspector.exe Start C:`
-
- >**Note:** Package inspector can monitor installations on any local drive. In this example, we install the application on drive C, but any other drive can be used.
-
-3. Copy the installation media to drive C.
-
- By copying the installation media to drive C, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future code integrity policy may trust the application to run but not be installed.
-
-4. Install and launch the application.
-
- Install the application to drive C. When the installation is finished, launch the application and ensure that any product updates are installed and any downloadable content caught during the scan. When finished, close and
- reopen the application once again to ensure that the scan has captured all binaries.
-
- >**Note:** Every binary that is run while Package Inspector is running will be captured in the catalog. Therefore, be sure not to run additional installations or updates during the scan to minimize the risk of trusting the incorrect binaries. Alternatively, if you want to add multiple applications to a single catalog file, simply repeat the installation and run process while the current scan is running.
-
-5. Stop the scan, and then generate definition and catalog files. When application installation and initial setup are finished, stop the Package Inspector scan and generate the catalog and definition files on your desktop by using the following commands:
-
- `$ExamplePath=$env:userprofile+"\Desktop"`
- `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
- `$CatDefName=$ExamplePath+"\LOBApp.cdf"`
- `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
-
->**Note:** This scan catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values.
-When finished, the files will be saved to your desktop. To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be included in the code integrity policy, and the catalog file can be distributed to the individual client machines. Catalog files can be signed by using a certificate and SignTool.exe, a free tool available in the Windows SDK. For more information about signing catalog files with SignTool.exe, see the [Catalog signing with SignTool.exe](#catalog-signing-with-signtool.exe) section.
-
-### Catalog signing with SignTool.exe
-
-Device Guard makes it easy for organizations to sign and trust existing unsigned LOB applications. In this section, you sign a catalog file you generated in a previous section by using PackageInspector.exe. For information about how to create catalog files, see the [Create catalog files](#create-catalog-files) section. In this example, you need the following:
-
-- SignTool.exe, found in the Windows software development kit (SDK—Windows 7 or later)
-- The catalog file that you generated in the [Create catalog files](#create-catalog-files) section, or another catalog file that you have created
-- Internal certification authority (CA) code signing certificate or purchased code signing certificate
-
-If you do not have a code signing certificate, please see the [Create a Device Guard code signing certificate](#create-a-device-guard-code-signing-certificate) section for a walkthrough of how to create one. In addition to using the certificate you create in the Create a Device Guard code signing certificate section, this example signs the catalog file that you created in the [Create catalog files](#create-catalog-files) section. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate. To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session:
-
-1. Initialize the variables that will be used:
-
- '$ExamplePath=$env:userprofile+"\Desktop"'
-
- '$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"'
-
- >**Note:** In this example, you use the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, be sure to update the *$ExamplePath* and *$CatFileName* variables with the correct information.
-
-2. Import the code signing certificate. Import the code signing certificate that will be used to sign the catalog file to the signing user’s personal store. In this example, you use the certificate that you created in the [Create a Device Guard code signing certificate](#create-a-device-guard-code-signing-certificate) section.
-
-3. Sign the catalog file with Signtool.exe:
-
- `
-
-
-
-Properties
-Description
-Valid values
-
-
-AvailableSecurityProperties
-This field helps to enumerate and report state on the relevant security properties for Device Guard.
-
-
-
-InstanceIdentifier
-A string that is unique to a particular device.
-Determined by WMI.
-
-
-RequiredSecurityProperties
-This field describes the required security properties to enable virtualization-based security.
-
-
-
-SecurityServicesConfigured
-This field indicates whether the Credential Guard or HVCI service has been configured.
-
-
-
-SecurityServicesRunning
-This field indicates whether the Credential Guard or HVCI service is running.
-
-
-
-Version
-This field lists the version of this WMI class.
-The only valid value now is 1.0.
-
-
-VirtualizationBasedSecurityStatus
-This field indicates whether VBS is enabled and running.
-
-
-
-
-PSComputerName
-This field lists the computer name.
-All valid values for computer name.
-
-
-
-4. Copy the app installation media to your C:\\ drive, and then install and run the program.
-
- Copying the media to your local drive helps to make sure that the installer and its related files are included in your catalog file. If you miss the install files, your Code Integrity Policy might trust the app to run, but not to install. After you've installed the app, you should check for updates. If updates happen while the app is open, you should close and restart the app to make sure everything is caught during the inspection process.
-
- > **Note:** Because the Package Inspector creates a log entry in the catalog for every binary laid down on the file system, we recommend that you don't run any other installations or updates during the scanning process.
-
-5. **Optional:** If you want to create a multi-app catalog (many apps included in a single catalog file), you can continue to run Steps 2-3 for each additional app. After you've added all of the apps you want to add, you can continue to Step 5.
- > **Note: ** To streamline your process, we suggest:
- - **Actively supported and updated apps.** Create a single catalog file for each app.
- - **Legacy apps, non-active or not updated.** Create a single catalog file for all of your legacy apps.
-
-6. Stop the scanning process and create the .\\InspectedPackage.cat and InspectedPackage.cdf files for your single app in your specified location, by typing:
- ``` syntax
- PackageInspector.exe stop c:
- ```
-You can also use the `scan` command in place of using both `start` and `stop` if you want to create a catalog of files that are already present on your hard drive. The `scan` command recursively scans a specified directory and includes all signable files in the catalog. You can scan a specified directory by typing:
-``` syntax
-PackageInspector.exe scan c:\
-
-
-
- Option
- Description
-
-
-
-
-
-
-
-
-You can add additional parameters to your catalog beyond what's listed here. For more info, see the [MakeCat](http://go.microsoft.com/fwlink/p/?LinkId=618024) topic.
-
-## Sign your catalog file using Sign Tool
-
-You can sign your catalog file using Sign Tool, located in the Windows 7 or later Windows Software Development Kit (SDK) or by using the Device Guard signing portal. For details on using the Device Guard signing portal, see [Device Guard signing](http://go.microsoft.com/fwlink/p/?LinkID=698760).
-This process shows how to use a password-protected Personal Information Exchange (.pfx) file to sign the catalog file.
-
-> **Important:** To use this tool, you must have an internal certificate authority code signing certificate, or a code signing certificate issued by an external third-party certificate authority.
-
-**To use Sign Tool**
-
-1. Check that your code signing certificates have been imported into your certificate store or that they're on the file system.
-2. Open SignTool.exe and sign the catalog file, based on where your certificate is stored.
- If you are using the PFX from a file system location:
- ``` syntax
- signtool sign /f <\\SignCertLocation> /p <\\password> /fd sha256 /v
- ```
- If you have imported the certificate into your cert store:
- ``` syntax
- signtool sign /n <\\CertSubjectName> /fd sha256 /v
-
-
-
-Option
-Description
-
-
-
-
-
-
-CAT for a catalog file, CDF for a catalog definition file or list for a delimited list of files.
-
--out list.
-
-
-
-
-
-
-
-[true|false]True to add the hashes or False to not add the hashes.
-
-
-
-
-
-
-
-
-
- For more detailed info and examples using the available options, see the [SignTool.exe (Sign Tool)](http://go.microsoft.com/fwlink/p/?LinkId=618026) topic.
-
-3. In File Explorer, right-click your catalog file, click **Properties**, and then click the **Digital Signatures** tab to make sure your catalog file's digital signature is accurate.
-4. Copy your catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} and test the file.
-
- >**Note:** For testing purposes, you can manually copy your file to this location. However, we recommend that you use Group Policy to copy the catalog file to all of your devices for large-scale implementations.
-
-## Troubleshooting the Package Inspector
-
-If you see "Error 1181" while stopping the Package Inspector, you'll need to increase your USN journal size and then clear all of the cached data before re-scanning the impacted apps.
-
-You must make sure that you clear the cache by creating and setting a new temporary policy. If you reuse the same policy, the Package Inspector will fail.
-
-**To increase your journal size**
-1. Open a command-prompt window, and then type:
- ``` syntax
- fsutil usn createjournal m=0x8000000 a=0x800000 C:
- ```
- Where the "m" value needs to be increased. We recommend that you change the value to at least 4 times the default value of m=0x2000000.
-2. Re-run the failed app installation(s).
-
-**To clear your cached data and re-scan your apps**
-
-1. Delete the SIPolicy.p7b file from the C:\\Windows\\System32\\CodeIntegrity\\ folder.
-2. Create a new temporary Code Integrity Policy to clear all of the cached data by starting Windows Powershell as an administrator and typing:
- ``` syntax
- mkdir temp
- cp C:\Windows\System32\PackageInspector.exe .\temp\
- New-CIPolicy -l Hash -f .\DenyPackageInspector.xml -s .\temp -u -deny
- ConvertFrom-CIPolicy .\DenyPackageInspector.xml .\DenyPackageInspector.bin
- cp .\DenyPackageInspector.bin C:\Windows\System32\SIPolicy.p7b
- ```
-3. Restart your device and follow the steps in the [Create a catalog file for unsigned apps](#create-a-catalog-file-for-unsigned-apps) section.
-
-## Related topics
-
-[Download SignTool]( http://go.microsoft.com/fwlink/p/?LinkId=619283)
diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md
index 805ac84dfc..fd1ffe2dcd 100644
--- a/windows/keep-secure/guidance-and-best-practices-edp.md
+++ b/windows/keep-secure/guidance-and-best-practices-edp.md
@@ -23,6 +23,7 @@ This section includes info about the enlightened Microsoft apps, including how t
## In this section
|Topic |Description |
|------|------------|
+|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
|[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. |
|[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) |We've come up with a list of suggested testing scenarios that you can use to test EDP in your company. |
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample1.gif b/windows/keep-secure/images/adlocalaccounts-proc1-sample1.gif
new file mode 100644
index 0000000000..fb60cd5599
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample1.gif differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample2.png b/windows/keep-secure/images/adlocalaccounts-proc1-sample2.png
new file mode 100644
index 0000000000..93e5e8e098
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample2.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample3.png b/windows/keep-secure/images/adlocalaccounts-proc1-sample3.png
new file mode 100644
index 0000000000..7aad6b6a7b
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample3.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample4.png b/windows/keep-secure/images/adlocalaccounts-proc1-sample4.png
new file mode 100644
index 0000000000..2b6c1394b9
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample4.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample5.png b/windows/keep-secure/images/adlocalaccounts-proc1-sample5.png
new file mode 100644
index 0000000000..65508e5cf4
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample5.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample6.png b/windows/keep-secure/images/adlocalaccounts-proc1-sample6.png
new file mode 100644
index 0000000000..4653a66f29
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample6.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample7.png b/windows/keep-secure/images/adlocalaccounts-proc1-sample7.png
new file mode 100644
index 0000000000..b4e379a357
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample7.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample1.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample1.png
new file mode 100644
index 0000000000..c725fd4f55
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample1.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample2.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample2.png
new file mode 100644
index 0000000000..999303a2d6
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample2.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample3.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample3.png
new file mode 100644
index 0000000000..b80fc69397
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample3.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample4.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample4.png
new file mode 100644
index 0000000000..412f425ccf
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample4.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample5.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample5.png
new file mode 100644
index 0000000000..b80fc69397
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample5.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample6.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample6.png
new file mode 100644
index 0000000000..b2f6d3e1e2
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample6.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample7.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample7.png
new file mode 100644
index 0000000000..8dda5403cf
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample7.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc3-sample1.png b/windows/keep-secure/images/adlocalaccounts-proc3-sample1.png
new file mode 100644
index 0000000000..e96b26abe1
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc3-sample1.png differ
diff --git a/windows/keep-secure/images/authorizationandaccesscontrolprocess.gif b/windows/keep-secure/images/authorizationandaccesscontrolprocess.gif
new file mode 100644
index 0000000000..d8a4d99dd2
Binary files /dev/null and b/windows/keep-secure/images/authorizationandaccesscontrolprocess.gif differ
diff --git a/windows/keep-secure/images/edp-sccm-add-network-domain.png b/windows/keep-secure/images/edp-sccm-add-network-domain.png
new file mode 100644
index 0000000000..505a3ca5fe
Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-add-network-domain.png differ
diff --git a/windows/keep-secure/images/edp-sccm-addapplockerfile.png b/windows/keep-secure/images/edp-sccm-addapplockerfile.png
new file mode 100644
index 0000000000..36d4508747
Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-addapplockerfile.png differ
diff --git a/windows/keep-secure/images/edp-sccm-adddesktopapp.png b/windows/keep-secure/images/edp-sccm-adddesktopapp.png
index 5ceed9bc66..18b1970f81 100644
Binary files a/windows/keep-secure/images/edp-sccm-adddesktopapp.png and b/windows/keep-secure/images/edp-sccm-adddesktopapp.png differ
diff --git a/windows/keep-secure/images/edp-sccm-additionalsettings.png b/windows/keep-secure/images/edp-sccm-additionalsettings.png
new file mode 100644
index 0000000000..3bd31c8e27
Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-additionalsettings.png differ
diff --git a/windows/keep-secure/images/edp-sccm-adduniversalapp.png b/windows/keep-secure/images/edp-sccm-adduniversalapp.png
index bd5009afdc..cd8b78c72d 100644
Binary files a/windows/keep-secure/images/edp-sccm-adduniversalapp.png and b/windows/keep-secure/images/edp-sccm-adduniversalapp.png differ
diff --git a/windows/keep-secure/images/edp-sccm-appmgmt.png b/windows/keep-secure/images/edp-sccm-appmgmt.png
index 0a9d23f405..52a6ef5fd9 100644
Binary files a/windows/keep-secure/images/edp-sccm-appmgmt.png and b/windows/keep-secure/images/edp-sccm-appmgmt.png differ
diff --git a/windows/keep-secure/images/edp-sccm-corp-identity.png b/windows/keep-secure/images/edp-sccm-corp-identity.png
new file mode 100644
index 0000000000..940d60acf1
Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-corp-identity.png differ
diff --git a/windows/keep-secure/images/edp-sccm-devicesettings.png b/windows/keep-secure/images/edp-sccm-devicesettings.png
index 3056cc1c96..1573ef06d7 100644
Binary files a/windows/keep-secure/images/edp-sccm-devicesettings.png and b/windows/keep-secure/images/edp-sccm-devicesettings.png differ
diff --git a/windows/keep-secure/images/edp-sccm-dra.png b/windows/keep-secure/images/edp-sccm-dra.png
new file mode 100644
index 0000000000..d823ecb78d
Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-dra.png differ
diff --git a/windows/keep-secure/images/edp-sccm-generalscreen.png b/windows/keep-secure/images/edp-sccm-generalscreen.png
index 788cef4b8a..e0013f5b2d 100644
Binary files a/windows/keep-secure/images/edp-sccm-generalscreen.png and b/windows/keep-secure/images/edp-sccm-generalscreen.png differ
diff --git a/windows/keep-secure/images/edp-sccm-network-domain.png b/windows/keep-secure/images/edp-sccm-network-domain.png
new file mode 100644
index 0000000000..0fff54b6d2
Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-network-domain.png differ
diff --git a/windows/keep-secure/images/edp-sccm-optsettings.png b/windows/keep-secure/images/edp-sccm-optsettings.png
index d786610c07..65365356da 100644
Binary files a/windows/keep-secure/images/edp-sccm-optsettings.png and b/windows/keep-secure/images/edp-sccm-optsettings.png differ
diff --git a/windows/keep-secure/images/edp-sccm-primarydomain2.png b/windows/keep-secure/images/edp-sccm-primarydomain2.png
deleted file mode 100644
index 5cb9990baf..0000000000
Binary files a/windows/keep-secure/images/edp-sccm-primarydomain2.png and /dev/null differ
diff --git a/windows/keep-secure/images/edp-sccm-summaryscreen.png b/windows/keep-secure/images/edp-sccm-summaryscreen.png
index 2e9d7b138b..2cbb827d7a 100644
Binary files a/windows/keep-secure/images/edp-sccm-summaryscreen.png and b/windows/keep-secure/images/edp-sccm-summaryscreen.png differ
diff --git a/windows/keep-secure/images/edp-sccm-supportedplat.png b/windows/keep-secure/images/edp-sccm-supportedplat.png
index dc72f15692..7add4926a9 100644
Binary files a/windows/keep-secure/images/edp-sccm-supportedplat.png and b/windows/keep-secure/images/edp-sccm-supportedplat.png differ
diff --git a/windows/keep-secure/images/intune-add-applocker-xml-file.png b/windows/keep-secure/images/intune-add-applocker-xml-file.png
new file mode 100644
index 0000000000..8829c070a6
Binary files /dev/null and b/windows/keep-secure/images/intune-add-applocker-xml-file.png differ
diff --git a/windows/keep-secure/images/intune-add-classic-apps.png b/windows/keep-secure/images/intune-add-classic-apps.png
new file mode 100644
index 0000000000..bf4e5792c1
Binary files /dev/null and b/windows/keep-secure/images/intune-add-classic-apps.png differ
diff --git a/windows/keep-secure/images/intune-add-desktop-app.png b/windows/keep-secure/images/intune-add-desktop-app.png
deleted file mode 100644
index 8d8186398a..0000000000
Binary files a/windows/keep-secure/images/intune-add-desktop-app.png and /dev/null differ
diff --git a/windows/keep-secure/images/intune-add-uwp-apps.png b/windows/keep-secure/images/intune-add-uwp-apps.png
new file mode 100644
index 0000000000..933cd9addf
Binary files /dev/null and b/windows/keep-secure/images/intune-add-uwp-apps.png differ
diff --git a/windows/keep-secure/images/intune-add-uwp.png b/windows/keep-secure/images/intune-add-uwp.png
new file mode 100644
index 0000000000..7b226b7edd
Binary files /dev/null and b/windows/keep-secure/images/intune-add-uwp.png differ
diff --git a/windows/keep-secure/images/intune-addapps.png b/windows/keep-secure/images/intune-addapps.png
index f6569723de..52e3983adf 100644
Binary files a/windows/keep-secure/images/intune-addapps.png and b/windows/keep-secure/images/intune-addapps.png differ
diff --git a/windows/keep-secure/images/intune-applocker-before-begin.png b/windows/keep-secure/images/intune-applocker-before-begin.png
new file mode 100644
index 0000000000..3f6a79c8d6
Binary files /dev/null and b/windows/keep-secure/images/intune-applocker-before-begin.png differ
diff --git a/windows/keep-secure/images/intune-applocker-permissions.png b/windows/keep-secure/images/intune-applocker-permissions.png
new file mode 100644
index 0000000000..901c861793
Binary files /dev/null and b/windows/keep-secure/images/intune-applocker-permissions.png differ
diff --git a/windows/keep-secure/images/intune-applocker-publisher-with-app.png b/windows/keep-secure/images/intune-applocker-publisher-with-app.png
new file mode 100644
index 0000000000..29f08e03f0
Binary files /dev/null and b/windows/keep-secure/images/intune-applocker-publisher-with-app.png differ
diff --git a/windows/keep-secure/images/intune-applocker-publisher.png b/windows/keep-secure/images/intune-applocker-publisher.png
new file mode 100644
index 0000000000..42da98610a
Binary files /dev/null and b/windows/keep-secure/images/intune-applocker-publisher.png differ
diff --git a/windows/keep-secure/images/intune-applocker-select-apps.png b/windows/keep-secure/images/intune-applocker-select-apps.png
new file mode 100644
index 0000000000..38ba06d474
Binary files /dev/null and b/windows/keep-secure/images/intune-applocker-select-apps.png differ
diff --git a/windows/keep-secure/images/intune-corporate-identity.png b/windows/keep-secure/images/intune-corporate-identity.png
new file mode 100644
index 0000000000..4ffb6223ea
Binary files /dev/null and b/windows/keep-secure/images/intune-corporate-identity.png differ
diff --git a/windows/keep-secure/images/intune-createnewpolicy.png b/windows/keep-secure/images/intune-createnewpolicy.png
index 02a989d8ae..26ab066343 100644
Binary files a/windows/keep-secure/images/intune-createnewpolicy.png and b/windows/keep-secure/images/intune-createnewpolicy.png differ
diff --git a/windows/keep-secure/images/intune-data-recovery.png b/windows/keep-secure/images/intune-data-recovery.png
index 0913c7a22b..32d7282110 100644
Binary files a/windows/keep-secure/images/intune-data-recovery.png and b/windows/keep-secure/images/intune-data-recovery.png differ
diff --git a/windows/keep-secure/images/intune-edpsettings.png b/windows/keep-secure/images/intune-edpsettings.png
deleted file mode 100644
index 882bf0d46b..0000000000
Binary files a/windows/keep-secure/images/intune-edpsettings.png and /dev/null differ
diff --git a/windows/keep-secure/images/intune-empty-addapps.png b/windows/keep-secure/images/intune-empty-addapps.png
new file mode 100644
index 0000000000..7987e91454
Binary files /dev/null and b/windows/keep-secure/images/intune-empty-addapps.png differ
diff --git a/windows/keep-secure/images/intune-encryption-level.png b/windows/keep-secure/images/intune-encryption-level.png
deleted file mode 100644
index f094fae2f9..0000000000
Binary files a/windows/keep-secure/images/intune-encryption-level.png and /dev/null differ
diff --git a/windows/keep-secure/images/intune-generalinfo.png b/windows/keep-secure/images/intune-generalinfo.png
new file mode 100644
index 0000000000..c740cad913
Binary files /dev/null and b/windows/keep-secure/images/intune-generalinfo.png differ
diff --git a/windows/keep-secure/images/intune-local-security-export.png b/windows/keep-secure/images/intune-local-security-export.png
new file mode 100644
index 0000000000..56b27c2387
Binary files /dev/null and b/windows/keep-secure/images/intune-local-security-export.png differ
diff --git a/windows/keep-secure/images/intune-local-security-snapin-updated.png b/windows/keep-secure/images/intune-local-security-snapin-updated.png
new file mode 100644
index 0000000000..d794b8976c
Binary files /dev/null and b/windows/keep-secure/images/intune-local-security-snapin-updated.png differ
diff --git a/windows/keep-secure/images/intune-local-security-snapin.png b/windows/keep-secure/images/intune-local-security-snapin.png
new file mode 100644
index 0000000000..492f3fc50a
Binary files /dev/null and b/windows/keep-secure/images/intune-local-security-snapin.png differ
diff --git a/windows/keep-secure/images/intune-namedescription.png b/windows/keep-secure/images/intune-namedescription.png
deleted file mode 100644
index 874b8b52a5..0000000000
Binary files a/windows/keep-secure/images/intune-namedescription.png and /dev/null differ
diff --git a/windows/keep-secure/images/intune-network-detection-boxes.png b/windows/keep-secure/images/intune-network-detection-boxes.png
new file mode 100644
index 0000000000..256b586c70
Binary files /dev/null and b/windows/keep-secure/images/intune-network-detection-boxes.png differ
diff --git a/windows/keep-secure/images/intune-networklocation.png b/windows/keep-secure/images/intune-networklocation.png
index 3b1ec39b7c..058aaec38e 100644
Binary files a/windows/keep-secure/images/intune-networklocation.png and b/windows/keep-secure/images/intune-networklocation.png differ
diff --git a/windows/keep-secure/images/intune-optional-settings.png b/windows/keep-secure/images/intune-optional-settings.png
new file mode 100644
index 0000000000..2d2bf90bb1
Binary files /dev/null and b/windows/keep-secure/images/intune-optional-settings.png differ
diff --git a/windows/keep-secure/images/intune-primary-domain.png b/windows/keep-secure/images/intune-primary-domain.png
deleted file mode 100644
index 72105fab7c..0000000000
Binary files a/windows/keep-secure/images/intune-primary-domain.png and /dev/null differ
diff --git a/windows/keep-secure/images/intune-protection-mode.png b/windows/keep-secure/images/intune-protection-mode.png
new file mode 100644
index 0000000000..80804f7946
Binary files /dev/null and b/windows/keep-secure/images/intune-protection-mode.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample1.png b/windows/keep-secure/images/localaccounts-proc1-sample1.png
new file mode 100644
index 0000000000..e70fa02c92
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc1-sample1.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample2.png b/windows/keep-secure/images/localaccounts-proc1-sample2.png
new file mode 100644
index 0000000000..085993f92c
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc1-sample2.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample3.png b/windows/keep-secure/images/localaccounts-proc1-sample3.png
new file mode 100644
index 0000000000..282cdb729d
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc1-sample3.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample4.png b/windows/keep-secure/images/localaccounts-proc1-sample4.png
new file mode 100644
index 0000000000..89fc916400
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc1-sample4.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample5.png b/windows/keep-secure/images/localaccounts-proc1-sample5.png
new file mode 100644
index 0000000000..d8d5af1336
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc1-sample5.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample6.png b/windows/keep-secure/images/localaccounts-proc1-sample6.png
new file mode 100644
index 0000000000..ba3f15f597
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc1-sample6.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc2-sample1.png b/windows/keep-secure/images/localaccounts-proc2-sample1.png
new file mode 100644
index 0000000000..2d44e29e1b
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc2-sample1.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc2-sample2.png b/windows/keep-secure/images/localaccounts-proc2-sample2.png
new file mode 100644
index 0000000000..89136d1ba0
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc2-sample2.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc2-sample3.png b/windows/keep-secure/images/localaccounts-proc2-sample3.png
new file mode 100644
index 0000000000..f2d3a7596b
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc2-sample3.png differ
diff --git a/windows/keep-secure/images/oma-uri.png b/windows/keep-secure/images/oma-uri.png
new file mode 100644
index 0000000000..00cfe55d01
Binary files /dev/null and b/windows/keep-secure/images/oma-uri.png differ
diff --git a/windows/keep-secure/images/security-identifider-architecture.jpg b/windows/keep-secure/images/security-identifider-architecture.jpg
new file mode 100644
index 0000000000..cd7d341065
Binary files /dev/null and b/windows/keep-secure/images/security-identifider-architecture.jpg differ
diff --git a/windows/keep-secure/images/timeline.png b/windows/keep-secure/images/timeline.png
index 83ac56f312..ac657b2a12 100644
Binary files a/windows/keep-secure/images/timeline.png and b/windows/keep-secure/images/timeline.png differ
diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md
index b605acb372..08feae0e2e 100644
--- a/windows/keep-secure/index.md
+++ b/windows/keep-secure/index.md
@@ -18,17 +18,18 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
| - | - |
| [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
| [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. |
-| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
| [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. |
| [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) | Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. |
| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
+| [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
| [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
| [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
+| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
-| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
+| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
## Related topics
diff --git a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
new file mode 100644
index 0000000000..f0e196b799
--- /dev/null
+++ b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
@@ -0,0 +1,78 @@
+---
+title: Introduction to Device Guard - virtualization-based security and code integrity policies (Windows 10)
+description: Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+author: brianlic-msft
+---
+
+# Introduction to Device Guard: virtualization-based security and code integrity policies
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *code integrity policies*.
+
+Like the operating system, code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been available in previous versions of the Windows operating system, and protects the kernel mode from running unsigned drivers. In Windows 10 and Windows Server 2016, UMCI is also available, to help protect against viruses and malware.
+
+To increase the security level offered by code integrity policies, Device Guard can leverage advanced hardware features on hardware that supports them. These features include CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT). In addition, hardware that includes input/output memory management units (IOMMUs) provides even stronger protections. When you enable the features associated with CPU virtualization extensions and SLAT, the Code Integrity service can run alongside the kernel in a Windows hypervisor-protected container. The following table provides more information about how Device Guard and these hardware features can help protect against various threats.
+
+For an overview of the process of deploying Device Guard features, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+
+## How Device Guard features help protect against threats
+
+The following table lists security threats and describes the corresponding Device Guard features:
+
+| Security threat in the enterprise | How a Device Guard feature helps protect against the threat |
+| --------------------------------- | ----------------------------------------------------------- |
+| **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**: You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.
-
-
-
- Option
- Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.
**Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. |
+| **Exposure to unsigned code** (most malware is unsigned) | **Code integrity policies, plus catalog files as needed**: Because most malware is unsigned, using a code integrity policy (which in most cases requires signed code) can immediately help protect against a large number of threats. However, many organizations use unsigned line-of-business (LOB) applications, for which the process of signing might be difficult. This has changed in Windows 10, because you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.
**Specialized hardware required?** No security-related hardware features are required for creating and using code integrity policies and catalogs. However, code integrity policies and catalogs are strengthened by the hardware features, as described in later rows of this table. |
+| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**: This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.
**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). |
+| **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**: With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.
**Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. |
+| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**: Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Device Guard security.
**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). |
+
+In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](credential-guard.md) and [AppLocker](applocker-overview.md).
+
+## Tools for managing Device Guard features
+
+You can easily manage Device Guard features by using familiar enterprise and client-management tools that IT pros use every day:
+
+
+
+- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files.
+
+ - For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Device Guard features help protect against threats](#how-device-guard-features-help-protect-against-threats), earlier in this topic.
+ - For information about using Group Policy as a deployment tool, see:
[Deploy catalog files with Group Policy](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-group-policy)
[Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy)
+
+- **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features, as well as provide version control. For more information, see [Deploy catalog files with System Center Configuration Manager](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-system-center-configuration-manager).
+
+- **Microsoft Intune**. In a future release of Microsoft Intune, Microsoft is considering including features that will support the deployment and management of code integrity policies and catalog files.
+
+- **Windows PowerShell**. You can use Windows PowerShell to create and service code integrity policies. For more information, see [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) and [Configurable Code Integrity Policy for Windows PowerShell](https://technet.microsoft.com/library/mt634481.aspx).
+
+These options provide the same experience you're used to in order to manage your existing enterprise management solutions.
+
+For more information about the deployment of Device Guard features, see:
+- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
+- [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md)
+
+## Other features that relate to Device Guard
+
+### Device Guard with AppLocker
+
+Although [AppLocker](applocker-overview.md) is not considered a new Device Guard feature, it complements Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
+
+> **Note** One example of how Device Guard functionality can be enhanced by AppLocker is when you want to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule.
+
+AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
+
+### Device Guard with Credential Guard
+
+Another Windows 10 feature that employs VBS is [Credential Guard](credential-guard.md). Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Credential Guard (which is not a feature within Device Guard), see [Protect derived domain credentials with Credential Guard](credential-guard.md).
+
+Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats.
+
+In addition to the client-side enabling of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. For more information, see the [Additional mitigations](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard#additional-mitigations) section in “Protect derived domain credentials with Credential Guard.”
+
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
index 2f82d6927e..5dfb3959f9 100644
--- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
@@ -84,7 +84,7 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
-> **Note** Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
+> **Note** Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
## View deep analysis report
@@ -121,7 +121,7 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
Value = 0 - block sample collection
Value = 1 - allow sample collection
```
-5. Change the organizational unit through the Group Policy. See [Configure with Group Policy](additional-configuration-windows-defender-advanced-threat-protection.md#configure-with-group-policy).
+5. Change the organizational unit through the Group Policy. See [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
> **Note** If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
index 4778e194e5..0a7f63c71b 100644
--- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -106,7 +106,6 @@ Use the search bar to look for specific alerts or files associated with the mach
You can also filter by:
-- Signed or unsigned files
- Detections mode: displays Windows ATP Alerts and detections
- Behaviors mode: displays "detections" and selected events of interest
- Verbose mode: displays "behaviors" (including "detections"), and all reported events
diff --git a/windows/keep-secure/local-accounts.md b/windows/keep-secure/local-accounts.md
new file mode 100644
index 0000000000..3e94ade971
--- /dev/null
+++ b/windows/keep-secure/local-accounts.md
@@ -0,0 +1,495 @@
+---
+title: Local Accounts (Windows 10)
+description: Local Accounts
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Local Accounts
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This reference topic for the IT professional describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. This topic does not describe the default local user accounts for an Active Directory domain controller.
+
+**Did you mean…**
+
+- [Active Directory Accounts](active-directory-accounts.md)
+
+- [Microsoft Accounts](microsoft-accounts.md)
+
+## About local user accounts
+
+
+Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users.
+
+This topic describes the following:
+
+- [Default local user accounts](#sec-default-accounts)
+
+ - [Administrator account](#sec-administrator)
+
+ - [Guest Account](#sec-guest)
+
+ - [HelpAssistant account (installed by using a Remote Assistance session)](#sec-helpassistant)
+
+- [Default local system accounts](#sec-localsystem)
+
+- [How to manage local accounts](#sec-manage-accounts)
+
+ - [Restrict and protect local accounts with administrative rights](#sec-restrict-protect-accounts)
+
+ - [Enforce local account restrictions for remote access](#sec-enforce-account-restrictions)
+
+ - [Deny network logon to all local Administrator accounts](#sec-deny-network-logon)
+
+ - [Create unique passwords for local accounts with administrative rights](#sec-create-unique-passwords)
+
+For information about security principals, see [Security Principals](security-principals.md).
+
+## Default local user accounts
+
+
+The default local user accounts are built-in accounts that are created automatically when you install the Windows Server operating system on a stand-alone server or member server. The **Applies To** list at the beginning of this article designates the Windows operating systems to which this topic applies.
+
+After the Windows Server operating system is installed, the default local user accounts cannot be removed or deleted. In addition, default local user accounts do not provide access to network resources.
+
+Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see [How to manage local accounts](#sec-manage-accounts) later in this topic.
+
+The default local user accounts that are provided include the Administrator account, Guest account and HelpAssistant account. Each of these default local user accounts is described in the following sections.
+
+### Administrator account
+
+The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the installation for all Windows Server operating systems, and for Windows client operating systems.
+
+For Windows Server operating systems, the Administrator account gives the user full control of the files, directories, services, and other resources that are under the control of the local server. The Administrator account can be used to create local users, and assign user rights and access control permissions. The Administrator account can also be used take control of local resources at any time simply by changing the user rights and permissions.
+
+The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.
+
+The default Administrator account is initially installed differently for Windows Server operating systems, and the Windows client operating systems. The following table provides a comparison.
+
+| Default restriction | Windows Server operating systems | Windows client operating systems |
+|---------------------|----------------------------------|----------------------------------|
+| Administrator account is disabled on installation | No | Yes |
+| Administrator account is set up on first sign-in | Yes | No, keep disabled |
+| Administrator account is used to set up the local server or client computer | Yes | No, use a local user account with **Run as administrator** to obtain administrative rights |
+| Administrator account requires a strong password when it is enabled | Yes | Yes |
+| Administrator account can be disabled, locked out, or renamed | Yes | Yes |
+
+In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required.
+
+In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. For more information, see [Security considerations](#sec-administrator-security).
+
+**Account group membership**
+
+By default, the Administrator account is installed as a member of the Administrators group on the server. It is a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer.
+
+The Administrator account cannot be deleted or removed from the Administrators group, but it can be renamed or disabled.
+
+**Security considerations**
+
+Because the Administrator account is known to exist on many versions of the Windows operating system, it is a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to to the server or client computer.
+
+You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users. For more information about how to rename or disable a user account, see [Disable or activate a local user account](http://technet.microsoft.com/library/cc732112.aspx) and [Rename a local user account](http://technet.microsoft.com/library/cc725595.aspx).
+
+As a security best practice, use your local (non-Administrator) account to sign in and then use **Run as administrator** to accomplish tasks that require a higher level of rights than a standard user account. Do not use the Administrator account to sign in to your computer unless it is entirely necessary. For more information, see [Run a program with administrative credentials](https://technet.microsoft.com/en-us/library/cc732200.aspx).
+
+In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers.
+
+In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](http://technet.microsoft.com/library/hh831791.aspx).
+
+**Note**
+Blank passwords are not allowed in the versions designated in the **Applies To** list at the beginning of this topic.
+
+
+
+**Important**
+Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled.
+
+
+
+### Guest account
+
+The Guest account (SID S-1-5-32-546) is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary.
+
+**Account group membership**
+
+By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers.
+
+**Security considerations**
+
+When an administrator enables the Guest account, it is a best practice to create a strong password for this account. In addition, the administrator on the computer should also grant only limited rights and permissions for the Guest account. For security reasons, the Guest account should not be used over the network and made accessible to other computers.
+
+When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right.
+
+In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
+
+### HelpAssistant account (installed by using a Remote Assistance session)
+
+The default HelpAssistant account is enabled when a Windows Remote Assistance session is run. The Windows Remote Assistance session can be used to connect from the server to another computer running the Windows operating system. For solicited remote assistance, a user initiates a Windows Remote Assistance session, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance.
+
+After the user’s invitation for a Windows Remote Assistance session is accepted, the default HelpAssistant account is automatically created. The HelpAssistant account provides limited access to the computer to the person who provides assistance. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. The HelpAssistant account is automatically deleted after there are no Remote Assistance requests are pending.
+
+The security identifiers (SIDs) that pertain to the default HelpAssistant account include:
+
+- SID: S-1-5-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled.
+
+- SID: S-1-5-14, display name Remote Interactive Logon. This group includes all users who sign in to the computer by using Remote Desktop Connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
+
+For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
+
+In comparison, for the Windows client operating system, the HelpAssistant account is enabled on installation by default.
+
+## Default local system accounts
+
+
+The system account and the Administrator account of the Administrators group have the same file rights and permissions, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The system account was designed for that purpose. It is an internal account that does not show up in User Manager, it cannot be added to any groups, and it cannot have user rights assigned to it.
+
+On the other hand, the system account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the system account is granted Full Control permissions to all files on an NTFS volume. Here the system account has the same functional rights and permissions as the Administrator account.
+
+**Note**
+To grant the account Administrators group file permissions does not implicitly give permission to the system account. The system account's permissions can be removed from a file, but we do not recommend removing them.
+
+
+
+## How to manage local user accounts
+
+
+The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC), a collection of administrative tools that you can use to manage a single local or remote computer. For more information about creating and managing local user accounts, see [Manage Local Users](http://technet.microsoft.com/library/cc731899.aspx).
+
+You can use Local Users and Groups to assign rights and permissions on the local server, and that server only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer. It regulates which users can have access to an object on the server and in what manner.
+
+You cannot use Local Users and Groups to view local users and groups after a member server is used as a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network.
+
+**Note**
+You use Active Directory Users and Computers to manage users and groups in Active Directory.
+
+
+
+### Restrict and protect local accounts with administrative rights
+
+An administrator can use a number of approaches to prevent malicious users from using stolen credentials, such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights; this is also called "lateral movement".
+
+The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks, for example, to browse the Internet, send email, or use a word processor. When you want to perform an administrative task, for example, to install a new program or to change a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section.
+
+The other approaches that can be used to restrict and protect user accounts with administrative rights include:
+
+- Enforce local account restrictions for remote access.
+
+- Deny network logon to all local Administrator accounts.
+
+- Create unique passwords for local accounts with administrative rights.
+
+Each of these approaches is described in the following sections.
+
+**Note**
+These approaches do not apply if all administrative local accounts are disabled.
+
+
+
+### Enforce local account restrictions for remote access
+
+The User Account Control (UAC) is a security feature in Windows that has been in use in Windows Server 2008 and in Windows Vista, and the operating systems to which the **Applies To** list refers. UAC enables you to stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change how often UAC notifies you.
+
+UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the **Run as** command.
+
+In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session.
+
+For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but with the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration.
+
+For more information about UAC, see [User Account Control](user-account-control-overview.md).
+
+The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
+
+
+
+
+
+
+**To enforce local account restrictions for remote access**
+
+1. Start the **Group Policy Management** Console (GPMC).
+
+2. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO).
+
+3. In the console tree, right-click **Group Policy Objects**, and > **New**.
+
+ 
+
+4. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer.
+
+ 
+
+5. In the details pane, right-click <**gpo\_name**>, and > **Edit**.
+
+ 
+
+6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following:
+
+ 1. Navigate to the Computer Configuration\\Policies\\Windows Settings, and > **Security Options**.
+
+ 2. Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**.
+
+ 3. Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**.
+
+7. Ensure that the local account restrictions are applied to network interfaces by doing the following:
+
+ 1. Navigate to Computer Configuration\\Preferences and Windows Settings, and > **Registry**.
+
+ 2. Right-click **Registry**, and > **New** > **Registry Item**.
+
+ 
+
+ 3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**.
+
+ 4. Ensure that the **Hive** box is set to **HKEY\_LOCAL\_MACHINE**.
+
+ 5. Click (**…**), browse to the following location for **Key Path** > **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**.
+
+ 6. In the **Value name** area, type **LocalAccountTokenFilterPolicy**.
+
+ 7. In the **Value type** box, from the drop-down list, select **REG\_DWORD** to change the value.
+
+ 8. In the **Value data** box, ensure that the value is set to **0**.
+
+ 9. Verify this configuration, and > **OK**.
+
+ 
+
+8. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
+
+ 1. Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path.
+
+ 2. Right-click the **Workstations** OU, and > **Link an existing GPO**.
+
+ 
+
+ 3. Select the GPO that you just created, and > **OK**.
+
+9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy.
+
+10. Create links to all other OUs that contain workstations.
+
+11. Create links to all other OUs that contain servers.
+
+### Deny network logon to all local Administrator accounts
+
+Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that the credentials for local accounts that are stolen from a compromised operating system cannot be used to compromise additional computers that use the same credentials.
+
+**Note**
+In order to perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group.
+
+
+
+The following table shows the Group Policy settings that are used to deny network logon for all local Administrator accounts.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**To deny network logon to all local administrator accounts**
+
+1. Start the **Group Policy Management** Console (GPMC).
+
+2. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO).
+
+3. In the console tree, right-click **Group Policy Objects**, and > **New**.
+
+4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it is being used to restrict the local administrative accounts from interactively signing in to the computer.
+
+ 
+
+5. In the details pane, right-click <**gpo\_name**>, and > **Edit**.
+
+ 
+
+6. Configure the user rights to deny network logons for administrative local accounts as follows:
+
+ 1. Navigate to the Computer Configuration\\Policies\\Windows Settings, and > **User Rights Assignment**.
+
+ 2. Double-click **Deny access to this computer from the network**, and > **Define these policy settings**.
+
+ 3. Click **Add User or Group**, type the name of the default Administrator account, and > **OK**. The default name is Administrator on US English installations, but it can be renamed either by policy or manually.
+
+ 
+
+ **Important**
+ In the **User and group names** box, type the user name of the account that you identified at the start of this process. Do not click **Browse** and do not type the domain name or the local computer name in this dialog box. For example, type only **Administrator**. If the text that you typed resolved to a name that is underlined, includes a computer name, or includes the domain, it restricts the wrong account and causes this mitigation to work incorrectly. Also, be careful that you do not enter the group name Administrator to prevent blocking domain accounts in that group.
+
+
+
+ 4. For any additional local accounts in the Administrators group on all of the workstations that you are configuring, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as described in the previous step, and then click **OK**.
+
+7. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows:
+
+ 1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then click **User Rights Assignment**.
+
+ 2. Double-click **Deny log on through Remote Desktop Services**, and then select **Define these settings**.
+
+ 3. Click **Add User or Group**, type the user name of the default Administrator account, and > **OK**. (The default name is Administrator on US English installations, but it can be renamed either by policy or manually.
+
+ **Important**
+ In the **User and group names** box, type the user name of the account that you identified at the start of this process. Do not click **Browse** and do not type the domain name or the local computer name in this dialog box. For example, type only **Administrator**. If the text that you typed resolves to a name that is underlined or includes a domain name, it restricts the wrong account and causes this mitigation to work incorrectly. Also, be careful that you do not enter the group name Administrator because this also blocks domain accounts in that group.
+
+
+
+ 4. For any additional local accounts in the Administrators group on all of the workstations that you are setting up, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as the previous step, and > **OK**.
+
+8. Link the GPO to the first **Workstations** OU as follows:
+
+ 1. Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path.
+
+ 2. Right-click the **Workstations** OU, and > **Link an existing GPO**.
+
+ 3. Select the GPO that you just created, and > **OK**.
+
+9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy.
+
+10. Create links to all other OUs that contain workstations.
+
+11. Create links to all other OUs that contain servers.
+
+ **Note**
+ You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.
+
+
+
+### Create unique passwords for local accounts with administrative rights
+
+Passwords should be unique per individual account. While this is generally true for individual user accounts, many enterprises have identical passwords for common local accounts, such as the default Administrator account. This also occurs when the same passwords are used for local accounts during operating system deployments.
+
+Passwords that are left unchanged or changed synchronously to keep them identical add a significant risk for organizations. Randomizing the passwords mitigates "pass-the-hash" attacks by using different passwords for local accounts, which hampers the ability of malicious users to use password hashes of those accounts to compromise other computers.
+
+Passwords can be randomized by:
+
+- Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools.
+
+- Configuring, customizing and implementing a free tool to accomplish this task. A sample tool with source code is available at [Solution for management of built-in Administrator account’s password via GPO](http://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789).
+
+ **Note**
+ This tool is not supported by Microsoft. There are some important considerations to make before deploying this tool because this tool requires client-side extensions and schema extensions to support password generation and storage.
+
+
+
+- Create and implement a custom script or solution to randomize local account passwords.
+
+## See also
+
+
+The following resources provide additional information about technologies that are related to local accounts.
+
+- [Security Principals](security-principals.md)
+
+- [Security Identifiers](security-identifiers.md)
+
+- [Access Control Overview](access-control.md)
diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md
new file mode 100644
index 0000000000..56b79bc283
--- /dev/null
+++ b/windows/keep-secure/mandatory-settings-for-wip.md
@@ -0,0 +1,32 @@
+---
+title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
+description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) in your enterprise.
+keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Allowed apps list
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10 Insider Preview
+- Windows 10 Mobile Preview
+
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+
+This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
+
+>**Important**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md), based on the tool you're using in your enterprise.
+
+
+|Task |Description |
+|------------------------------------|--------------------------|
+|Add at least one app rule in the **App Rules** area in your WIP policy. |You must have at least one app rule specified in the **App Rules** area of your WIP policy. For more info about where this area is and how to add an app rule, see the **Add individual apps to your Protected App list** section of the policy creation topics.|
+|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the EDP protection level for your enterprise data** section of the policy creation topics.|
+|Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
+|Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. |
+|Specify your Enterprise IPv4 or IPv6 Ranges. |Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
+|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate for EDP** section of the policy creation topics. |
\ No newline at end of file
diff --git a/windows/keep-secure/microsoft-accounts.md b/windows/keep-secure/microsoft-accounts.md
new file mode 100644
index 0000000000..6bea7ac9aa
--- /dev/null
+++ b/windows/keep-secure/microsoft-accounts.md
@@ -0,0 +1,160 @@
+---
+title: Microsoft Accounts (Windows 10)
+description: Microsoft Accounts
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Microsoft Accounts
+
+**Applies to**
+- Windows 10
+
+This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization.
+
+Microsoft sites, services, and properties such as Windows Live, MSN, Xbox LIVE, Zune, Windows Phone, and computers running Windows 10, Windows 8.1, Windows 8, and Windows RT use a Microsoft account as a mean of identifying users. Microsoft account is the name for what was previously called Windows Live ID. It has user-defined secrets associated with it, and it consists of a unique email address and a password.
+
+There are some benefits and considerations when using Microsoft accounts in the enterprise. For more information, see [Microsoft account in the enterprise](#bkmk-msaccountintheenterprise) later in this topic.
+
+When a user signs in with a Microsoft account, their device is connected to cloud services, and many of the settings, preferences, and apps associated with that user account can roam between devices.
+
+**Note**
+This content applies to the operating system versions that are designated in the **Applies To** list at the beginning of this topic.
+
+
+
+## How a Microsoft account works
+
+
+The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Windows Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
+
+When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed.
+
+**Important**
+Local Windows account functionality has not been removed, and it is still an option to use in managed environments.
+
+
+
+### How Microsoft accounts are created
+
+To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. If a user tries to create multiple Microsoft accounts with the same IP address, they are stopped.
+
+Microsoft accounts are not designed to be created in batches, for example, for a group of domain users within your enterprise.
+
+There are two methods for creating a Microsoft account:
+
+- **Use an existing email address**.
+
+ Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal password.
+
+- **Sign up for a Microsoft email address**.
+
+ Users can sign up for an email account with Microsoft's webmail services. This account can be used to sign in to websites that are enabled to use Microsoft accounts.
+
+### How the Microsoft account information is safeguarded
+
+Credential information is encrypted twice. The first encryption is based on the account’s password. Credentials are encrypted again when they are sent across the Internet. The data that is stored is not available to other Microsoft or non-Microsoft services.
+
+- **Strong password is required**.
+
+ Blank passwords are not allowed.
+
+ For more information, see [Microsoft Account Security Overview](http://www.microsoft.com/account/security/default.aspx).
+
+- **Secondary proof of identity is required**.
+
+ Before user profile information and settings can be accessed on a second supported Windows computer for the first time, trust must established for that device by providing secondary proof of identity. This can be accomplished by providing Windows with a code that is sent to a mobile phone number or by following the instructions that are sent to an alternate email address that a user specifies in the account settings.
+
+- **All user profile data is encrypted on the client before it is transmitted to the cloud**.
+
+ User data does not roam over a wireless wide area network (WWAN) by default, thereby protecting profile data. All data and settings that leave a device are transmitted through the TLS/SSL protocol.
+
+**Microsoft account security information is added**.
+
+Users can add security information to their Microsoft accounts through the **Accounts** interface on computers running the supported versions of Windows. This feature allows the user to update the security information that they provided when they created their accounts. This security information includes an alternate email address or phone number so if their password is compromised or forgotten, a verification code can be sent to verify their identity. Users can potentially use their Microsoft accounts to store corporate data on a personal OneDrive or email app, so it is safe practice for the account owner to keep this security information up-to-date.
+
+## The Microsoft account in the enterprise
+
+
+Although the Microsoft account was designed to serve consumers, you might find situations where your domain users can benefit by using their personal Microsoft account in your enterprise. The following list describes some advantages.
+
+- **Download Windows Store apps**:
+
+ If your enterprise chooses to distribute software through the Windows Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT.
+
+- **Single sign-on**:
+
+ Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8 or Windows RT. When they do this, Windows works with your Windows Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Windows Store apps or websites, so that these credentials roam across any devices running these supported versions.
+
+- **Personalized settings synchronization**:
+
+ Users can associate their most commonly used operating-system settings with a Microsoft account. These settings are available whenever a user signs in with that account on any device that is running a supported version of Windows and is connected to the cloud. After a user signs in, the device automatically attempts to get the user's settings from the cloud and apply them to the device.
+
+- **App synchronization**:
+
+ Windows Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed.
+
+- **Integrated social media services**:
+
+ Contact information and status for your users’ friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as OneDrive, Facebook, and Flickr.
+
+### Managing the Microsoft account in the domain
+
+Depending on your IT and business models, introducing Microsoft accounts into your enterprise might add complexity or it might provide solutions. You should address the following considerations before you allow the use of these account types in your enterprise:
+
+- [Restrict the use of the Microsoft account](#bkmk-restrictuse)
+
+- [Configure connected accounts](#bkmk-cfgconnectedaccounts)
+
+- [Provision Microsoft accounts in the enterprise](#bkmk-provisionaccounts)
+
+- [Audit account activity](#bkmk-audit)
+
+- [Perform password resets](#bkmk-passwordresets)
+
+- [Restrict app installation and usage](#bkmk-restrictappinstallationandusage)
+
+### Restrict the use of the Microsoft account
+
+If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
+
+The default for this setting is **Disabled**, which enables users to use their Microsoft accounts on devices that are joined to your domain. Other options in the setting can:
+
+1. Prevent users from creating new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
+
+2. Prevent users with an existing Microsoft account from signing in to Windows. Selecting this option might make it impossible for an existing administrator to sign in to a computer and manage the system.
+
+### Configure connected accounts
+
+Users can connect a Microsoft account to their domain account and synchronize the settings and preferences between them. This enables users to see the same desktop background, app settings, browser history and favorites, and other Microsoft account settings on their other devices.
+
+Users can disconnect a Microsoft account from their domain account at any time as follows: In **PC settings**, tap or click **Users**, tap or click **Disconnect**, and then tap or click **Finish**.
+
+**Note**
+Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account.
+
+
+
+### Provision Microsoft accounts in the enterprise
+
+Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts.
+
+### Audit account activity
+
+Because Microsoft accounts are Internet-based, Windows does not have a mechanism to audit their use until the account is associated with a domain account. But this association does not restrict the user from disconnecting the account or disjoining from the domain. It is not possible to audit the activity of accounts that are not associated with your domain.
+
+### Perform password resets
+
+Only the owner of the Microsoft account can change the password. Passwords can be changed in the [Microsoft account sign-in portal](https://login.live.com).
+
+### Restrict app installation and usage
+
+Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](applocker-overview.md) and [Packaged Apps and Packaged App Installer Rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
+
+## See also
+
+- [Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](https://technet.microsoft.com/library/jj884082(v=ws.11).aspx)
+
+- [Access Control Overview](access-control.md)
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index 91db7537e8..1bc9344b78 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -43,15 +43,4 @@ Internet connectivity on endpoints is also required. See [Configure Windows Defe
Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section.
-### Deployment channel operating system requirements
-You can choose to onboard endpoints with a scheduled Group Policy (GP) or System Center Configuration Manager (SCCM) update (using a configuration package that you download from the portal or during the service onboarding wizard), or by manually running a script to modify the registry.
-
-The following describes the minimum operating system or software version
-required for each deployment channel.
-
-Deployment channel | Minimum server requirements
-:---|:---
-Group Policy settings | Windows Server 2008 R2
-System Center Configuration Manager | SCCM 2012
-Manual (script) | No minimum requirements
diff --git a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index 8babe1f172..0000000000
--- a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Monitor Windows Defender ATP onboarding
-description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
-keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
----
-
-# Monitor Windows Defender Advanced Threat Protection onboarding
-
-**Applies to:**
-
-- Windows 10 Insider Preview Build 14322 or later
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-You can monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
-
-You might need to monitor the onboarding if the package did not configure the registry correctly, or the reporting client did not start or execute correctly.
-
-Monitoring can be done directly on the portal, or by using System Center Configuration Manager (SCCM).
-
-## Monitor with the portal
-
-1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
-
-2. Click **Machines view**.
-
-3. Verify that endpoints are appearing.
-
-
-> **Note** It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
-
-## Monitor with System Center Configuration Manager
-
-Monitoring with SCCM consists of two parts:
-
-1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.
-
-2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service).
-
-**To confirm the configuration package has been correctly deployed:**
-
-1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.
-
-2. Click **Overview** and then **Deployments**.
-
-3. Click on the deployment with the package name.
-
-4. Review the status indicators under **Completion Statistics** and **Content Status**.
-
-If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information.
-
-
-
-## Related topics
-
-- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
-- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
index eaaa736c69..942dfa02ee 100644
--- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -14,28 +14,16 @@ author: iaanw
**Applies to:**
-- Windows 10 TAP program
+- Windows 10 Insider Preview Build 14332 or later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
You need to onboard to Windows Defender ATP before you can use the service.
-
-
-
-
## In this section
Topic | Description
:---|:---
-[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn how you can use the configuration package to configure endpoints in your enterprise.
+[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise.
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
-[Additional configuration settings] (additional-configuration-windows-defender-advanced-threat-protection.md) | Learn how to configure settings for sample sharing used in the deep analysis feature.
-[Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) | Learn how you can monitor the onboarding to ensure your endpoints are correctly configured and are sending telemetry reports.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
diff --git a/windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
new file mode 100644
index 0000000000..f915647f15
--- /dev/null
+++ b/windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
@@ -0,0 +1,101 @@
+---
+title: Optional - Create a code signing certificate for code integrity policies (Windows 10)
+description: This article describes how to create a code signing certificate for code integrity policies, one of the main features that are part of Device Guard in Windows 10.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+author: brianlic-msft
+---
+
+# Optional: Create a code signing certificate for code integrity policies
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+As you deploy code integrity policies (part of Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md).
+
+If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate:
+
+1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.
+
+2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console.
+
+ 
+
+ Figure 1. Manage the certificate templates
+
+3. In the navigation pane, right-click the Code Signing certificate, and then click **Duplicate Template**.
+
+4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list.
+
+5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **DG Catalog Signing Certificate**.
+
+6. On the **Request Handling** tab, select the **Allow private key to be exported** check box.
+
+7. On the **Extensions** tab, select the **Basic Constraints** check box, and then click **Edit**.
+
+8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2.
+
+ 
+
+ Figure 2. Select constraints on the new template
+
+9. If a certificate manager is required to approve any issued certificates, on the **Issuance Requirements** tab, select **CA certificate manager approval**.
+
+10. On the **Subject Name** tab, select **Supply in the request**.
+
+11. On the **Security** tab, verify that whatever account will be used to request the certificate has the right to enroll the certificate.
+
+12. Click **OK** to create the template, and then close the Certificate Template Console.
+
+When this certificate template has been created, you must publish it to the CA published template store. To do so, complete the following steps:
+
+1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3.
+
+ 
+
+ Figure 3. Select the new certificate template to issue
+
+ A list of available templates to issue appears, including the template you just created.
+
+2. Select the DG Catalog signing certificate, and then click **OK**.
+
+Now that the template is available to be issued, you must request one from the computer running Windows 10 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps:
+
+1. In MMC, from the **File** menu, click **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**.
+
+2. In the Certificates snap-in, right-click the Personal store folder, point to **All Tasks**, and then click **Request New Certificate**.
+
+3. Click **Next** twice to get to the certificate selection list.
+
+4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.
+
+ 
+
+ Figure 4. Get more information for your code signing certificate
+
+5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then click **Add**. When added, click **OK.**
+
+6. Enroll and finish.
+
+> **Note** If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client.
+
+This certificate must be installed in the user’s personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
+
+1. Right-click the certificate, point to **All Tasks**, and then click **Export**.
+
+2. Click **Next**, and then select **Yes, export the private key**.
+
+3. Choose the default settings, and then select **Export all extended properties**.
+
+4. Set a password, select an export path, and then select **DGCatSigningCert.pfx** as the file name.
+
+When the certificate has been exported, import it into the personal store for the user who will be signing the catalog files or code integrity policies on the specific computer that will be signing them.
+
+## Related topics
+
+- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
+
+- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
+
diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md
index 0ca5b7cbd1..abd098560f 100644
--- a/windows/keep-secure/overview-create-edp-policy.md
+++ b/windows/keep-secure/overview-create-edp-policy.md
@@ -1,6 +1,6 @@
---
title: Create an enterprise data protection (EDP) policy (Windows 10)
-description: Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
+description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.prod: w10
ms.mktglfcycl: explore
@@ -17,13 +17,14 @@ author: eross-msft
[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
+Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
## In this section
|Topic |Description |
|------|------------|
|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
-|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |Configuration Manager (version 1511 or later) helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
+|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
diff --git a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
new file mode 100644
index 0000000000..2715141f20
--- /dev/null
+++ b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
@@ -0,0 +1,56 @@
+---
+title: Planning and getting started on the Device Guard deployment process (Windows 10)
+description: To help you plan and begin the initial test stages of a deployment of Microsoft Device Guard, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+author: brianlic-msft
+---
+
+# Planning and getting started on the Device Guard deployment process
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This topic provides a roadmap for planning and getting started on the Device Guard deployment process, with links to topics that provide additional detail. Planning for Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you.
+
+**Planning**
+
+1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).
+
+2. **Group devices by degree of control needed**. Group devices according to the table in [Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
+
+3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create:
+ - How standardized is the hardware?
This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
+
+ - Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline code integrity policy.
+
+ - What software does each department or role need? Should they be able to install and run other departments’ software?
If multiple departments are allowed to run the same list of software, you might be able to merge several code integrity policies to simplify management.
+
+ - Are there departments or roles where unique, restricted software is used?
If one department needs to run an application that no other department is allowed, it might require a separate code integrity policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate code integrity policy.
+
+4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
+
+**Getting started on the deployment process**
+
+1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
+
+2. **Create code integrity policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly-distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy, and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. For more information, see:
+ - [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
+ - [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
+
+3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. For more information, see [Audit code integrity policies](deploy-code-integrity-policies-steps.md#audit-code-integrity-policies).
+
+4. **Create a “catalog file” for unsigned LOB applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. For more information, review step 4 **Identify LOB applications that are currently unsigned**, earlier in this list, and see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md). In later steps, you can merge the catalog file's signature into your code integrity policy, so that applications in the catalog will be allowed by the policy.
+
+6. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. For more information, see:
+ - [Create a code integrity policy that captures audit information from the event log](deploy-code-integrity-policies-steps.md#create-a-code-integrity-policy-that-captures-audit-information-from-the-event-log)
+ - [Merge code integrity policies](deploy-code-integrity-policies-steps.md#merge-code-integrity-policies)
+
+7. **Deploy code integrity policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of auditing mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. For more information, see:
+ - [Enforce code integrity policies](deploy-code-integrity-policies-steps.md#enforce-code-integrity-policies)
+ - [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy)
+
+8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md).
+
diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
index 4eaf0224ec..6363ce613d 100644
--- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Windows Defender Advanced Threat Protection portal overview
description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
-keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, client onboarding, advanced attacks
+keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, endpoint management, advanced attacks
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -44,12 +44,12 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
(1) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information.
-(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Client onboarding**.
+(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Endpoint Management**.
**Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
**Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
**Preferences setup**| Shows the settings you selected and lets you update your industry preferences and retention policy period.
-**Client onboarding**| Allows you to download the onboarding configuration package.
+**Endpoint Management**| Allows you to download the onboarding configuration package.
(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view.
(4) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type.
diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md
index e3da331f91..9e052274d5 100644
--- a/windows/keep-secure/protect-enterprise-data-using-edp.md
+++ b/windows/keep-secure/protect-enterprise-data-using-edp.md
@@ -27,7 +27,7 @@ You’ll need this software to run EDP in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
-|Windows 10 Insider Preview | Microsoft Intune
-OR-
System Center Configuration Manager (version 1511 or later)
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
+|Windows 10 Insider Preview | Microsoft Intune
-OR-
System Center Configuration Manager Technical Preview version 1605 or later
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
## How EDP works
EDP helps address your everyday challenges in the enterprise. Including:
@@ -60,7 +60,7 @@ EDP gives you a new way to manage data policy enforcement for apps and documents
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device.
- - **Using protected apps.** Managed apps (apps that you've included on the **Protected Apps** list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+ - **Using allowed apps.** Managed apps (apps that you've included on the protected apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps that aren’t on this list are blocked from accessing your enterprise network resources and your EDP-protected data.
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
- VT-x (Intel) or
- AMD-V
And:
- Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).
**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
+
+
+
+> **Important** The preceding table lists requirements for baseline protections. The following table lists requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
+
+## Device Guard requirements for improved security
+
+The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
+
+### 2015 Additional Qualification Requirements for Device Guard (Windows 10, version 1507 and Windows 10, version 1511)
+
+| Protections for Improved Security - requirement | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+
+## Device Guard deployment in different scenarios: types of devices
+
+Typically, deployment of Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Device Guard in your organization.
+
+| **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** |
+|------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------|
+| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.
- Code integrity policies in enforced mode, with UMCI enabled. |
+| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.
- Code integrity policies in enforced mode, with UMCI enabled. |
+| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
- Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
+| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A |
+
+## Reviewing your applications: application signing and catalog files
+
+Typically, code integrity policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a “catalog file” from the applications, sign it, and through the signed catalog file, configure the code integrity policy to recognize the applications as signed.
+
+Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your code integrity policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of your code integrity policies (compared to using catalog signing).
+
+To obtain signed applications or embed signatures in your in-house applications, you can choose from a variety of methods:
+
+- Using the Windows Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own.
+
+- Using your own digital certificate or public key infrastructure (PKI). ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers.
+
+- Using a non-Microsoft signing authority. ISV's and enterprises can use a trusted non-Microsoft signing authority to sign all of their own Classic Windows applications.
+
+To use catalog signing, you can choose from the following options:
+
+- Use the Device Guard signing portal available in the Windows Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
+
+- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Device Guard deployment, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+
+### Catalog files
+
+Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by code integrity policies in the same way as any other signed application.
+
+Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated each time an application is updated, which requires the catalog file to be updated also.
+
+After you have created and signed your catalog files, you can configure your code integrity policies to trust the signer or signing certificate of those files.
+
+> **Note** Package Inspector only works on operating systems that support Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
+
+For information about how creating catalog files fits into Device Guard deployment, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md).
+
+## Code integrity policy formats and signing
+
+When you generate a code integrity policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 Enterprise, along with restrictions on Windows 10 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file.
+
+We recommend that you keep the original XML file for use when you need to merge the code integrity policy with another policy or update its rule options. For deployment purposes, the file is converted to a binary format, which can be done using a simple Windows PowerShell command.
+
+When the code integrity policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add additional protection against administrative users changing or removing the policy.
+
+## Related topics
+
+- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
+- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
+
+
diff --git a/windows/keep-secure/security-identifiers.md b/windows/keep-secure/security-identifiers.md
new file mode 100644
index 0000000000..72f2b8e95b
--- /dev/null
+++ b/windows/keep-secure/security-identifiers.md
@@ -0,0 +1,279 @@
+---
+title: Security identifiers (Windows 10)
+description: Security identifiers
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Security identifiers
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system.
+
+## What are security identifiers?
+
+A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.
+
+Each account or group, or process running in the security context of the account, has a unique SID that is issued by an authority, such as a Windows domain controller. It is stored in a security database. The system generates the SID that identifies a particular account or group at the time the account or group is created. When a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group.
+
+Each time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user rights, and the SIDs for any groups the user belongs to. This token provides the security context for whatever actions the user performs on that computer.
+
+In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and World SIDs identify a group that includes all users. Well-known SIDs have values that remain constant across all operating systems.
+
+SIDs are a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment.
+
+The content in this topic applies to computers that are running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic.
+
+## How security identifiers work
+
+Users refer to accounts by using the account name, but the operating system internally refers to accounts and processes that run in the security context of the account by using their security identifiers (SIDs). For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope (domain or local), and they are never reused.
+
+The operating system generates a SID that identifies a particular account or group at the time the account or group is created. The SID for a local account or group is generated by the Local Security Authority (LSA) on the computer, and it is stored with other account information in a secure area of the registry. The SID for a domain account or group is generated by the domain security authority, and it is stored as an attribute of the User or Group object in Active Directory Domain Services.
+
+For every local account and group, the SID is unique for the computer where it was created. No two accounts or groups on the computer ever share the same SID. Likewise, for every domain account and group, the SID is unique within an enterprise. This means that the SID for an account or group that is created in one domain will never match the SID for an account or group created in any other domain in the enterprise.
+
+SIDs always remain unique. Security authorities never issue the same SID twice, and they never reuse SIDs for deleted accounts. For example, if a user with a user account in a Windows domain leaves her job, an administrator deletes her Active Directory account, including the SID that identifies the account. If she later returns to a different job at the same company, an administrator creates a new account, and the Windows Server operating system generates a new SID. The new SID does not match the old one; so none of the user's access from her old account is transferred to the new account. Her two accounts represent two completely different security principals.
+
+## Security identifier architecture
+
+A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
+
+
+
+The individual values of a SID are described in the following table.
+
+| Comment | Description |
+| - | - |
+| Revision | Indicates the version of the SID structure that is used in a particular SID. |
+| Identifier authority | Identifies the highest level of authority that can issue SIDs for a particular type of security principal. For example, the identifier authority value in the SID for the Everyone group is 1 (World Authority). The identifier authority value in the SID for a specific Windows Server account or group is 5 (NT Authority). |
+| Subauthorities | >Holds the most important information in a SID, which is contained in a series of one or more subauthority values. All values up to, but not including, the last value in the series collectively identify a domain in an enterprise. This part of the series is called the domain identifier. The last value in the series, which is called the relative identifier (RID), identifies a particular account or group relative to a domain. |
+
+The components of a SID are easier to visualize when SIDs are converted from a binary to a string format by using standard notation:
+```
+S-R-X-Y1-Y2-Yn-1-Yn
+```
+
+In this notation, the components of a SID are represented as shown in the following table.
+
+| Comment | Description |
+| - | - |
+| S | Indicates that the string is a SID |
+| R | Indicates the revision level |
+| X | Indicates the identifier authority value |
+| Y | Represents a series of subauthority values, where *n* is the number of values |
+
+The SID's most important information is contained in the series of subauthority values. The first part of the series (-Y1-Y2-Y*n*-1) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains, because the domain identifier differentiates SIDs that are issued by one domain from SIDs that are issued by all other domains in the enterprise. No two domains in an enterprise share the same domain identifier.
+
+The last item in the series of subauthority values (-Y*n*) is the relative identifier. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same relative identifier.
+
+For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string:
+
+```
+S-1-5-32-544
+```
+
+This SID has four components:
+
+- A revision level (1)
+
+- An identifier authority value (5, NT Authority)
+
+- A domain identifier (32, Builtin)
+
+- A relative identifier (544, Administrators)
+
+SIDs for built-in accounts and groups always have the same domain identifier value: 32. This value identifies the domain **Builtin**, which exists on every computer that is running a version of the Windows Server operating system. It is never necessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups because they are local in scope. They are local to a single computer, or in the case of domain controllers for a network domain, they are local to several computers that are acting as one.
+
+Built-in accounts and groups need to be distinguished from one another within the scope of the **Builtin** domain. Therefore, the SID for each account and group has a unique relative identifier. A relative identifier value of 544 is unique to the built-in Administrators group. No other account or group in the **Builtin** domain has a SID with a final value of 544.
+
+In another example, consider the SID for the global group, Domain Admins. Every domain in an enterprise has a Domain Admins group, and the SID for each group is different. The following example represents the SID for the Domain Admins group in the Contoso, Ltd. domain (Contoso\\Domain Admins):
+
+```
+S-1-5-21-1004336348-1177238915-682003330-512
+```
+
+The SID for Contoso\\Domain Admins has:
+
+- A revision level (1)
+
+- An identifier authority (5, NT Authority)
+
+- A domain identifier (21-1004336348-1177238915-682003330, Contoso)
+
+- A relative identifier (512, Domain Admins)
+
+The SID for Contoso\\Domain Admins is distinguished from the SIDs for other Domain Admins groups in the same enterprise by its domain identifier: 21-1004336348-1177238915-682003330. No other domain in the enterprise uses this value as its domain identifier. The SID for Contoso\\Domain Admins is distinguished from the SIDs for other accounts and groups that are created in the Contoso domain by its relative identifier, 512. No other account or group in the domain has a SID with a final value of 512.
+
+## Relative identifier allocation
+
+When accounts and groups are stored in an account database that is managed by a local Security Accounts Manager (SAM), it is fairly easy for the system to generate a unique relative identifier for each account and in a group that it creates on a stand-alone computer. The SAM on a stand-alone computer can track the relative identifier values that it has used before and make sure that it never uses them again.
+
+In a network domain, however, generating unique relative identifiers is a more complex process. Windows Server network domains can have several domain controllers. Each domain controller stores Active Directory account information. This means that, in a network domain, there are as many copies of the account database as there are domain controllers. In addition to this, every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes that are made to Active Directory on one domain controller are replicated to all other domain controllers in the domain. The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation.
+
+The process of generating unique relative identifiers is a single-master operation. One domain controller is assigned the role of relative identifier (RID) master, and it allocates a sequence of relative identifiers to each domain controller in the domain. When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a SID. The relative identifier for the new SID is taken from the domain controller's allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller requests another block from the RID master.
+
+Each domain controller uses each value in a block of relative identifiers only once. The RID master allocates each block of relative identifier values only once. This process assures that every account and group created in the domain has a unique relative identifier.
+
+## Security identifiers and globally unique identifiers
+
+When a new domain user or group account is created, Active Directory stores the account's SID in the **ObjectSID** property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise, but also across the world. GUIDs are assigned to every object that is created by Active Directory, not only User and Group objects. Each object's GUID is stored in its **ObjectGUID** property.
+
+Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object GUID produces results if the user has an account somewhere in the enterprise. In fact, searching for any object by **ObjectGUID** might be the most reliable way of finding the object you want to locate. The values of other object properties can change, but the **ObjectGUID** property never changes. When an object is assigned a GUID, it keeps that value for life.
+
+If a user moves from one domain to another, the user gets a new SID. The SID for a group object does not change because groups stay in the domain where they were created. However, if people move, their accounts can move with them. If an employee moves from North America to Europe, but stays in the same company, an administrator for the enterprise can move the employee's User object from, for example, Contoso\\NoAm to Contoso\\Europe. If the administrator does this, the User object for the account needs a new SID. The domain identifier portion of a SID that is issued in NoAm is unique to NoAm; so the SID for the user's account in Europe has a different domain identifier. The relative identifier portion of a SID is unique relative to the domain; so if the domain changes, the relative identifier also changes.
+
+When a User object moves from one domain to another, a new SID must be generated for the user account and stored in the **ObjectSID** property. Before the new value is written to the property, the previous value is copied to another property of a User object, **SIDHistory**. This property can hold multiple values. Each time a User object moves to another domain, a new SID is generated and stored in the **ObjectSID** property, and another value is added to the list of old SIDs in **SIDHistory**. When a user signs in and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user, including the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client, and they are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token (including one of the SIDs in **SIDHistory**), can allow or deny the user access.
+
+If you allow or deny users' access to a resource based on their jobs, you should allow or deny access to a group, not to an individual. That way, when users change jobs or move to other departments, you can easily adjust their access by removing them from certain groups and adding them to others.
+
+However, if you allow or deny an individual user access to resources, you probably want that user's access to remain the same no matter how many times the user's account domain changes. The **SIDHistory** property makes this possible. When a user changes domains, there is no need to change the access control list (ACL) on any resource. If an ACL has the user's old SID, but not the new one, the old SID is still in the user's access token. It is listed among the SIDs for the user's groups, and the user is granted or denied access based on the old SID.
+
+## Well-known SIDs
+
+The values of certain SIDs are constant across all systems. They are created when the operating system or domain is installed. They are called well-known SIDs because they identify generic users or generic groups.
+
+There are universal well-known SIDs that are meaningful on all secure systems that use this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows operating systems.
+
+The following table lists the universal well-known SIDs.
+
+| Value | Universal Well-Known SID | Identifies |
+| - | - | - |
+| S-1-0-0 | Null SID | A group with no members. This is often used when a SID value is not known.|
+| S-1-1-0 | World | A group that includes all users. |
+| S-1-2-0 | Local | Users who log on to terminals that are locally (physically) connected to the system. |
+| S-1-2-1 | Console Logon | A group that includes users who are logged on to the physical console. |
+| S-1-3-0 | Creator Owner ID | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs. |
+| S-1-3-1 | Creator Group ID | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs. |
+| S-1-3-2 | Creator Owner Server | |
+| S-1-3-3 | Creator Group Server | |
+| S-1-3-4 | Owner Rights | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. |
+| S-1-4 | Non-unique Authority | A SID that represents an identifier authority. |
+| S-1-5 | NT Authority | A SID that represents an identifier authority. |
+| S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.|
+
+The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the last value is used with well-known SIDs in Windows operating systems designated in the **Applies To** list.
+
+| Identifier Authority | Value | SID String Prefix |
+| - | - | - |
+| SECURITY_NULL_SID_AUTHORITY | 0 | S-1-0 |
+| SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 |
+| SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 |
+| SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 |
+
+The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
+
+| Relative Identifier Authority | Value | Identifier Authority |
+| - | - | - |
+| SECURITY_NULL_RID | 0 | S-1-0 |
+| SECURITY_WORLD_RID | 0 | S-1-1 |
+| SECURITY_LOCAL_RID | 0 | S-1-2 |
+| SECURITY_CREATOR_OWNER_RID | 0 | S-1-3 |
+| SECURITY_CREATOR_GROUP_RID | 1 | S-1-3 |
+
+The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal and are meaningful only in installations of the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. The following table lists the well-known SIDs.
+
+| SID | Display Name | Description |
+| - | - | - |
+| S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection.|
+| S-1-5-113 | Local account| You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named.|
+| S-1-5-114| Local account and member of Administrators group | You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named. |
+| S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.|
+| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.|
+| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.|
+| S-1-5-5- *X *- *Y * | Logon Session| The *X * and *Y * values for these SIDs uniquely identify a particular logon session.|
+| S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.|
+| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName *, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName * (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.|
+| S-1-5-8| Proxy| Does not currently apply: this SID is not used.|
+| S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.|
+| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.|
+| S-1-5-11 | Authenticated Users| A group that includes all users and computers with identities that have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password.
This group includes authenticated security principals from any trusted domain, not only the current domain.|
+| S-1-5-12 | Restricted Code| An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.|
+| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.|
+| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.|
+| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.|
+| S-1-5-17 | IIS_USRS| An account that is used by the default Internet Information Services (IIS) user.|
+| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.|
+| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.|
+| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.|
+| S-1-5-*domain*-500 | Administrator| A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.
The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed.
By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group.|
+| S-1-5-*domain*-501 | Guest| A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account.
By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups.
Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one.|
+| S-1-5-*domain*-502| krbtgt| A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.|
+| S-1-5-*domain*-512| Domain Admins| A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers.
Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.|
+| S-1-5-*domain*-513| Domain Users| A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.|
+| S-1-5-*domain*-514| Domain Guests| A global group, which by default, has only one member: the domain's built-in Guest account.|
+| S-1-5-*domain*-515 | Domain Computers| A global group that includes all computers that have joined the domain, excluding domain controllers.|
+| S-1-5-*domain*-516| Domain Controllers| A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.|
+| S-1-5-*domain*-517 | Cert Publishers| A global group that includes all computers that host an enterprise certification authority.
Cert Publishers are authorized to publish certificates for User objects in Active Directory.|
+| S-1-5-*root domain*-518| Schema Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.|
+| S-1-5-*root domain*-519| Enterprise Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode.
The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities.
By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest. |
+| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.
Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.|
+| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.
Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.|
+| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.|
+| Users | S-1-5-32-545| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.|
+| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.|
+| S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. |
+| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.|
+| S-1-5-32-549| Server Operators| Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.|
+| S-1-5-32-550 | Print Operators| A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.|
+| S-1-5-32-551 | Backup Operators| A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
+| S-1-5-32-552 | Replicators | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.|
+| S-1-5-64-10| NTLM Authentication| A SID that is used when the NTLM authentication package authenticated the client|
+| S-1-5-64-14 | SChannel Authentication| A SID that is used when the SChannel authentication package authenticated the client.|
+| S-1-5-64-21 | Digest Authentication| A SID that is used when the Digest authentication package authenticated the client.|
+| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.|
+| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.|
+| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). |
+| S-1-16-0| Untrusted Mandatory Level| A SID that represents an untrusted integrity level.|
+| S-1-16-4096 | Low Mandatory Level| A SID that represents a low integrity level.|
+| S-1-16-8192 | Medium Mandatory Level| This SID represents a medium integrity level.|
+| S-1-16-8448 | Medium Plus Mandatory Level| A SID that represents a medium plus integrity level.|
+| S-1-16-12288 | High Mandatory Level| A SID that represents a high integrity level.|
+| S-1-16-16384 | System Mandatory Level| A SID that represents a system integrity level.|
+| S-1-16-20480 | Protected Process Mandatory Level| A SID that represents a protected-process integrity level.|
+| S-1-16-28672 | Secure Process Mandatory Level| A SID that represents a secure process integrity level.|
+
+The following RIDs are relative to each domain.
+
+| RID | Identifies |
+| - | - |
+| DOMAIN_USER_RID_ADMIN | The administrative user account in a domain. |
+| DOMAIN_USER_RID_GUEST| The guest-user account in a domain. Users who do not have an account can automatically sign in to this account.|
+| DOMAIN_GROUP_RID_USERS | A group that contains all user accounts in a domain. All users are automatically added to this group.|
+| DOMAIN_GROUP_RID_GUESTS | The group Guest account in a domain.|
+| DOMAIN_GROUP_RID_COMPUTERS | The Domain Computer group. All computers in the domain are members of this group.|
+| DOMAIN_GROUP_RID_CONTROLLERS | The Domain Controller group. All domain controllers in the domain are members of this group.|
+| DOMAIN_GROUP_RID_CERT_ADMINS | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group.|
+| DOMAIN_GROUP_RID_SCHEMA_ADMINS | The schema administrators' group. Members of this group can modify the Active Directory schema.|
+| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.|
+| DOMAIN_GROUP_RID_POLICY_ADMINS| The policy administrators' group.|
+
+The following table provides examples of domain-relative RIDs that are used to form well-known SIDs for local groups.
+
+
+| RID | Identifies |
+| - | - |
+| DOMAIN_ALIAS_RID_ADMINS | Administrators of the domain.|
+| DOMAIN_ALIAS_RID_USERS | All users in the domain.|
+| DOMAIN_ALIAS_RID_GUESTS | Guests of the domain.|
+| DOMAIN_ALIAS_RID_POWER_USERS | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.|
+| DOMAIN_ALIAS_RID_BACKUP_OPS | A local group that is used to control the assignment of file backup-and-restore user rights.|
+| DOMAIN_ALIAS_RID_REPLICATOR | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.|
+| DOMAIN_ALIAS_RID_RAS_SERVERS | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.|
+
+## Changes in security identifier's functionality
+
+The following table describes changes in SID implementation in the Windows operating systems that are designated in the list.
+
+| Change | Operating system version | Description and resources |
+| - | - | - |
+| Most of the operating system files are owned by the TrustedInstaller security identifier (SID)| Windows Server 2008, Windows Vista| The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. |
+| Restricted SID checks are implemented| Windows Server 2008, Windows Vista| When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. |
+
+## See also
+
+- [Access Control Overview](access-control.md)
diff --git a/windows/keep-secure/security-principals.md b/windows/keep-secure/security-principals.md
new file mode 100644
index 0000000000..8bf4f7abd7
--- /dev/null
+++ b/windows/keep-secure/security-principals.md
@@ -0,0 +1,143 @@
+---
+title: Security Principals (Windows 10)
+description: Security Principals
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Security Principals
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This reference topic for the IT professional describes security principals in regards to Windows accounts and security groups, in addition to security technologies that are related to security principals.
+
+## What are security principals?
+
+
+Security principals are any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account, or the security groups for these accounts. Security principals have long been a foundation for controlling access to securable resources on Windows computers. Each security principal is represented in the operating system by a unique security identifier (SID).
+
+The following content applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic.
+
+## How security principals work
+
+
+Security principals that are created in an Active Directory domain are Active Directory objects, which can be used to manage access to domain resources. Each security principal is assigned a unique identifier, which it retains for its entire lifetime. Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are managed by the Security Accounts Manager (SAM) on the local computer.
+
+### Authorization and access control components
+
+The following diagram illustrates the Windows authorization and access control process. In this diagram, the subject (a process that is initiated by a user) attempts to access an object, such as a shared folder. The information in the user’s access token is compared to the access control entries (ACEs) in the object’s security descriptor, and the access decision is made. The SIDs of security principals are used in the user’s access token and in the ACEs in the object’s security descriptor.
+
+**Authorization and access control process**
+
+
+
+Security principals are closely related to the following components and technologies:
+
+- [Security identifiers](#bkmk-sids)
+
+- [Access tokens](#bkmk-accesstokens)
+
+- [Security descriptors and access control lists](#bkmk-sdandacls)
+
+- [Permissions](#bkmk-permissions)
+
+### Security identifiers
+
+Security identifiers (SIDs) provide a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment.
+
+A SID is a value of variable length that is used to uniquely identify a security principal that represents any entity that can be authenticated by the system. These entities include a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. Each security principal is automatically assigned a SID when it is created. The SID is stored in a security database. When a SID is used as the unique identifier for a user or group, it can never be used to identify another user or group.
+
+Each time a user signs in, the system creates an access token for that user. The access token contains the user’s SID, user rights, and the SIDs for groups that the user belongs to. This token provides the security context for whatever actions the user performs on that computer.
+
+In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and the World SIDs identify groups that includes all users. Well-known SIDs have values that remain constant across all operating systems.
+
+### Access tokens
+
+An access token is a protected object that contains information about the identity and user rights that are associated with a user account.
+
+When a user signs in interactively or tries to make a network connection to a computer running Windows, the sign-in process authenticates the user’s credentials. If authentication is successful, the process returns a SID for the user and a list of SIDs for the user’s security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token (in this case, the primary access token). This includes the SIDs that are returned by the sign-in process and a list of user rights that are assigned by the local security policy to the user and to the user’s security groups.
+
+After the LSA creates the primary access token, a copy of the access token is attached to every thread and process that executes on the user’s behalf. Whenever a thread or process interacts with a securable object or tries to perform a system task that requires user rights, the operating system checks the access token that is associated with the thread to determine the level of authorization.
+
+There are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account that is associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. Impersonation tokens, on the other hand, are usually used for client and server scenarios. Impersonation tokens enable a thread to run in a security context that differs from the security context of the process that owns the thread.
+
+### Security descriptors and access control lists
+
+A security descriptor is a data structure that is associated with each securable object. All objects in Active Directory and all securable objects on a local computer or on the network have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object’s security descriptor can contain two types of ACLs:
+
+- A discretionary access control list (DACL), which identifies the users and groups who are allowed or denied access
+
+- A system access control list (SACL), which controls how access is audited
+
+You can use this access control model to individually secure objects and attributes such as files and folders, Active Directory objects, registry keys, printers, devices, ports, services, processes, and threads. Because of this individual control, you can adjust the security of objects to meet the needs of your organization, delegate authority over objects or attributes, and create custom objects or attributes that require unique security protections to be defined.
+
+### Permissions
+
+Permissions enable the owner of each securable object, such as a file, Active Directory object, or registry key, to control who can perform an operation or a set of operations on the object or object property. Permissions are expressed in the security architecture as access control entries (ACEs). Because access to an object is at the discretion of the object’s owner, the type of access control that is used in Windows is called discretionary access control.
+
+Permissions are different from user rights in that permissions are attached to objects, and user rights apply to user accounts. Administrators can assign user rights to groups or users. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
+
+On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers.
+
+For information about which user rights are available and how they can be implemented, see [User Rights Assignment](user-rights-assignment.md).
+
+### Security context in authentication
+
+A user account enables a user to sign in to computers, networks, and domains with an identity that can be authenticated by the computer, network, or domain.
+
+In Windows, any user, service, group, or computer that can initiate action is a security principal. Security principals have accounts, which can be local to a computer or domain-based. For example, domain-joined Windows client computers can participate in a network domain by communicating with a domain controller, even when no user is signed in.
+
+To initiate communications, the computer must have an active account in the domain. Before accepting communications from the computer, the Local Security Authority on the domain controller authenticates the computer’s identity and then defines the computer’s security context just as it would for a user’s security principal.
+
+This security context defines the identity and capabilities of a user or service on a particular computer, or of a user, service, group or computer on a network. For example, it defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed by a user, service, or computer on that resource.
+
+The security context of a user or computer can vary from one computer to another, such as when a user authenticates to a server or a workstation other than the user’s primary workstation. It can also vary from one session to another, such as when an administrator modifies the user’s rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a mixed network domain, or as part of an Active Directory domain.
+
+## Accounts and security groups
+
+
+Accounts and security groups that are created in an Active Directory domain are stored in the Active Directory database and managed by using Active Directory tools. These security principals are directory objects, and they can be used to manage access to domain resources.
+
+Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are stored in and managed by the Security Accounts Manager (SAM) on the local computer.
+
+### User accounts
+
+A user account uniquely identifies a person who is using a computer system. The account signals the system to enforce the appropriate authorization to allow or deny that user access to resources. User accounts can be created in Active Directory and on local computers, and administrators use them to:
+
+- Represent, identify, and authenticate the identity of a user. A user account enables a user to sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain.
+
+- Authorize (grant or deny) access to resources. After a user has been authenticated, the user is authorized access to resources based on the permissions that are assigned to that user for the resource.
+
+- Audit the actions that are carried out on a user account.
+
+Windows and the Windows Server operating systems have built-in user accounts, or you can create user accounts to meet the requirements of your organization.
+
+### Security groups
+
+A security group is a collection of user accounts, computer accounts, and other groups of accounts that can be managed as a single unit from a security perspective. In Windows operating systems, there are several built-in security groups that are preconfigured with the appropriate rights and permissions for performing specific tasks. Additionally, you can (and, typically, will) create a security group for each unique combination of security requirements that applies to multiple users in your organization.
+
+Groups can be Active Directory-based or local to a particular computer:
+
+- Active Directory security groups are used to manage rights and permissions to domain resources.
+
+- Local groups exist in the SAM database on local computers (on all Windows-based computers) except domain controllers. You use local groups to manage rights and permissions only to resources on the local computer.
+
+By using security groups to manage access control, you can:
+
+- Simplify administration. You can assign a common set of rights, a common set of permissions, or both to many accounts at one time, rather than assigning them to each account individually. Also, when users transfer jobs or leave the organization, permissions are not tied to their user accounts, making permission reassignment or removal easier.
+
+- Implement a role-based access-control model. You can use this model to grant permissions by using groups with different scopes for appropriate purposes. Scopes that are available in Windows include local, global, domain local, and universal.
+
+- Minimize the size of access control lists (ACLs) and speed security checking. A security group has its own SID; therefore, the group SID can be used to specify permissions for a resource. In an environment with more than a few thousand users, if the SIDs of individual user accounts are used to specify access to a resource, the ACL of that resource can become unmanageably large, and the time that is needed for the system to check permissions to the resource can become unacceptable.
+
+For descriptions and settings information about the domain security groups that are defined in Active Directory, see [Active Directory Security Groups](active-directory-security-groups.md).
+
+For descriptions and settings information about the Special Identities group, see [Special Identities](special-identities.md).
+
+## See also
+
+- [Access Control Overview](access-control.md)
\ No newline at end of file
diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md
index 19a6af38ba..8bd5183126 100644
--- a/windows/keep-secure/security-technologies.md
+++ b/windows/keep-secure/security-technologies.md
@@ -15,6 +15,7 @@ Learn more about the different security technologies that are available in Windo
| Topic | Description |
|-|-|
+| [Access control](access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
| [AppLocker](applocker-overview.md)| This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.|
| [BitLocker](bitlocker-overview.md)| This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.|
| [Encrypted Hard Drive](encrypted-hard-drive.md) | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
diff --git a/windows/keep-secure/service-accounts.md b/windows/keep-secure/service-accounts.md
new file mode 100644
index 0000000000..e326562c98
--- /dev/null
+++ b/windows/keep-secure/service-accounts.md
@@ -0,0 +1,109 @@
+---
+title: Service Accounts (Windows 10)
+description: Service Accounts
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Service Accounts
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This topic for the IT professional explains group and standalone managed service accounts, and the computer-specific virtual computer account, and it points to resources about these service accounts.
+
+## Overview
+
+
+A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service's ability to access local and network resources. The Windows operating systems rely on services to run various features. These services can be configured through the applications, the Services snap-in, or Task Manager, or by using Windows PowerShell.
+
+This topic contains information about the following types of service accounts:
+
+- [Standalone managed service accounts](#bkmk-standalonemanagedserviceaccounts)
+
+- [Group managed service accounts](#bkmk-groupmanagedserviceaccounts)
+
+- [Virtual accounts](#bkmk-virtualserviceaccounts)
+
+### Standalone managed service accounts
+
+A managed service account is designed to isolate domain accounts in crucial applications, such as Internet Information Services (IIS), and eliminate the need for an administrator to manually administer the service principal name (SPN) and credentials for the accounts.
+
+To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group managed service account. For more information, see [Group Managed Service Accounts Overview](https://technet.microsoft.com/library/hh831782(v=ws.11).aspx).
+
+In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts:
+
+- You can create a class of domain accounts that can be used to manage and maintain services on local computers.
+
+- Unlike domain accounts in which administrators must reset manually passwords, the network passwords for these accounts are automatically reset.
+
+- You do not have to complete complex SPN management tasks to use managed service accounts.
+
+- Administrative tasks for managed service accounts can be delegated to non-administrators.
+
+### Software requirements
+
+Managed service accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic.
+
+### Group managed service accounts
+
+Group managed service accounts are an extension of the standalone managed service accounts, which were introduced in Windows Server 2008 R2. These are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management, including delegation of management to other administrators.
+
+The group managed service account provides the same functionality as a standalone managed service account within the domain, but it extends that functionality over multiple servers. When connecting to a service that is hosted on a server farm, such as Network Load Balancing, the authentication protocols that support mutual authentication require all instances of the services to use the same principal. When group managed service accounts are used as service principals, the Windows Server operating system manages the password for the account instead of relying on the administrator to manage the password.
+
+The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key or a specific key with a key identifier for an Active Directory account. This service was introduced in Windows Server 2012, and it does not run on previous versions of the Windows Server operating system. The Key Distribution Service shares a secret, which is used to create keys for the account. These keys are periodically changed. For a group managed service account, the domain controller computes the password on the key that is provided by the Key Distribution Services, in addition to other attributes of the group managed service account.
+
+### Practical applications
+
+Group managed service accounts provide a single identity solution for services running on a server farm, or on systems that use Network Load Balancing. By providing a group managed service account solution, services can be configured for the group managed service account principal, and the password management is handled by the operating system.
+
+By using a group managed service account, services or service administrators do not need to manage password synchronization between service instances. The group managed service account supports hosts that are kept offline for an extended time period and the management of member hosts for all instances of a service. This means that you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting.
+
+Failover clusters do not support group managed service account s. However, services that run on top of the Cluster service can use a group managed service account or a standalone managed service account if they are a Windows service, an App pool, a scheduled task, or if they natively support group managed service account or standalone managed service accounts.
+
+### Software requirements
+
+Group managed service accounts can only be configured and administered on computers running at least Windows Server 2012, but they can be deployed as a single service identity solution in domains that still have domain controllers running operating systems earlier than Windows Server 2012. There are no domain or forest functional level requirements.
+
+A 64-bit architecture is required to run the Windows PowerShell commands that are used to administer group managed service accounts.
+
+A managed service account is dependent on encryption types supported by Kerberos. When a client computer authenticates to a server by using Kerberos protocol, the domain controller creates a Kerberos service ticket that is protected with encryption that the domain controller and the server support. The domain controller uses the account’s **msDS-SupportedEncryptionTypes** attribute to determine what encryption the server supports, and if there is no attribute, it assumes that the client computer does not support stronger encryption types. The Advanced Encryption Standard (AES) should always be explicitly configured for managed service accounts. If computers that host the managed service account are configured to not support RC4, authentication will always fail.
+
+**Note**
+Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For more information about supported encryption types, see [Changes in Kerberos Authentication](http://technet.microsoft.com/library/dd560670(WS.10).aspx).
+
+
+
+Group managed service accounts are not applicable in Windows operating systems prior to Windows Server 2012.
+
+### Virtual accounts
+
+Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7, and are managed local accounts that provide the following features to simplify service administration:
+
+- The virtual account is automatically managed.
+
+- The virtual account can access the network in a domain environment.
+
+- No password management is required. For example, if the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2, a virtual account that uses the instance name as the service name is established in the format NT SERVICE\\<SERVICENAME>.
+
+Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain\_name>\\<computer\_name>$.
+
+For information about how to configure and use virtual service accounts, see [Service Accounts Step-by-Step Guide](http://technet.microsoft.com/library/dd548356.aspx).
+
+### Software requirements
+
+Virtual accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic.
+
+## See also
+
+
+The following table provides links to additional resources that are related to standalone managed service accounts, group managed service accounts, and virtual accounts.
+
+| Content type | References |
+|---------------|-------------|
+| **Product evaluation** | [What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx)
[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx) |
+| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) |
+| **Related technologies** | [Security Principals](security-principals.md)
[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) |
\ No newline at end of file
diff --git a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index fb5e5d5cbf..0000000000
--- a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,121 +0,0 @@
----
-title: Windows Defender ATP service onboarding
-description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal.
-keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding, manage users,
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
----
-
-# Windows Defender ATP service onboarding
-
-**Applies to:**
-
-- Windows 10 Insider Preview Build 14332 or later
-- Azure Active Directory
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-You have to assign users to the Windows Defender ATP Service application in Azure Active Directory (AAD) before they can access the portal.
-
-**Manage user access to the Windows Defender ATP portal**:
-
-1. When you first go to the [Windows Defender ATP portal](https://securitycenter.windows.com/) and your directory does not
- have users assigned to the Windows ATP Service application, you will
- be directed to open the [Microsoft Azure Dashboard](https://portal.azure.com) to manage user access.
-
- > **Note** In AAD, a directory is essentially a tenant. See the [Azure AD documentation](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx) for more information on how tenants work with AAD.
-
-2. Ensure you have logged in to Microsoft Azure with an account that
- has permissions to assign users to an application in AAD. You might
- need to sign out of Microsoft Azure and then sign back in again if
- you used a different account to sign in to the Windows Defender ATP
- portal:
-
- a. On the top menu, click the signed-in user’s name.
-
- b. Click **Sign out**.
-
- 
-
- c. Go the [Microsoft Azure Dashboard](https://portal.azure.com) again where you will be asked to sign in.
-
- d. Sign in with the correct user name and password for an account that has permissions to assign users in AAD.
-
-3. On the **Microsoft Azure Dashboard**, click **Browse** in the navigation pane and then click **Active Directory** to open the [Azure Management Portal](https://manage.windowsazure.com/).
-
- 
-
-4. You might need to open the **Directory** section of the [Azure Management Portal](https://manage.windowsazure.com/) so you can access your directory. There are two ways you can do this:
-
- a. Click the arrow icon above the list of directories to see the full list of directories in the main area of the portal.
-
- 
-
- b. Scroll down in the navigation pane and click **Active Directory**.
-
- 
-
-5. Click the directory that contains the Windows Defender ATP application. In the following example, the directory is
- called **Contoso**.
-
- 
-
- > **Note** You can also access your directory by going straight to the [Azure Management Portal](https://manage.windowsazure.com/), clicking Active Directory and then finding your directory in the list.
-
-6. Click **Applications** from the top menu bar.
-
- 
-
-7. Click the **Windows ATP Service** application. The dashboard for the application is shown.
-
- 
-
- > **Note** The application might have a slightly different name than the one shown here. It might be called **Windows Defender ATP Service**.
-
-8. Click **Users** from the top menu bar. A list of users that are in the directory is displayed.
-
- 
-
- 
-
- > **Note** If you do not normally work with AAD, you might not see any users in the directory, or we might have created a test tenant specifically for a single user’s account. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section for instructions on adding users to a directory.
-
-9. Select the user you want manage.
-
-10. Click **Assign**.
-
-11. Confirm that you want to enable access for the user from the notification bar. If you click **Yes**, the user is given access to the Windows Defender ATP portal. One or more progress bars will appear that indicates the user is being assigned a role, and you will see confirmation messages. You don’t need to do anything with the messages, they will go away after a short period of time.
-
- 
-
-12. To remove the user's access, click **Remove**.
-
-13. Select the **Disable access to this app for the selected users** checkbox, and then click **Complete** . One or more progress bars will appear, followed by confirmation messages. The messages will disappear after a short period.
-
- 
-
-14. To remove the access for all users, click **Manage access**. If you click **Complete** , you will not see the Windows ATP Service in the list of applications in your directory.
-
- > **Note** If you want to give access to users again, see the Manage access for all users in Azure Active Directory topic in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
-
-15. You can continue assigning roles for other users in your organization now, or you can return to the Windows Defender ATP portal to complete the service onboarding wizard.
-
- > **Note** You need to assign roles for every user in your organization that requires access to the Windows Defender ATP portal. You can assign roles at any time by going to the Azure Management Portal, clicking **Active Directory**, and then finding your directory in the list and following the steps above.
-
-When you have finished assigning roles, return to the [Windows Defender ATP portal](https://securitycenter.windows.com) and refresh the
-page.
-
-Follow the steps in the onboarding wizard to complete the onboarding process.
-
-At the end of the wizard, you can download the Group Policy configuration package which you will use to configure endpoints on your network. You can also download the package from the **Client onboarding** menu on the portal after you have completed the onboarding wizard.
-
-## Related topics
-- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
-- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
-- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/special-identities.md b/windows/keep-secure/special-identities.md
new file mode 100644
index 0000000000..2e3aa71e3e
--- /dev/null
+++ b/windows/keep-secure/special-identities.md
@@ -0,0 +1,1011 @@
+---
+title: Special Identities (Windows 10)
+description: Special Identities
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Special Identities
+
+**Applies to**
+- Windows Server 2016
+
+This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.
+
+Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can:
+
+- Assign user rights to security groups in Active Directory.
+
+- Assign permissions to security groups for the purpose of accessing resources.
+
+Servers that are running the supported Windows Server operating systems designated in the **Applies To** list at the beginning of this topic include several special identity groups. These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances.
+
+Although the special identity groups can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to special identity groups. Users are automatically assigned to these special identity groups whenever they sign in or access a particular resource.
+
+For information about security groups and group scope, see [Active Directory Security Groups](active-directory-security-groups.md).
+
+The special identity groups are described in the following tables.
+
+- [Anonymous Logon](#bkmk-anonymouslogon)
+
+- [Authenticated User](#bkmk-authenticateduser)
+
+- [Batch](#bkmk-batch)
+
+- [Creator Group](#bkmk-creatorgroup)
+
+- [Creator Owner](#bkmk-creatorowner)
+
+- [Dialup](#bkmk-dialup)
+
+- [Digest Authentication](#bkmk-digestauth)
+
+- [Enterprise Domain Controllers](#bkmk-entdcs)
+
+- [Everyone](#bkmk-everyone)
+
+- [Interactive](#bkmk-interactive)
+
+- [Local Service](#bkmk-localservice)
+
+- [LocalSystem](#bkmk-localsystem)
+
+- [Network](#bkmk-network)
+
+- [Network Service](#bkmk-networkservice)
+
+- [NTLM Authentication](#bkmk-ntlmauth)
+
+- [Other Organization](#bkmk-otherorganization)
+
+- [Principal Self](#bkmk-principalself)
+
+- [Remote Interactive Logon](#bkmk-remoteinteractivelogon)
+
+- [Restricted](#bkmk-restrictedcode)
+
+- [SChannel Authentication](#bkmk-schannelauth)
+
+- [Service](#bkmk-service)
+
+- [Terminal Server User](#bkmk-terminalserveruser)
+
+- [This Organization](#bkmk-thisorg)
+
+- [Window Manager\\Window Manager Group](#bkmk-windowmanager)
+
+## Anonymous Logon
+
+
+Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default.
+
+
+
+
+
+
+## Authenticated Users
+
+
+Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Batch
+
+
+Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Creator Group
+
+
+The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory.
+
+A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Creator Owner
+
+
+The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Dialup
+
+
+Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Digest Authentication
+
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Enterprise Domain Controllers
+
+
+This group includes all domain controllers in an Active Directory forest. Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Everyone
+
+
+All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
+
+On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed).
+
+Membership is controlled by the operating system.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Interactive
+
+
+Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Local Service
+
+
+The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## LocalSystem
+
+
+This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Network
+
+
+This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Network Service
+
+
+The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## NTLM Authentication
+
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Other Organization
+
+
+This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Principal Self
+
+
+This identify is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Remote Interactive Logon
+
+
+This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Restricted
+
+
+Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user’s access token.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## SChannel Authentication
+
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Service
+
+
+Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Terminal Server User
+
+
+Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system.
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## This Organization
+
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Window Manager\\Window Manager Group
+
+
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+## See also
+
+- [Active Directory Security Groups](active-directory-security-groups.md)
+
+- [Security Principals](security-principals.md)
+
+- [Access Control Overview](access-control.md)
\ No newline at end of file
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 7db942d7ba..6cbed263b3 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -55,6 +55,29 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection
If the **OnboardingState** value is not set to **1**, you can use Event Viewer to review errors on the endpoint.
+If you configured your endpoints with a deployment tool that required a script, you can check the event viewer for the onboarding script results.
+
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+**Check the result of the script**:
+
+1. Click **Start**, type **Event Viewer**, and press **Enter**.
+
+2. Go to **Windows Logs** > **Application**.
+
+3. Look for an event from **WDATPOnboarding** event source.
+
+If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.
+> **Note** The following event IDs are specific to the onboarding script only.
+
+Event ID | Error Type | Resolution steps
+:---|:---|:---
+5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```
+10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```. Verify that the script was ran as an administrator.
+15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
+30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+
+
**Use Event Viewer to identify and adress onboarding errors**:
1. Click **Start**, type **Event Viewer**, and press **Enter**.
@@ -76,9 +99,10 @@ If the **OnboardingState** value is not set to **1**, you can use Event Viewer t
Event ID | Message | Resolution steps
:---|:---|:---
5 | Windows Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
-6 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
-7 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then [run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
+6 | Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
+7 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
15 | Windows Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
### Ensure the Windows Defender ATP service is enabled
@@ -104,7 +128,7 @@ If the the service is running, then the result should look like the following sc
-If the service **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+If the service ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start.
**Change the Windows Defender ATP service startup type from the command line:**
@@ -192,7 +216,7 @@ If the service is enabled, then the result should look like the following screen
-If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+If the ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start.
@@ -330,6 +354,55 @@ To ensure that sensor has service connectivity, follow the steps described in th
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
+## Troubleshoot onboarding issues using Microsoft Intune
+You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
+
+Use the following tables to understand the possible causes of issues while onboarding:
+
+- Microsoft Intune error codes and OMA-URIs table
+- Known issues with non-compliance table
+- Mobile Device Management (MDM) event logs table
+
+If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint Management** section of the portal, and run it in an elevated command prompt.
+
+**Microsoft Intune error codes and OMA-URIs**:
+
+Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
+:---|:---|:---|:---|:---
+0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [Ensure the endpoint is onboarded successfully](#ensure-the-endpoint-is-onboarded-successfully) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+ | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
If it doesn't exist, open an elevated command and add the key.
+ | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+ | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported.
+ 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
+
+
+**Known issues with non-compliance**
+
+The following table provides information on issues with non-compliance and how you can address the issues.
+
+Case | Symptoms | Possible cause and troubleshooting steps
+:---|:---|:---
+1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.
**Troubleshooting steps:** Wait for OOBE to complete.
+2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.
**Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
+3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time.
+
+
+**Mobile Device Management (MDM) event logs**
+
+View the MDM event logs to troubleshoot issues that might arise during onboarding:
+
+Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
+
+Channel name: Admin
+
+ID | Severity | Event description | Description
+:---|:---|:---|:---
+1801 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Get Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3) | Windows Defender ATP has failed to get specific node's value.
TokenName: Contains node name that caused the error.
Result: Error details.
+1802 | Information | Windows Defender Advanced Threat Protection CSP: Get Node's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3) | Windows Defender ATP has completed to get specific node's value.
TokenName: Contains node name
Result: Error details or succeeded.
+1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ATP has completed to get specific node's value.
TokenName: Contains node name that caused the error
Result: Error details.
+1820 | Information | Windows Defender Advanced Threat Protection CSP: Set Nod's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ATP has completed to get specific node's value.
TokenName: Contains node name
Result: Error details or succeeded.
+
+
## Related topics
-
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
-- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
+
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
new file mode 100644
index 0000000000..e81dff792a
--- /dev/null
+++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
@@ -0,0 +1,43 @@
+---
+title: Use PowerShell cmdlets to configure and run Windows Defender in Windows 10
+description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender.
+keywords: scan, command line, mpcmdrun, defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Use PowerShell cmdlets to configure and run Windows Defender
+
+**Applies to:**
+
+- Windows 10
+
+You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx).
+
+For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) topic.
+
+PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
+
+> **Note:** PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
+
+PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
+
+
+**Use Windows Defender PowerShell cmdlets**
+
+1. Click **Start**, type **powershell**, and press **Enter**.
+2. Click **Windows PowerShell** to open the interface.
+ > **Note:** You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+3. Enter the command and parameters.
+
+To open online help for any of the cmdlets type the following:
+
+```text
+Get-Help
-
-
-
-
-
-The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
-
-### Distribute apps
-
-For online-licensed apps, there are a couple of ways to distribute apps from your inventory:
-
-- Assign apps to people in your organization.
-
-- Add apps to your private store, and let people in your organization install the app.
-
-If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md).
-
-Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
-
-**To make an app in inventory available in your private store**
-
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
-2. Click **Manage**, and then choose **Inventory**.
-3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
-4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
-
-The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
-
-Employees can claim apps that admins added to the private store by doing the following.
-
-**To claim an app from the private store**
-
-1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
-2. Click the private store tab.
-3. Click the app you want to install, and then click **Install**.
-
-Another way to distribute apps is by assigning them to people in your organization.
-
-If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store.
-
-**To remove an app from the private store**
-
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
-2. Click **Manage**, and then choose **Inventory**.
-3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**.
-
-The app will still be in your inventory, but your employees will not have access to the app from your private store.
-
-**To assign an app to an employee**
-
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
-2. Click **Manage**, and then choose **Inventory**.
-3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
-4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
-
-Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
-
-### Manage app licenses
-
-For each app in your inventory, you can view and manage license details. This give you another way to assign apps to people in your organization. It also allows you to reclaim app licenses after they've been assigned to people, or claimed by people in your organization.
-
-**To view license details**
-
-1. Sign in to [Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=691845)
-
-2. Click **Manage**, and then choose **Inventory**.
-
-3. Click the ellipses for and app, and then choose **View license details**.
-
- 
-
- You'll see the names of people in your organization who have installed the app and are using one of the licenses.
-
- 
-
- On **Assigned licenses**, you can do several things:
-
- - Assign the app to other people in your organization.
-
- - Reclaim app licenses.
-
- - View app details.
-
- - Add the app to your private store, if it is not in the private store.
-
- You can assign the app to more people in your organization, or reclaim licenses.
-
- **To assign an app to more people**
-
- - Click Assign to people, type the email address for the employee that you're assigning the app to, and click **Assign**.
-
- 
-
- Store for Business updates the list of assigned licenses.
-
- **To reclaim licenses**
-
- - Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**.
-
- 
-
- Store for Business updates the list of assigned licenses.
-
-### Download offline-licensed app
-
-Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store.
-
-You can download offline-licensed apps from your inventory. You'll need to download these items:
-
-- App metadata
-
-- App package
-
-- App license
-
-- App framework
-
-For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model).
-
-For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
-
-
-
-
-
-
-
-
-
diff --git a/windows/manage/app-inventory-management-windows-store-for-business.md b/windows/manage/app-inventory-management-windows-store-for-business.md
new file mode 100644
index 0000000000..11ddab7ae7
--- /dev/null
+++ b/windows/manage/app-inventory-management-windows-store-for-business.md
@@ -0,0 +1,223 @@
+---
+title: App inventory management for Windows Store for Business (Windows 10)
+description: You can manage all apps that you've acquired on your Inventory page.
+ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: store
+author: TrudyHa
+---
+
+# App inventory management for Windows Store for Business
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+You can manage all apps that you've acquired on your **Inventory** page.
+
+The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md).
+
+All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.
+
+
+
+Store for Business shows this info for each app in your inventory:
+
+- Name
+
+- Access to actions for the app
+
+- Last modified date
+
+- Supported devices
+
+- Private store status
+
+### Find apps in your inventory
+
+There are a couple of ways to find specific apps, or groups of apps in your inventory.
+
+**Search** - Use the Search box to search for an app.
+
+**Refine** - Use **Refine** to scope your list of apps by one or more of these app attributes:
+
+- **License** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model).
+
+- **Platforms** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory.
+
+- **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps.
+
+- **Private store** - **In private store**, or **Not in private store**, depending on whether or not you've added the app to your private store.
+
+### Manage apps in your inventory
+
+Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table.
+
+
-
-
-
-Action
-Online-licensed app
-Offline-licensed app
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
+
+### Distribute apps
+
+For online-licensed apps, there are a couple of ways to distribute apps from your inventory:
+
+- Assign apps to people in your organization.
+
+- Add apps to your private store, and let people in your organization install the app.
+
+If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md).
+
+Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
+
+**To make an app in inventory available in your private store**
+
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
+4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
+
+The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
+
+Employees can claim apps that admins added to the private store by doing the following.
+
+**To claim an app from the private store**
+
+1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
+2. Click the private store tab.
+3. Click the app you want to install, and then click **Install**.
+
+Another way to distribute apps is by assigning them to people in your organization.
+
+If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store.
+
+**To remove an app from the private store**
+
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**.
+
+The app will still be in your inventory, but your employees will not have access to the app from your private store.
+
+**To assign an app to an employee**
+
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
+4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
+
+Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
+
+### Manage app licenses
+
+For each app in your inventory, you can view and manage license details. This give you another way to assign apps to people in your organization. It also allows you to reclaim app licenses after they've been assigned to people, or claimed by people in your organization.
+
+**To view license details**
+
+1. Sign in to [Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=691845)
+
+2. Click **Manage**, and then choose **Inventory**.
+
+3. Click the ellipses for an app, and then choose **View license details**.
+
+ 
+
+ You'll see the names of people in your organization who have installed the app and are using one of the licenses.
+
+ 
+
+ On **Assigned licenses**, you can do several things:
+
+ - Assign the app to other people in your organization.
+
+ - Reclaim app licenses.
+
+ - View app details.
+
+ - Add the app to your private store, if it is not in the private store.
+
+ You can assign the app to more people in your organization, or reclaim licenses.
+
+ **To assign an app to more people**
+
+ - Click **Assign to people**, type the email address for the employee that you're assigning the app to, and click **Assign**.
+
+ 
+
+ Store for Business updates the list of assigned licenses.
+
+ **To reclaim licenses**
+
+ - Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**.
+
+ 
+
+ Store for Business updates the list of assigned licenses.
+
+### Download offline-licensed app
+
+Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store.
+
+You can download offline-licensed apps from your inventory. You'll need to download these items:
+
+- App metadata
+
+- App package
+
+- App license
+
+- App framework
+
+For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model).
+
+For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
\ No newline at end of file
diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md
index dec7d4ca5f..f74b81160c 100644
--- a/windows/manage/apps-in-windows-store-for-business.md
+++ b/windows/manage/apps-in-windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Apps in Windows Store for Business
@@ -50,7 +51,7 @@ Apps that you acquire from the Store for Business only work on Windows 10-based
Some apps are free, and some apps charge a price. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
-Some apps which are available to consumers in the Windows Store might not be available to organizations in the Windows Store for Business. App developers can opt-out their apps, and they also need to meet eligibility requirements for Windows Store for Business. For more information, read this info on [Organizational licensing options](https://msdn.microsoft.com/en-us/windows/uwp/publish/organizational-licensing).
+Some apps which are available to consumers in the Windows Store might not be available to organizations in the Windows Store for Business. App developers can opt-out their apps, and they also need to meet eligibility requirements for Windows Store for Business. For more information, read this info on [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
**Note**
+
+
+
+Action
+Online-licensed app
+Offline-licensed app
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
We are still setting up the catalog of apps for Windows Store for Business. If you are searching for an app and it isn’t available, please check again in a couple of days.
diff --git a/windows/manage/assign-apps-to-employees.md b/windows/manage/assign-apps-to-employees.md
index adf354a31f..a329393689 100644
--- a/windows/manage/assign-apps-to-employees.md
+++ b/windows/manage/assign-apps-to-employees.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Assign apps to employees
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index 603af6fbde..fe90ebb58f 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -12,6 +12,12 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## July 2016
+
+| New or changed topic | Description |
+| ---|---|
+| [Windows 10 servicing options](introduction-to-windows-10-servicing.md) | Added detailed content on servicing branches, moved from [Windows 10 servicing overview](../plan/windows-10-servicing-options.md). |
+
## June 2016
| New or changed topic | Description |
diff --git a/windows/manage/configure-mdm-provider-windows-store-for-business.md b/windows/manage/configure-mdm-provider-windows-store-for-business.md
index e621a59e02..d4c07de29f 100644
--- a/windows/manage/configure-mdm-provider-windows-store-for-business.md
+++ b/windows/manage/configure-mdm-provider-windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Configure an MDM provider
diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
index 66f10dbf1e..377c8066cf 100644
--- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
+++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
@@ -1,6 +1,6 @@
---
title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services
+redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services
---
# Configure Windows 10 devices to stop data flow to Microsoft
diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md
index 1d4f6b116f..cc2eed1788 100644
--- a/windows/manage/configure-windows-telemetry-in-your-organization.md
+++ b/windows/manage/configure-windows-telemetry-in-your-organization.md
@@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
+localizationpriority: high
author: brianlic-msft
---
@@ -17,34 +18,117 @@ author: brianlic-msft
- Windows 10 Mobile
- Windows Server 2016 Technical Preview
-Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services.
+At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating system’s development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how.
->**Note:** This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server.
+To frame a discussion about telemetry, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows telemetry system in the following ways:
-It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers.
+- **Control.** We offer customers control of the telemetry they share with us by providing easy-to-use management tools.
+- **Transparency.** We provide information about the telemetry that Windows and Windows Server collects so our customers can make informed decisions.
+- **Security.** We encrypt telemetry in transit from your device and protect that data at our secure data centers.
+- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
+- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows telemetry system. Customer content inadvertently collected is kept confidential and not used for user targeting.
+- **Benefits to you.** We collect Windows telemetry to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all of our customers.
-We understand that the privacy and security of our customers’ information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016.
+This article applies to Windows and Windows Server telemetry only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, telemetry controls, and so on. This article describes the types of telemetry we may gather, the ways you might manage it in your organization, and some examples of how telemetry can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
+
+
+Use this article to make informed decisions about how you might configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
## Overview
-In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using Settings > Privacy, Group Policy, or MDM.
-
-Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers.
-
-Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers.
+In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM.
For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
+## Understanding Windows telemetry
+
+Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
+
+The release cadence of Windows may be fast, so feedback is critical to its success. We rely on telemetry at each stage of the process to inform our decisions and prioritize our efforts.
+
+### What is Windows telemetry?
+Windows telemetry is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
+
+- Keep Windows up to date
+- Keep Windows secure, reliable, and performant
+- Improve Windows – through the aggregate analysis of the use of Windows
+- Personalize Windows engagement surfaces
+
+Here are some specific examples of Windows telemetry data:
+
+- Type of hardware being used
+- Applications installed and usage details
+- Reliability information on device drivers
+
+### What is NOT telemetry?
+
+Telemetry can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not telemetry. For example, exchanging a user’s location for local weather or news is not an example of telemetry—it is functional data that the app or service requires to satisfy the user’s request.
+
+There are subtle differences between telemetry and functional data. Windows collects and sends telemetry in the background automatically. You can control how much information is gathered by setting the telemetry level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
+
+If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+
+The following are specific examples of functional data:
+
+- Current location for weather
+- Bing searches
+- Wallpaper and desktop settings synced across multiple devices
+
+### Telemetry gives users a voice
+
+Windows and Windows Server telemetry gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
+
+### Drive higher app and driver quality
+
+Our ability to collect telemetry that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Telemetry helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
+
+A real-world example of how Windows telemetry helps us quickly identify and fix issues is a particular version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
+
+### Improve end-user productivity
+
+Windows telemetry also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
+
+- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
+- **Cortana.** We use telemetry to monitor the scalability of our cloud service, improving search performance.
+- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later telemetry showed significantly higher usage of this feature.
+
+**These examples show how the use of telemetry data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
+
+
+### Insights into your own organization
+
+Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Windows 10 Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md).
+
+#### Windows 10 Upgrade Analytics
+
+Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
+
+To better help customers through this difficult process, Microsoft developed Upgrade Analytics to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
+
+With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
+
+Use Upgrade Analytics to get:
+
+- A visual workflow that guides you from pilot to production
+- Detailed computer, driver, and application inventory
+- Powerful computer level search and drill-downs
+- Guidance and insights into application and driver compatibility issues with suggested fixes
+- Data driven application rationalization tools
+- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
+- Data export to commonly used software deployment tools
+
+The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
+
## How is telemetry data handled by Microsoft?
### Data collection
-Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
+Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings.
-4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft and uses certificate pinning.
+4. The Connected User Experience and Telemetry component transmits the telemetry data.
Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
@@ -56,21 +140,21 @@ All telemetry data is encrypted using SSL and uses certificate pinning during tr
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
-The Connected User Experience and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com.
+The following table defines the endpoints for telemetry services:
-The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information.
-
-[Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) connects to watson.telemetry.microsoft.com.
-
-[Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) connects to oca.telemetry.microsoft.com.
+| Service | Endpoint |
+| - | - |
+| Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com
settings-win.data.microsoft.com |
+| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
+| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
### Data use and access
-Data gathered from telemetry is used by Microsoft teams primarily to improve our customer experiences, and for security, health, quality, and performance analysis. The principle of least privileged guides access to telemetry data. Only Microsoft personnel with a valid business need are permitted access to the telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the Privacy Statement. We do share business reports with OEMs and third party partners that include aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+The principle of least privileged access guides access to telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). Microsoft may share business reports with OEMs and third party partners that include aggregated and anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
-Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Store purchase history.
+Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Windows Store purchase history.
## Telemetry levels
@@ -81,21 +165,22 @@ The telemetry data is categorized into four levels:
- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
-- **Basic**. Basic device info, including: quality-related data, app compat, app usage data, and data from the **Security** level.
+- **Basic**. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the **Security** level.
- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
-The levels are cumulative and are illustrated in the following diagram. These levels apply to all editions of Windows Server 2016 Technical Preview.
+The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016 Technical Preview.
### Security level
-The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions.
+The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions.
-> **Note:** If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
+> [!NOTE]
+> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered.
@@ -103,18 +188,19 @@ Windows Server Update Services (WSUS) and System Center Configuration Manager fu
The data gathered at this level includes:
-- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
+- **Connected User Experience and Telemetry component settings**. If general telemetry data has been gathered and is queued, it is sent to Microsoft. Along with this telemetry, the Connected User Experience and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experience and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
- >**Note:** You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
+ > [!NOTE]
+ > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
- **Note**
- This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
+ > [!NOTE]
+ > This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
@@ -126,11 +212,11 @@ No user content, such as user files or communications, is gathered at the **Secu
### Basic level
-The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
+The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
The data gathered at this level includes:
-- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview instances in the ecosystem, including:
+- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview in the ecosystem. Examples include:
- Device attributes, such as camera resolution and display type
@@ -156,7 +242,7 @@ The data gathered at this level includes:
- **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
- - **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started
+ - **App usage data**. Includes how an app is used, including how long an app is used, when the app has focus, and when the app is started
- **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
@@ -166,13 +252,13 @@ The data gathered at this level includes:
- **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
-- **Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
+- **Windows Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
### Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
-This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
+This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
The data gathered at this level includes:
@@ -202,15 +288,25 @@ However, before more data is gathered, Microsoft’s privacy governance team, in
- All crash dump types, including heap dumps and full dumps.
+## Enterprise management
+
+Sharing telemetry data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the telemetry level and managing specific components is the best option.
+
+Customers can set the telemetry level in both the user interface and with existing management tools. Users can change the telemetry level in the **Diagnostic and usage data** setting. In the Settings app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available.
+
+IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a telemetry level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security telemetry level is available when managing the policy. Setting the telemetry level through policy overrides users’ choices. The remainder of this section describes how to do that.
+
+
### Manage your telemetry settings
We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
->**Important:** These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
+> [!IMPORTANT]
+> These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
-The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced.**
+The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced**.
### Configure the operating system telemetry level
@@ -218,14 +314,13 @@ You can configure your operating system telemetry settings using the management
Use the appropriate value in the table below when you configure the management policy.
-| Value | Level | Data gathered |
-|-------|----------|---------------------------------------------------------------------------------------------------------------------------|
-| **0** | Security | Security data only. |
-| **1** | Basic | Security data, and basic system and quality data. |
-| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. |
-| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. |
+| Level | Data gathered | Value |
+| - | - | - |
+| Security | Security data only. | **0** |
+| Basic | Security data, and basic system and quality data. | **1** |
+| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** |
+| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
-
### Use Group Policy to set the telemetry level
@@ -275,21 +370,35 @@ There are a few more settings that you can turn off that may send telemetry info
- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
- >**Note:** Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
+ > [!NOTE]
+ > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
-
+## Additional resources
-## Examples of how Microsoft uses the telemetry data
+FAQs
+- [Cortana, Search, and privacy](http://windows.microsoft.com/en-us/windows-10/cortana-privacy-faq)
+- [Windows 10 feedback, diagnostics, and privacy](http://windows.microsoft.com/en-us/windows-10/feedback-diagnostics-privacy-faq)
+- [Windows 10 camera and privacy](http://windows.microsoft.com/en-us/windows-10/camera-privacy-faq)
+- [Windows 10 location service and privacy](http://windows.microsoft.com/en-us/windows-10/location-service-privacy)
+- [Microsoft Edge and privacy](http://windows.microsoft.com/en-us/windows-10/edge-privacy-faq)
+- [Windows 10 speech, inking, typing, and privacy](http://windows.microsoft.com/en-us/windows-10/speech-inking-typing-privacy-faq)
+- [Windows Hello and privacy](http://windows.microsoft.com/en-us/windows-10/windows-hello-privacy-faq)
+- [Wi-Fi Sense](http://windows.microsoft.com/en-us/windows-10/wi-fi-sense-faq)
+- [Windows Update Delivery Optimization](http://windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq)
-### Drive higher application and driver quality in the ecosystem
+Blogs
-Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications.
+- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
-### Reduce your total cost of ownership and downtime
+Privacy Statement
-Telemetry provides a view of which features and services customers use most. For example, the telemetry data provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates.
+- [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement)
-### Build features that address our customers’ needs
+TechNet
-Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers’ experiences and workloads. Some examples include customer usage of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft.
\ No newline at end of file
+- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+
+Web Pages
+
+- [Privacy at Microsoft](http://privacy.microsoft.com)
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
index a0ad00415a..77d2d5abf5 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -115,7 +115,7 @@ This example uses Microsoft Intune to configure an MDM policy that applies a cus
| **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. |
| **Data type** | **String** |
| **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** |
- | **Value** | Path to the Start layout .xml file that you created. |
+ | **Value** | Paste the contents of the Start layout .xml file that you created. |
diff --git a/windows/manage/device-guard-signing-portal.md b/windows/manage/device-guard-signing-portal.md
index 09c4d67158..e9dabd0581 100644
--- a/windows/manage/device-guard-signing-portal.md
+++ b/windows/manage/device-guard-signing-portal.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
author: TrudyHa
+localizationpriority: high
---
# Device Guard signing
diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md
index f1077326eb..8a9777af29 100644
--- a/windows/manage/disconnect-your-organization-from-microsoft.md
+++ b/windows/manage/disconnect-your-organization-from-microsoft.md
@@ -1,4 +1,4 @@
---
title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft
+redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services
---
\ No newline at end of file
diff --git a/windows/manage/distribute-apps-from-your-private-store.md b/windows/manage/distribute-apps-from-your-private-store.md
index c81973c29f..500ff0c7b4 100644
--- a/windows/manage/distribute-apps-from-your-private-store.md
+++ b/windows/manage/distribute-apps-from-your-private-store.md
@@ -23,29 +23,29 @@ You can make an app available in your private store when you acquire the app, or
**To acquire an app and make it available in your private store**
-1. Sign in to the Store for Business.
+1. Sign in to the [Store for Business](https://businessstore.microsoft.com).
2. Click an app and then click **Get the app** to acquire the app for your organization.
3. You'll have a few options for distributing the app -- choose **Add to your private store where all people in your organization can find and install it.**
- 
+ 
It will take approximately twelve hours before the app is available in the private store.
**To make an app in inventory available in your private store**
-1. Sign in to the Store for Business.
+1. Sign in to the [Store for Business](https://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
- 
+ 
3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
- 
+ 
The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
diff --git a/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md b/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md
index ffdae6061d..8863d87a80 100644
--- a/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md
+++ b/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Distribute apps to your employees from the Windows Store for Business
diff --git a/windows/manage/distribute-apps-with-management-tool.md b/windows/manage/distribute-apps-with-management-tool.md
index 484fa6b93b..891c3c0ccc 100644
--- a/windows/manage/distribute-apps-with-management-tool.md
+++ b/windows/manage/distribute-apps-with-management-tool.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Distribute apps with a management tool
@@ -48,14 +49,14 @@ If your vendor doesn’t support the ability to synchronize applications from th
This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices.
-
+
## Distribute online-licensed apps
This diagram shows how you can use a management tool to distribute an online-licensed app to employees in your organization. Once synchronized from Store for Business, management tools use the Windows Management framework to distribute applications to devices. For Online licensed applications, the management tool calls back in to Store for Business management services to assign an application prior to issuing the policy to install the application.
-
+
## Related topics
diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md
index f6493b53b4..c1bc0b3a20 100644
--- a/windows/manage/distribute-offline-apps.md
+++ b/windows/manage/distribute-offline-apps.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Distribute offline apps
diff --git a/windows/manage/find-and-acquire-apps-overview.md b/windows/manage/find-and-acquire-apps-overview.md
index 4b4aab57ea..8faea40ea2 100644
--- a/windows/manage/find-and-acquire-apps-overview.md
+++ b/windows/manage/find-and-acquire-apps-overview.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Find and acquire apps
diff --git a/windows/plan/images/fig1-deferupgrades.png b/windows/manage/images/fig1-deferupgrades.png
similarity index 100%
rename from windows/plan/images/fig1-deferupgrades.png
rename to windows/manage/images/fig1-deferupgrades.png
diff --git a/windows/plan/images/fig2-deploymenttimeline.png b/windows/manage/images/fig2-deploymenttimeline.png
similarity index 100%
rename from windows/plan/images/fig2-deploymenttimeline.png
rename to windows/manage/images/fig2-deploymenttimeline.png
diff --git a/windows/plan/images/fig3-overlaprelease.png b/windows/manage/images/fig3-overlaprelease.png
similarity index 100%
rename from windows/plan/images/fig3-overlaprelease.png
rename to windows/manage/images/fig3-overlaprelease.png
diff --git a/windows/manage/index.md b/windows/manage/index.md
index fa16723bc3..570fd79769 100644
--- a/windows/manage/index.md
+++ b/windows/manage/index.md
@@ -57,7 +57,7 @@ Learn about managing and updating Windows 10.
-
diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md
index 0325ebfeac..8e531b3827 100644
--- a/windows/manage/introduction-to-windows-10-servicing.md
+++ b/windows/manage/introduction-to-windows-10-servicing.md
@@ -10,27 +10,46 @@ ms.pagetype: security, servicing
author: greg-lindsay
---
-# Windows 10 servicing options for updates and upgrades
+# Windows 10 servicing options
**Applies to**
- Windows 10
- Windows 10 IoT Core (IoT Core)
-This article describes the new servicing options available in Windows 10 and IoT Core and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles.
+This article provides detailed information about new servicing options available in Windows 10 and IoT Core. It also provides information on how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles. Before reading this article, you should understand the new Windows 10 servicing model. For an overview of this servicing model, see: [Windows 10 servicing overview](../plan/windows-10-servicing-options.md).
For Windows 10 current version numbers by servicing option see: [Windows 10 release information](https://technet.microsoft.com/en-us/windows/mt679505.aspx).
-
-**Note**
-Several of the figures in this article show multiple feature upgrades of Windows being released by Microsoft over time. Be aware that these figures were created with dates that were chosen for illustrative clarity, not for release roadmap accuracy, and should not be used for planning purposes.
-## Introduction
+## Key terminology
-In enterprise IT environments, the desire to provide users with the latest technologies needs to be balanced with the need for manageability and cost control. In the past, many enterprises managed their Windows deployments homogeneously and performed large-scale upgrades to new releases of Windows (often in parallel with large-scale hardware upgrades) about every three to six years. Today, the rapid evolution of Windows as a platform for device-like experiences is causing businesses to rethink their upgrade strategies. Especially with the release of Windows 10, there are good business reasons to keep a significant portion of your enterprise's devices *current* with the latest release of Windows. For example, during the development of Windows 10, Microsoft:
-- Streamlined the Windows product engineering and release cycle so that Microsoft can deliver the features, experiences, and functionality customers want, more quickly than ever.
-- Created new ways to deliver and install feature upgrades and servicing updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership.
-- Implemented new servicing options – referred to as Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB) – that provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible.
+The following terms are used When discussing the new Windows 10 servicing model:
-The remainder of this article provides additional information about each of these areas. This article also provides an overview of the planning implications of the three Windows 10 servicing options (summarized in Table 1) so that IT administrators can be well-grounded conceptually before they start a Windows 10 deployment project.
+
-
-
-
-
-
-
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/plan/compatibility-monitor-users-guide.md b/windows/plan/compatibility-monitor-users-guide.md
index 9a72ed30d3..a183923ba1 100644
--- a/windows/plan/compatibility-monitor-users-guide.md
+++ b/windows/plan/compatibility-monitor-users-guide.md
@@ -1,72 +1,5 @@
---
title: Compatibility Monitor User's Guide (Windows 10)
description: Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback.
-ms.assetid: 67d6eff0-1576-44bd-99b4-a3ffa5e205ac
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Compatibility Monitor User's Guide
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback.
-
-## In this section
-
-
-
+
+
+## Windows 10 servicing
+
+The following table provides an overview of the planning implications of the three Windows 10 servicing options so that IT administrators can be well-grounded conceptually before they start a Windows 10 deployment project.
Table 1. Windows 10 servicing options
@@ -91,7 +110,7 @@ At the end of each approximately four month period, Microsoft executes a set of
Although Windows 10 will enable IT administrators to defer installation of new feature upgrades using Windows Update, enterprises may also want additional control over how and when Windows Update installs releases. With this need in mind, Microsoft [announced Windows Update for Business](http://go.microsoft.com/fwlink/p/?LinkId=624798) in May of 2015. Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing releases. This article will be updated with additional information about the role of Windows Update for Business in servicing Windows 10 devices as it becomes available.
-## Windows 10 servicing options
+## Windows 10 servicing branches
Historically, because of the length of time between releases of new Windows versions, and the relatively low number of enterprise devices that were upgraded to newer versions of Windows during their deployment lifetimes, most IT administrators defined servicing as installing the updates that Microsoft published every month. Looking forward, because Microsoft will be publishing new feature upgrades on a continual basis, *servicing* will also include (on some portion of an enterprise's devices) installing new feature upgrades as they become available.
In fact, when planning to deploy Windows 10 on a device, one of the most important questions for IT administrators to ask is, “What should happen to this device when Microsoft publishes a new feature upgrade?” This is because Microsoft designed Windows 10 to provide businesses with multiple servicing options, centered on enabling different rates of feature upgrade adoption. In particular, IT administrators can configure Windows 10 devices to:
@@ -100,6 +119,144 @@ In fact, when planning to deploy Windows 10 on a device, one of the most import
- Receive only servicing updates for the duration of their Windows 10 deployment in order to reduce the number of non-essential changes made to the device. For more information, see [Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing](#install-updates-ltsb).
The breakout of a company’s devices by the categories above is likely to vary significantly by industry and other factors. What is most important is that companies can decide what works best for them and can choose different options for different devices.
+## Current Branch versus Current Branch for Business
+
+When the development of a new Windows 10 feature upgrade is complete, it is initially offered to Current Branch computers; those computers configured for Current Branch for Business will receive the feature upgrade (with additional fixes) at a later date, generally at least four months later. An additional deferral of at least eight months is available to organizations that use tools to control the update process. During this time, monthly security updates will continue to be made available to machines not yet upgraded.
+
+The process to configure a PC for Current Branch for Business is simple. The **Defer upgrades** setting needs to be configured, either manually (through the Settings app), by using Group Policy, or by using mobile device management (MDM).
+
+
+
+Figure 1. Configure the **Defer upgrades** setting
+
+Most organizations today leverage Windows Server Update Services (WSUS) or System Center Configuration Manager to update their PCs. With Windows 10, this does not need to change; all updates are controlled through approvals or automatic deployment rules configured in those products, so new upgrades will not be deployed until the organization chooses. The **Defer upgrades** setting can function as an additional validation check, so that Current Branch for Business machines that are targeted with a new upgrade prior to the end of the initial four-month deferral period will decline to install it; they can install the upgrade any time within the eight-month window after that initial four-month deferral period.
+
+For computers configured to receive updates from Windows Update directly, the **Defer upgrades** setting directly controls when the PC will be upgraded. Computers that are not configured to defer upgrades will be upgraded at the time of the initial Current Branch release; computers that are configured to defer upgrades will be upgraded four months later.
+
+With Windows 10 it is now possible to manage updates for PCs and tablets that have a higher degree of mobility and are not joined to a domain. For these PCs, you can leverage mobile device management (MDM) services or Windows Update for Business to provide the same type of control provided today with WSUS or Configuration Manager.
+
+For PCs enrolled in a mobile device management (MDM) service, Windows 10 provides new update approval mechanisms that could be leveraged to delay the installation of a new feature upgrade or any other update. Windows Update for Business will eventually provide these and other capabilities to manage upgrades and updates; more details on these capabilities will be provided when they are available later in 2015.
+
+With the release of each Current Branch feature update, new ISO images will be made available. You can use these images to upgrade existing machines or to create new custom images. These feature upgrades will also be published with WSUS to enable simple deployment to devices already running Windows 10.
+
+Unlike previous versions of Windows, the servicing lifetime of Current Branch or Current Branch for Business is finite. You must install new feature upgrades on machines running these branches in order to continue receiving monthly security updates. This requires new ways of thinking about software deployment. It is best to align your deployment schedule with the Current Branch release schedule:
+
+- Begin your evaluation process with the Windows Insider Program releases.
+- Perform initial pilot deployments by using the Current Branch.
+- Expand to broad deployment after the Current Branch for Business is available.
+- Complete deployments by using that release in advance of the availability of the next Current Branch.
+
+
+
+Figure 2. Deployment timeline
+
+Some organizations may require more than 12 months to deploy Windows 10 to all of their existing PCs. To address this, it may be necessary to deploy multiple Windows 10 releases, switching to these new releases during the deployment project. Notice how the timelines can overlap, with the evaluation of one release happening during the pilot and deployment of the previous release:
+
+
+
+Figure 3. Overlapping releases
+
+As a result of these overlapping timelines, organizations can choose which release to deploy. Note though that by continuing for longer with one release, that gives you less time to deploy the subsequent release (to both existing Windows 10 PCs as well as newly-migrated ones), so staying with one release for the full lifetime of that release can be detrimental overall.
+
+## Long-Term Servicing Branch
+
+For specialized devices, Windows 10 Enterprise Long Term Servicing Branch (LTSB) ISO images will be made available. These are expected to be on a variable schedule, less often than CB and CBB releases. Once released, these will be supported with security and reliability fixes for an extended period; no new features will be added over its servicing lifetime. Note that LTSB images will not contain most in-box Universal Windows Apps (for example, Microsoft Edge, Cortana, the Windows Store, the Mail and Calendar apps) because the apps or the services that they use will be frequently updated with new functionality and therefore cannot be supported on PCs running the LTSB OS.
+
+These LTSB images can be used to upgrade existing machines or to create new custom images.
+
+Note that Windows 10 Enterprise LTSB installations fully support the Universal Windows Platform, with the ability to run line-of-business apps created using the Windows SDK, Visual Studio, and related tools capable of creating Universal Windows apps. For apps from other ISVs (including those published in the Windows Store), contact the ISV to confirm if they will provide long-term support for their specific apps.
+
+As mentioned previously, there are few, if any, scenarios where an organization would use the Long-Term Servicing Branch for every PC – or even for a majority of them.
+
+## Windows Insider Program
+
+During the development of a new Windows 10 feature update, preview releases will be made available to Windows Insider Program participants. This enables those participants to try out new features, check application compatibility, and provide feedback during the development process.
+
+To obtain Windows Insider Program builds, the Windows Insider Program participants must opt in through the Settings app, and specify their Microsoft account.
+
+Occasionally (typically as features are made available to those in the Windows Insider Program “slow” ring), new ISO images will be released to enable deployment validation, testing, and image creation.
+
+## Switching between branches
+
+During the life of a particular PC, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
+
+
+
+ **Term**
+ **Description**
+
+
+ Upgrade
+ A new Windows 10 release that contains additional features and capabilities, released two to three times per year.
+
+
+ Update
+ Packages of security fixes, reliability fixes, and other bug fixes that are released periodically, typically once a month on Update Tuesday (sometimes referred to as Patch Tuesday). With Windows 10, these are cumulative in nature.
+
+
+ Branch
+ The windows servicing branch is one of four choices: Windows Insider, Current Branch, Current Branch for Business, or Long-Term Servicing Branch. Branches are determined by the frequency with which the computer is configured to receive feature updates.
+
+
+Ring
+ A ring is a groups of PCs that are all on the same branch and have the same update settings. Rings can be used internally by organizations to better control the upgrade rollout process.
+
+
+
## Plan for Windows 10 deployment
The remainder of this article focuses on the description of the three options outlined above, and their planning implications, in more detail. In practice, IT administrators have to focus on two areas when planning a Windows 10 device deployment:
@@ -111,19 +268,21 @@ The content that follows will provide IT administrators with the context needed
**How Microsoft releases Windows 10 feature upgrades**
-When it is time to release a build as a new feature upgrade for Windows 10, Microsoft performs several processes in sequence. The first process involves creating either one or two servicing branches in a source code management system. These branches (shown in Figure 1) are required to produce feature upgrade installation media and servicing update packages that can be deployed on different Windows 10 editions, running in different configurations.
+>Some figures in this article show multiple feature upgrades of Windows being released by Microsoft over time. Be aware that these figures were created with dates that were chosen for illustrative clarity, not for release roadmap accuracy, and should not be used for planning purposes.
-
+When it is time to release a build as a new feature upgrade for Windows 10, Microsoft performs several processes in sequence. The first process involves creating either one or two servicing branches in a source code management system. These branches (shown in Figure 4) are required to produce feature upgrade installation media and servicing update packages that can be deployed on different Windows 10 editions, running in different configurations.
-Figure 1. Feature upgrades and servicing branches
+
-In all cases, Microsoft creates a servicing branch (referred to in Figure 1 as Servicing Branch \#1) that is used to produce releases for approximately one year (although the lifetime of the branch will ultimately depend on when Microsoft publishes subsequent feature upgrade releases). If Microsoft has selected the feature upgrade to receive long-term servicing-only support, Microsoft also creates a second servicing branch (referred to in Figure 1 as Servicing Branch \#2) that is used to produce servicing update releases for up to 10 years.
+Figure 4. Feature upgrades and servicing branches
-As shown in Figure 2, when Microsoft publishes a new feature upgrade, Servicing Branch \#1 is used to produce the various forms of media needed by OEMs, businesses, and consumers to install Windows 10 Home, Pro, Education, and Enterprise editions. Microsoft also produces the files needed by Windows Update to distribute and install the feature upgrade, along with *targeting* information that instructs Windows Update to only install the files on devices configured for *immediate* installation of feature upgrades.
+In all cases, Microsoft creates a servicing branch (referred to in Figure 4 as Servicing Branch \#1) that is used to produce releases for approximately one year (although the lifetime of the branch will ultimately depend on when Microsoft publishes subsequent feature upgrade releases). If Microsoft has selected the feature upgrade to receive long-term servicing-only support, Microsoft also creates a second servicing branch (referred to in Figure 4 as Servicing Branch \#2) that is used to produce servicing update releases for up to 10 years.
-
+As shown in Figure 5, when Microsoft publishes a new feature upgrade, Servicing Branch \#1 is used to produce the various forms of media needed by OEMs, businesses, and consumers to install Windows 10 Home, Pro, Education, and Enterprise editions. Microsoft also produces the files needed by Windows Update to distribute and install the feature upgrade, along with *targeting* information that instructs Windows Update to only install the files on devices configured for *immediate* installation of feature upgrades.
-Figure 2. Producing feature upgrades from servicing branches
+
+
+Figure 5. Producing feature upgrades from servicing branches
Approximately four months after publishing the feature upgrade, Microsoft uses Servicing Branch \#1 again to *republish* updated installation media for Windows 10 Pro, Education, and Enterprise editions. The updated media contains the exact same feature upgrade as contained in the original media except Microsoft also includes all the servicing updates that were published since the feature upgrade was first made available. This enables the feature upgrade to be installed on a device more quickly, and in a way that is potentially less obtrusive to users.
@@ -131,15 +290,15 @@ Concurrently, Microsoft also changes the way the feature upgrade is published in
**How Microsoft publishes the Windows 10 Enterprise LTSB Edition**
-If Microsoft has selected the feature upgrade to receive long-term servicing support, Servicing Branch \#2 is used to publish the media needed to install the Windows 10 Enterprise LTSB edition. The time between releases of feature upgrades with long-term servicing support will vary between one and three years, and is strongly influenced by input from customers regarding the readiness of the release for long-term enterprise deployment. Figure 2 shows the Windows 10 Enterprise LTSB edition being published at the same time as the other Windows 10 editions, which mirrors the way editions were actually published for Windows 10 in July of 2015. It is important to note that this media is never published to Windows Update for deployment. Installations of the Enterprise LTSB edition on devices must be performed another way.
+If Microsoft has selected the feature upgrade to receive long-term servicing support, Servicing Branch \#2 is used to publish the media needed to install the Windows 10 Enterprise LTSB edition. The time between releases of feature upgrades with long-term servicing support will vary between one and three years, and is strongly influenced by input from customers regarding the readiness of the release for long-term enterprise deployment. Figure 5 shows the Windows 10 Enterprise LTSB edition being published at the same time as the other Windows 10 editions, which mirrors the way editions were actually published for Windows 10 in July of 2015. It is important to note that this media is never published to Windows Update for deployment. Installations of the Enterprise LTSB edition on devices must be performed another way.
**How Microsoft releases Windows 10 servicing updates**
-As shown in Figure 3, servicing branches are also used by Microsoft to produce servicing updates containing fixes for security vulnerabilities and other important issues. Servicing updates are published in a way that determines the Windows 10 editions on which they can be installed. For example, servicing updates produced from a given servicing branch can only be installed on devices running a Windows 10 edition produced from the same servicing branch. In addition, because Windows 10 Home does not support deferred installation of feature upgrades, servicing updates produced from Servicing Branch \#1 are targeted at devices running Windows 10 Home only until Microsoft publishes feature upgrades for deferred installation.
+As shown in Figure 6, servicing branches are also used by Microsoft to produce servicing updates containing fixes for security vulnerabilities and other important issues. Servicing updates are published in a way that determines the Windows 10 editions on which they can be installed. For example, servicing updates produced from a given servicing branch can only be installed on devices running a Windows 10 edition produced from the same servicing branch. In addition, because Windows 10 Home does not support deferred installation of feature upgrades, servicing updates produced from Servicing Branch \#1 are targeted at devices running Windows 10 Home only until Microsoft publishes feature upgrades for deferred installation.
-
+
-Figure 3. Producing servicing updates from servicing branches
+Figure 6. Producing servicing updates from servicing branches
**Release installation alternatives**
@@ -162,24 +321,24 @@ Because there is a one-to-one mapping between servicing options and servicing br
Although Microsoft is currently planning to release approximately two to three feature upgrades per year, the actual frequency and timing of releases will vary. Because the servicing lifetimes of feature upgrades typically end when the servicing lifetimes of other, subsequent feature upgrades begin, the lengths of servicing lifetimes will also vary.
-
+
-Figure 4. Example release cadence across multiple feature upgrades
+Figure 7. Example release cadence across multiple feature upgrades
To show the variability of servicing lifetimes, and show the paths that feature upgrade installations will take when Windows Update and Windows Server Update Services are used for deployments, Figure 4 contains three feature upgrade releases (labeled *X*, *Y*, and *Z*) and their associated servicing branches. The time period between publishing X and Y is four months, and the time period between publishing Y and Z is six months. X and Z have long-term servicing support, and Y has shorter-term servicing support only.
-The same underlying figure will be used in subsequent figures to show all three servicing options in detail. It is important to note that Figure 4 is provided for illustration of servicing concepts only and should not be used for actual Windows 10 release planning.
+The same underlying figure will be used in subsequent figures to show all three servicing options in detail. It is important to note that Figure 7 is provided for illustration of servicing concepts only and should not be used for actual Windows 10 release planning.
To simplify the servicing lifetime and feature upgrade behavior explanations that follow, this document refers to branch designations for a specific feature upgrade as the +0 versions, the designations for the feature upgrade after the +0 version as the +1 (or successor) versions, and the designation for the feature upgrade after the +1 version as the +2 (or second successor) versions.
###
**Immediate feature upgrade installation with Current Branch (CB) servicing**
-As shown in Figure 5, the Current Branch (CB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft publishes a feature upgrade targeted for devices configured for *immediate* installation and ends when Microsoft publishes the *successor* feature upgrade targeted for devices configured for *immediate* installation.
+As shown in Figure 8, the Current Branch (CB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft publishes a feature upgrade targeted for devices configured for *immediate* installation and ends when Microsoft publishes the *successor* feature upgrade targeted for devices configured for *immediate* installation.
-
+
-Figure 5. Immediate installation with Current Branch Servicing
+Figure 8. Immediate installation with Current Branch Servicing
The role of Servicing Branch \#1 during the CB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *immediate* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBs*. The Windows 10 editions that support servicing from CBs are Home, Pro, Education, and Enterprise. The Current Branch designation is intended to reflect the fact that devices serviced using this approach will be kept as current as possible with respect to the latest Windows 10 feature upgrade release.
Windows 10 Home supports Windows Update for release deployment. Windows 10 editions (Pro, Education, and Enterprise) support Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems:
@@ -191,11 +350,11 @@ It is important to note that devices serviced from CBs must install two to three
###
**Deferred feature upgrade installation with Current Branch for Business (CBB) servicing**
-As shown in Figure 6, the Current Branch for Business (CBB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft republishes a feature upgrade targeted for devices configured for *deferred* installation and ends when Microsoft republishes the *second successor* feature upgrade targeted for devices configured for *deferred* installation.
+As shown in Figure 9, the Current Branch for Business (CBB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft republishes a feature upgrade targeted for devices configured for *deferred* installation and ends when Microsoft republishes the *second successor* feature upgrade targeted for devices configured for *deferred* installation.
-
+
-Figure 6. Deferred installation with Current Branch for Business Servicing
+Figure 9. Deferred installation with Current Branch for Business Servicing
The role of Servicing Branch \#1 during the CBB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *deferred* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBBs*. The Windows 10 editions that support servicing from CBBs are Pro, Education, and Enterprise. The Current Branch for Business designation is intended to reflect the fact that many businesses require IT administrators to test feature upgrades prior to deployment, and servicing devices from CBBs is a pragmatic solution for businesses with testing constraints to remain as current as possible.
Windows 10 (Pro, Education, and Enterprise editions) support release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems:
@@ -208,11 +367,11 @@ Microsoft designed Windows 10 servicing lifetime policies so that CBBs will rec
**Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing**
-As shown in Figure 7, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing-only) section).
+As shown in Figure 10, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing-only) section).
-
+
-Figure 7. Servicing updates only using LTSB Servicing
+Figure 10. Servicing updates only using LTSB Servicing
The role of LTSBs is to produce servicing updates for devices running Windows 10 configured to install servicing updates only. Devices configured this way are referred to as being *serviced from LTSBs*. The Long-Term Servicing Branch designation is intended to reflect the fact that this servicing option is intended for scenarios where changes to software running on devices must be limited to essential updates (such as those for security vulnerabilities and other important issues) for the duration of deployments.
Windows 10 Enterprise LTSB supports release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems:
diff --git a/windows/manage/manage-access-to-private-store.md b/windows/manage/manage-access-to-private-store.md
index 47ddaea3ef..8e2f813d33 100644
--- a/windows/manage/manage-access-to-private-store.md
+++ b/windows/manage/manage-access-to-private-store.md
@@ -23,7 +23,7 @@ Organizations might want control the set of apps that are available to their emp
The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Your private store looks something like this:
-
+
Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group-policy-table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy.
diff --git a/windows/manage/manage-apps-windows-store-for-business-overview.md b/windows/manage/manage-apps-windows-store-for-business-overview.md
index 6856a7683d..76b2ee98e8 100644
--- a/windows/manage/manage-apps-windows-store-for-business-overview.md
+++ b/windows/manage/manage-apps-windows-store-for-business-overview.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Manage apps in Windows Store for Business
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index f3194a4699..adf68698e2 100644
--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -6,6 +6,7 @@ keywords: privacy, manage connections to Microsoft
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
+localizationpriority: high
author: brianlic-msft
---
@@ -309,7 +310,7 @@ You can prevent Windows from setting the time automatically.
-or-
-- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**.
+- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
### 3. Device metadata retrieval
diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md
index 901a3beb11..dbc5ed0c8a 100644
--- a/windows/manage/manage-corporate-devices.md
+++ b/windows/manage/manage-corporate-devices.md
@@ -97,7 +97,7 @@ For more information about the MDM protocols, see [Mobile device management](htt
[How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627898.aspx)
-[Windows 10, Azure AD and Microsoft Intune: Automatic MDM Enrollment](http://go.microsoft.com/fwlink/p/?LinkId=623321)
+[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/)
[Microsoft Intune End User Enrollment Guide](http://go.microsoft.com/fwlink/p/?LinkID=617169)
diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md
index b44e4c4920..98ed3188ee 100644
--- a/windows/manage/manage-cortana-in-enterprise.md
+++ b/windows/manage/manage-cortana-in-enterprise.md
@@ -50,14 +50,15 @@ Set up and manage Cortana by using the following Group Policy and mobile device
|Group policy |MDM policy |Description |
|-------------|-----------|------------|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.
+
+
+
+For a PC that uses…
+Changing to…
+You need to:
+
+
+Windows Insider Program
+Current Branch
+Wait for the final Current Branch release.
+
+
+
+ Current Branch for Business
+Not directly possible, because Windows Insider Program machines are automatically upgraded to the Current Branch release at the end of the development cycle.
+
+
+
+ Long-Term Servicing Branch
+Not directly possible (requires wipe-and-load).
+
+
+Current Branch
+Insider
+Use the Settings app to enroll the device in the Windows Insider Program.
+
+
+
+ Current Branch for Business
+Select the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.
+
+
+
+ Long-Term Servicing Branch
+Not directly possible (requires wipe-and-load).
+
+
+Current Branch for Business
+Insider
+Use the Settings app to enroll the device in the Windows Insider Program.
+
+
+
+ Current Branch
+Disable the Defer upgrade setting, or move the PC to a target group or flight that will receive the latest Current Branch release.
+
+
+
+ Long-Term Servicing Branch
+Not directly possible (requires wipe-and-load).
+
+
+Long-Term Servicing Branch
+Insider
+Use media to upgrade to the latest Windows Insider Program build.
+
+
+
+ Current Branch
+Use media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)
+
+
+
+
+ Current Branch for Business
+Use media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.
+
Employees can still perform searches even with Cortana turned off. |
-|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInput Personalization |Specifies whether to turn on automatic learning, which allows the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana.
Cortana won’t work if this setting is turned off (disabled). |
-|None |System/AllowLocation |Specifies whether to allow app access to the Location service. |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.
Cortana won’t work if this setting is turned off (disabled). |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUse Location |Specifies whether search and Cortana can provide location aware search and Cortana results.
Cortana won’t work if this setting is turned off (disabled). |
-|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearch Permissions |Specifies what level of safe search (filtering adult content) is required.
This setting only applies to Windows 10 Mobile. |
-|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.
Cortana won’t work if this setting is turned off (disabled). |
-|User Configuration\Administrative Templates\Start Menu and Taskbar\Do not search communications |None |Specifies whether the Start menu search box searches communications.
Cortana won’t work if this setting is turned off (disabled). |
+|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
This setting only applies to Windows 10 for desktop devices. |
+|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in the enterprise.
Cortana won’t work if this setting is turned off (disabled).
Cortana still works if this setting is turned off (disabled). |
+|None |System/AllowLocation |Specifies whether to allow app access to the Location service.
Cortana won’t work if this setting is turned off (disabled).
Cortana still works if this setting is turned off (disabled). |
+|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
This setting only applies to Windows 10 Mobile. |
+|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference. |
+|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.
This setting can’t be managed.
Cortana won't work if this setting is turned off (disabled). |
+|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off. |
**More info:**
- For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381).
diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md
index 8535d16d65..f8db99379b 100644
--- a/windows/manage/manage-inventory-windows-store-for-business.md
+++ b/windows/manage/manage-inventory-windows-store-for-business.md
@@ -1,70 +1,10 @@
---
title: Manage inventory in Windows Store for Business (Windows 10)
description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses.
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/app-inventory-management-windows-store-for-business
+redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
---
-# Manage inventory in Window Store for Business
-When you acquire apps from the Windows Store for Business, we add them to the inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses.
-
-## Distribute apps
-You can assign apps to people, or you can make apps available in your private store. Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
-
-**To make an app in inventory available in your private store**
-
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
-2. Click **Manage**, and then choose **Inventory**.
-3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
-4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
-
-The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
-
-Employees can claim apps that admins added to the private store by doing the following.
-
-**To claim an app from the private store**
-
-1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
-2. Click the private store tab.
-3. Click the app you want to install, and then click **Install**.
-
-Another way to distribute apps is by assigning them to people in your organization.
-
-**To assign an app to an employee**
-
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
-2. Click **Manage**, and then choose **Inventory**.
-3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
-4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
-
-Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
-
-## Manage licenses
-For apps in inventory, when you assign an app to an employee, a license for the app is assigned to them. You can manage these licenses, either by assigning them, or reclaiming them so you can assign them to another employee. You can also remove an app from the private store.
-
-**To assign licenses**
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
-2. Click **Manage**, and then choose **Inventory**.
-3. Find an app, click the ellipses under **Action**, and then choose **View license details**.
-4. Click **Assign to people**, type the name you are assigning the license to, and then click **Assign**.
-
-Store for Business assigns a license to the person, and adds them to the list of assigned licenses.
-
-**To reclaim licenses**
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
-2. Click **Manage**, and then choose **Inventory**.
-3. Find an app, click the ellipses under **Action**, and then choose **View license details**.
-4. Click the name of the person you are reclaiming the license from, and then click **Reclaim licenses**.
-
-Store for Business reclaims the license, and updates the number of avialable licenses. After you reclaim a license, you can assign a license to another employee.
-
-**To remove an app from the private store**
-
-If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store.
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
-2. Click **Manage**, and then choose **Inventory**.
-3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**.
-
-The app will still be in your inventory, but your employees will not have access to the app from your private store.
+
diff --git a/windows/manage/manage-orders-windows-store-for-business.md b/windows/manage/manage-orders-windows-store-for-business.md
index 03d95f9433..9ca7ce1322 100644
--- a/windows/manage/manage-orders-windows-store-for-business.md
+++ b/windows/manage/manage-orders-windows-store-for-business.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Manage app orders in Windows Store for Business
diff --git a/windows/manage/manage-private-store-settings.md b/windows/manage/manage-private-store-settings.md
index 1eb1190a30..e070bd57ea 100644
--- a/windows/manage/manage-private-store-settings.md
+++ b/windows/manage/manage-private-store-settings.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Manage private store settings
@@ -19,9 +20,9 @@ author: TrudyHa
The private store is a feature in the Windows Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
-The name of your private store is shown on a tab in the Windows Store.
+The name of your private store is shown on a tab in the Windows Store app.
-
+
You can change the name of your private store in Store for Business.
@@ -33,13 +34,13 @@ You can change the name of your private store in Store for Business.
You'll see your private store name.
- 
+ 
3. Click **Change**.
4. Type a new display name for your private store, and click **Save**.
- 
+ 
diff --git a/windows/manage/manage-settings-windows-store-for-business.md b/windows/manage/manage-settings-windows-store-for-business.md
index 04bd40016e..9949754977 100644
--- a/windows/manage/manage-settings-windows-store-for-business.md
+++ b/windows/manage/manage-settings-windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Manage settings for the Windows Store for Business
diff --git a/windows/manage/manage-users-and-groups-windows-store-for-business.md b/windows/manage/manage-users-and-groups-windows-store-for-business.md
index 42fb25bfa2..e445c7f72b 100644
--- a/windows/manage/manage-users-and-groups-windows-store-for-business.md
+++ b/windows/manage/manage-users-and-groups-windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Manage user accounts in Windows Store for Business
diff --git a/windows/manage/prerequisites-windows-store-for-business.md b/windows/manage/prerequisites-windows-store-for-business.md
index 85f411ba17..8c759e9d5d 100644
--- a/windows/manage/prerequisites-windows-store-for-business.md
+++ b/windows/manage/prerequisites-windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Prerequisites for Windows Store for Business
diff --git a/windows/manage/roles-and-permissions-windows-store-for-business.md b/windows/manage/roles-and-permissions-windows-store-for-business.md
index 4fbfcc521e..6cdeba16db 100644
--- a/windows/manage/roles-and-permissions-windows-store-for-business.md
+++ b/windows/manage/roles-and-permissions-windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Roles and permissions in Windows Store for Business
@@ -204,11 +205,11 @@ These permissions allow people to:
2. Click **Settings**, and then choose **Permissions**.
- 
+ 
3. Click **Add people**, type a name, choose the role you want to assign, and click **Save** .
- 
+ 
4.
diff --git a/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md b/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md
index 71deb2dedb..96a6b5344b 100644
--- a/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md
+++ b/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
author: TrudyHa
+localizationpriority: high
---
# Sign code integrity policy with Device Guard signing
diff --git a/windows/manage/sign-up-windows-store-for-business-overview.md b/windows/manage/sign-up-windows-store-for-business-overview.md
index 93c2e85ad1..7a391739cc 100644
--- a/windows/manage/sign-up-windows-store-for-business-overview.md
+++ b/windows/manage/sign-up-windows-store-for-business-overview.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Sign up and get started
diff --git a/windows/manage/sign-up-windows-store-for-business.md b/windows/manage/sign-up-windows-store-for-business.md
index 89ca4e135b..b64638e1a8 100644
--- a/windows/manage/sign-up-windows-store-for-business.md
+++ b/windows/manage/sign-up-windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Sign up for Windows Store for Business
@@ -34,7 +35,7 @@ Before signing up for the Store for Business, make sure you're the global admini
- If you already have an Azure AD directory, you'll [sign in to Store for Business](#sign-in), and then accept Store for Business terms.
- 
+ 
**To sign up for Azure AD accounts through Office 365 for Business**
@@ -44,43 +45,43 @@ Before signing up for the Store for Business, make sure you're the global admini
Type the required info and click **Next.**
- 
+ 
- Step 2: Create an ID.
We'll use info you provided on the previous page to build your user ID. Check the info and click **Next**.
- 
+ 
- Step 3: You're in.
Let us know how you'd like to receive a verification code, and click either **Text me**, or **Call me**. We'll send you a verification code
- 
+ 
- Verification.
Type your verification code and click **Create my account**.
- 
+ 
- Save this info.
Be sure to save the portal sign-in page and your user ID info. Click **You're ready to go**.
- 
+ 
- At this point, you'll have an Azure AD directory created with one user account. That user account is the global administrator. You can use that account to sign in to Store for Business.
2. Sign in with your Azure AD account.
- 
+ 
3. Read through and accept Store for Business terms.
4. Welcome to the Store for Business. Click **Next** to continue.
- 
+ 
### Next steps
diff --git a/windows/manage/troubleshoot-windows-store-for-business.md b/windows/manage/troubleshoot-windows-store-for-business.md
index e2653436b7..6be281bae5 100644
--- a/windows/manage/troubleshoot-windows-store-for-business.md
+++ b/windows/manage/troubleshoot-windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Troubleshoot Windows Store for Business
diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md
index 2870bbda8a..38f4bd0b54 100644
--- a/windows/manage/update-windows-store-for-business-account-settings.md
+++ b/windows/manage/update-windows-store-for-business-account-settings.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Update Windows Store for Business account settings
diff --git a/windows/manage/windows-store-for-business.md b/windows/manage/windows-store-for-business.md
index d3a4044273..67a6d43bab 100644
--- a/windows/manage/windows-store-for-business.md
+++ b/windows/manage/windows-store-for-business.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Windows Store for Business
diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md
index f780a06748..e0d0c284fe 100644
--- a/windows/manage/working-with-line-of-business-apps.md
+++ b/windows/manage/working-with-line-of-business-apps.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+localizationpriority: high
---
# Working with line-of-business apps
@@ -80,7 +81,7 @@ After an app is published and available in the Store, ISVs publish an updated ve
5. Click **Save** to save your changes and start the app submission process.
For more information, see [Organizational licensing options]( http://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](http://go.microsoft.com/fwlink/p/?LinkId=627543).
-**Note** In order to get the LOB app, the organization must be located in a [supported market](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-store-for-business-overview#supported-markets), and you must not have excluded that market when submitting your app.
+**Note** In order to get the LOB app, the organization must be located in a [supported market](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview#supported-markets), and you must not have excluded that market when submitting your app.
### Add app to inventory (admin)
diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md
index d6212238a6..86f527f088 100644
--- a/windows/plan/TOC.md
+++ b/windows/plan/TOC.md
@@ -1,6 +1,6 @@
# [Plan for Windows 10 deployment](index.md)
## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md)
-## [Windows 10 servicing options](windows-10-servicing-options.md)
+## [Windows 10 servicing overview](windows-10-servicing-options.md)
## [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
## [Windows 10 compatibility](windows-10-compatibility.md)
## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
@@ -14,99 +14,29 @@
### [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
### [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
## [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md)
-### [Welcome to ACT](welcome-to-act.md)
-#### [What's New in ACT 6.1](whats-new-in-act-60.md)
-#### [Software Requirements for ACT](software-requirements-for-act.md)
-#### [Software Requirements for RAP](software-requirements-for-rap.md)
-### [Configuring ACT](configuring-act.md)
-#### [ACT Tools, Packages, and Services](act-tools-packages-and-services.md)
-#### [ACT Deployment Options](act-deployment-options.md)
-#### [ACT Database Configuration](act-database-configuration.md)
-#### [ACT Database Migration](act-database-migration.md)
-#### [ACT LPS Share Permissions](act-lps-share-permissions.md)
-### [Using ACT](using-act.md)
-#### [Taking Inventory of Your Organization](taking-inventory-of-your-organization.md)
-##### [Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md)
-##### [Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md)
-##### [Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md)
-#### [Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md)
-##### [Deciding Which Applications to Test](deciding-which-applications-to-test.md)
-##### [Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md)
-##### [Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md)
-##### [Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md)
-##### [Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md)
-###### [Using Compatibility Monitor to Send Feedback](using-compatibility-monitor-to-send-feedback.md)
-###### [Common Compatibility Issues](common-compatibility-issues.md)
-#### [Managing Your Data-Collection Packages](managing-your-data-collection-packages.md)
-##### [Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md)
-##### [Exporting a Data-Collection Package](exporting-a-data-collection-package.md)
-##### [Deleting a Data-Collection Package](deleting-a-data-collection-package.md)
-##### [Labeling Data in ACM](labeling-data-in-acm.md)
-#### [Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md)
-##### [Viewing Your Compatibility Reports](viewing-your-compatibility-reports.md)
-###### [<OperatingSystem> - Application Report](act-operatingsystem-application-report.md)
-####### [<Application> Dialog Box](application-dialog-box.md)
-###### [<OperatingSystem> - Computer Report](act-operatingsystem-computer-report.md)
-####### [<Computer> Dialog Box](computer-dialog-box.md)
-###### [<OperatingSystem> - Device Report](act-operatingsystem-device-report.md)
-####### [<Device> Dialog Box](device-dialog-box.md)
-###### [Internet Explorer - Web Site Report](internet-explorer-web-site-report.md)
-####### [<WebsiteURL> Dialog Box](websiteurl-dialog-box.md)
-###### [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md)
-###### [Customizing Your Report Views](customizing-your-report-views.md)
-##### [Organizing Your Compatibility Data](organizing-your-compatibility-data.md)
-###### [Organizational Tasks for Each Report Type](organizational-tasks-for-each-report-type.md)
-###### [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md)
-###### [Selecting Your Deployment Status](selecting-your-deployment-status.md)
-###### [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md)
-###### [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md)
-###### [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md)
-###### [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md)
-####### [Adding or Editing an Issue](adding-or-editing-an-issue.md)
-####### [Adding or Editing a Solution](adding-or-editing-a-solution.md)
-####### [Resolving an Issue](resolving-an-issue.md)
-##### [Filtering Your Compatibility Data](filtering-your-compatibility-data.md)
-###### [Example Filter Queries](example-filter-queries.md)
-##### [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md)
-###### [Data Sent Through the Microsoft Compatibility Exchange](data-sent-through-the-microsoft-compatibility-exchange.md)
-###### [ACT Community Ratings and Process](act-community-ratings-and-process.md)
-#### [Fixing Compatibility Issues](fixing-compatibility-issues.md)
-##### [Deciding Whether to Fix an Application or Deploy a Workaround](deciding-whether-to-fix-an-application-or-deploy-a-workaround.md)
-##### [SUA User's Guide](sua-users-guide.md)
-###### [Using the SUA Wizard](using-the-sua-wizard.md)
-###### [Using the SUA Tool](using-the-sua-tool.md)
-####### [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
-####### [Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
-####### [Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
-####### [Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
-##### [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-###### [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
-####### [Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)
-####### [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)
-####### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
-####### [Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
-####### [Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
-####### [Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)
-####### [Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)
-####### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
-####### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
-###### [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
-####### [Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md)
-####### [Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md)
-####### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)
-###### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)
-### [Troubleshooting ACT](troubleshooting-act.md)
-#### [Troubleshooting the ACT Configuration Wizard](troubleshooting-the-act-configuration-wizard.md)
-#### [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md)
-#### [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md)
-### [ACT User Interface Reference](act-user-interface-reference.md)
-#### [Toolbar Icons in ACM](act-toolbar-icons-in-acm.md)
-#### [Ratings Icons in ACM](ratings-icons-in-acm.md)
-#### [Activating and Closing Windows in ACM](activating-and-closing-windows-in-acm.md)
-#### [Settings for ACM](settings-for-acm.md)
-##### [Settings Dialog Box - Settings Tab](act-settings-dialog-box-settings-tab.md)
-##### [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md)
-### [ACT Product and Documentation Resources](act-product-and-documentation-resources.md)
-### [ACT Glossary](act-glossary.md)
+### [Standard User Analyzer (SUA) User's Guide](sua-users-guide.md)
+#### [Using the SUA Wizard](using-the-sua-wizard.md)
+#### [Using the SUA Tool](using-the-sua-tool.md)
+##### [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
+##### [Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
+##### [Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
+##### [Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
+### [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
+#### [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
+##### [Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)
+##### [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)
+##### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
+##### [Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
+##### [Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
+##### [Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)
+##### [Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)
+##### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
+##### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
+#### [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
+##### [Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md)
+##### [Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md)
+##### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)
+#### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)
### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
+
diff --git a/windows/plan/act-community-ratings-and-process.md b/windows/plan/act-community-ratings-and-process.md
index 6d28ac6493..e9c34a2026 100644
--- a/windows/plan/act-community-ratings-and-process.md
+++ b/windows/plan/act-community-ratings-and-process.md
@@ -1,48 +1,5 @@
---
title: ACT Community Ratings and Process (Windows 10)
description: The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members.
-ms.assetid: be6c8c71-785b-4adf-a375-64ca7d24e26c
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: appcompat
-author: TrudyHa
----
-
-# ACT Community Ratings and Process
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members.
-
-When you access the Microsoft Compatibility Exchange as a registered ACT Community member, you can upload your compatibility data to the community and download issues from other ACT Community members. For information about how compatibility ratings are entered, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).
-
-ACT takes your information and combines it with all of the information provided by the other ACT Community users and shows the average rating as a color gradient from one to five bars.
-
-
-
-## Process for Synchronizing Compatibility Ratings
-
-
-The following diagram shows the process for synchronizing compatibility ratings with the ACT Community.
-
-You have the option to exclude applications from being shared with the Microsoft Compatibility Exchange. However, you will not get compatibility ratings from the ACT Community for any application that you exclude. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
-
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-database-configuration.md b/windows/plan/act-database-configuration.md
index dc8103e03e..7c07865d8a 100644
--- a/windows/plan/act-database-configuration.md
+++ b/windows/plan/act-database-configuration.md
@@ -1,85 +1,5 @@
---
title: ACT Database Configuration (Windows 10)
description: The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data.
-ms.assetid: 032bbfe0-86fa-48ff-b638-b9d6a908c45e
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# ACT Database Configuration
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. If you do not use Microsoft SQL Server, you can download and install Microsoft SQL Server Express. For information about creating Microsoft SQL Server databases, see [Administering the Database Engine](http://go.microsoft.com/fwlink/p/?LinkId=64169).
-
-## ACT Database Creation
-
-
-You can create the ACT database by using one of the following methods:
-
-- Run Application Compatibility Manager (ACM), and then use the ACT Configuration Wizard to create a new database.
-
- -or-
-
-- Run the CreateDB.sql file, located at %SYSTEMDRIVE%\\ProgramData\\Microsoft\\Application Compatibility Toolkit\\CreateDB.sql.
-
-### ACT Database Permissions
-
-You must assign the following database roles to the following accounts.
-
-- To the user and local service accounts that will run the ACT Log Processing Service (LPS), assign the db\_datareader, db\_datawriter, and db\_owner database roles.
-
-- To the user account that will run Application Compatibility Manager (ACM), assign the db\_datareader and db\_datawriter database roles.
-
-Alternatively, grant the following explicit permissions to each user that will run the ACT LPS or ACM.
-
-- SELECT
-
-- INSERT
-
-- UPDATE
-
-- DELETE
-
-- EXECUTE
-
-### ACT Database Recommendations
-
-We also recommend that you make the following changes to the database as part of your deployment planning:
-
-- **Create a larger database, including a larger log file–size setting, and then set the growth increments appropriately**. If you create a database with the default setting for data storage, the data portion of the database will have an initial size of 1 megabyte (MB), and a growth increment of 1 MB. If you create a database with the default setting for log file storage, the log file portion of the database will have an initial size of 1 MB and a growth increment of 10 percent. We recommend that you maintain a data-to-log file ratio of 5:1 or 4:1. For example, if your data portion is 5 gigabytes (GB), your log file portion should be 1 GB.
-
-- **Change the recovery model of your database**. The default recovery model is **Full**, but we recommend that you change the recovery model to **Simple** to improve performance and reduce disk space requirements.
-
-- **Store the data portion and log file portion of your ACT database on separate hard drives**. Unless otherwise specified by your SQL Administrator, the default is for the data and log files to be stored on the same hard drive. We recommend separating the data from the log files to reduce disk I/O contention.
-
-## Related topics
-
-
-[ACT Tools, Packages, and Services](act-tools-packages-and-services.md)
-
-[ACT Deployment Options](act-deployment-options.md)
-
-[ACT Database Migration](act-database-migration.md)
-
-[ACT LPS Share Permissions](act-lps-share-permissions.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-database-migration.md b/windows/plan/act-database-migration.md
index 4b4009c05e..e8b5e9b74f 100644
--- a/windows/plan/act-database-migration.md
+++ b/windows/plan/act-database-migration.md
@@ -1,68 +1,5 @@
---
title: ACT Database Migration (Windows 10)
description: The schema for an ACT database can change when ACT is updated or when a new version of ACT is released.
-ms.assetid: b13369b4-1fb7-4889-b0b8-6d0ab61aac3d
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# ACT Database Migration
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. If the schema for an ACT database does not match the current schema, you can migrate the compatibility data to a new database. You can then use the current version of ACT to open the new database.
-
-To create the new database, you must have database-creation permissions on the instance of SQL Server.
-
-## Migrating Compatibility Data from an ACT Database
-
-
-You can migrate compatibility data from an ACT database to a new database by using one of the following methods:
-
-- Run Application Compatibility Manager (ACM), and then use the ACT Configuration Wizard to open the database. The wizard guides you through migrating the compatibility data to a new database.
-
-- Run the MigrateDB.sql file, located at %SYSTEMDRIVE%\\ProgramData\\Microsoft\\Application Compatibility Toolkit\\MigrateDB.sql.. The following table shows the location of the MigrateDB.sql file.
-
-## Database Migration from ACT 5.6
-
-
-When you migrate compatibility data from an ACT 5.6 database to a new database, the following information is excluded from the migration:
-
-- Issues that were reported by ACT 5.6 data-collection packages (DCPs).
-
-- Solutions that correspond to issues reported by ACT 5.6 DCPs.
-
-- Lists of file names that ACT 5.6 associated with each application.
-
-You cannot migrate any compatibility data from ACT databases that were created on a version of ACT before ACT 5.6.
-
-## Related topics
-
-
-[ACT Tools, Packages, and Services](act-tools-packages-and-services.md)
-
-[ACT Deployment Options](act-deployment-options.md)
-
-[ACT Database Configuration](act-database-configuration.md)
-
-[ACT LPS Share Permissions](act-lps-share-permissions.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-deployment-options.md b/windows/plan/act-deployment-options.md
index 32bb1e10f0..a550b72152 100644
--- a/windows/plan/act-deployment-options.md
+++ b/windows/plan/act-deployment-options.md
@@ -1,61 +1,5 @@
---
title: ACT Deployment Options (Windows 10)
description: While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT.
-ms.assetid: 90d56dd8-8d57-44e8-bf7a-29aabede45ba
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# ACT Deployment Options
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT.
-
-The following diagram shows supported deployment options for an ACT installation. The options listed first are the most highly recommended.
-
-
-
-## Collecting Data Across Domains
-
-
-If you plan to deploy inventory-collector packages to computers running Windows XP, where some of the computers are on a different domain than the ACT LPS share, do one of the following:
-
-- Set up a separate ACT LPS share on each domain and configure the inventory-collector package to upload log files to the ACT LPS share on the same domain.
-
-- Set up a single ACT LPS share on one computer. On the computer that hosts the share, use Group Policy to allow connections from anonymous users.
-
-These steps are not necessary if the computers where you deploy inventory-collector packages are running Windows Vista, Windows 7, Windows 8, Windows 8.1, or Windows 10.
-
-If you choose to have distributed logging with a subsequent step of moving log files to your central share, move the files to the central share before processing the files. You can move the files manually or use a technology like Distributed File-System Replication (DFSR).
-
-## Related topics
-
-
-[ACT Tools, Packages, and Services](act-tools-packages-and-services.md)
-
-[ACT Database Configuration](act-database-configuration.md)
-
-[ACT Database Migration](act-database-migration.md)
-
-[ACT LPS Share Permissions](act-lps-share-permissions.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-glossary.md b/windows/plan/act-glossary.md
index 87b42aab6e..17f66a70be 100644
--- a/windows/plan/act-glossary.md
+++ b/windows/plan/act-glossary.md
@@ -1,118 +1,5 @@
---
title: ACT Glossary (Windows 10)
description: The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT).
-ms.assetid: 984d1cce-c1ac-4aa8-839a-a23e15da6f32
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# ACT Glossary
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-lps-share-permissions.md b/windows/plan/act-lps-share-permissions.md
index f2496dc915..37a6534881 100644
--- a/windows/plan/act-lps-share-permissions.md
+++ b/windows/plan/act-lps-share-permissions.md
@@ -1,76 +1,5 @@
---
title: ACT LPS Share Permissions (Windows 10)
description: To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level.
-ms.assetid: 51f6ddf7-f424-4abe-a0e0-71fe616f9e84
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# ACT LPS Share Permissions
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level.
-
-## Share-Level Permissions
-
-
-The **Everyone** group must have **Change** and **Read** permissions to the ACT LPS share.
-
-**To set the share-level permissions**
-
-1. Browse to the ACT LPS share, right-click the folder, and select **Properties**.
-
-2. Click the **Sharing** tab, share the folder, and then click **Permissions**.
-
-3. Add the **Everyone** group if it is not already listed, and then select the **Change** and **Read** check boxes in the **Allow** column.
-
-## Folder-Level Permissions (NTFS Only)
-
-
-The **Everyone** group must have **Write** access to the ACT LPS share.
-
-The ACT Log Processing Service account must have **List Folder Contents**, **Read**, and **Write** permissions.
-
-- If the ACT Log Processing Service account is **Local System Account**, apply the permissions to the *<domain>*\\*<computer>*$ account.
-
-- If the ACT Log Processing Service is a user account, apply the permissions to the specific user.
-
-**To set the folder-level permissions**
-
-1. In Windows Explorer, right-click the folder for the ACT LPS share, and then click **Properties**.
-
-2. Click the **Security** tab, add the account that runs the ACT Log Processing Service, and then select the **List Folder Contents**, **Read**, and **Write** check boxes in the **Allow** column.
-
-3. Add the **Everyone** group if it is not already listed, and then select the **Write** check box in the **Allow** column.
-
-## Related topics
-
-
-[ACT Tools, Packages, and Services](act-tools-packages-and-services.md)
-
-[ACT Deployment Options](act-deployment-options.md)
-
-[ACT Database Configuration](act-database-configuration.md)
-
-[ACT Database Migration](act-database-migration.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-operatingsystem-application-report.md b/windows/plan/act-operatingsystem-application-report.md
index 3c0f49d348..62da93a40d 100644
--- a/windows/plan/act-operatingsystem-application-report.md
+++ b/windows/plan/act-operatingsystem-application-report.md
@@ -1,80 +1,5 @@
---
title: OperatingSystem - Application Report (Windows 10)
description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
-ms.assetid: 9721485b-6092-4974-8cfe-c84472237a57
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# <OperatingSystem> - Application Report
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
-
-The **<OperatingSystem> - Application Report** screen shows the following information for the applications from which you have collected data:
-
-- The application name, application vendor, and application version.
-
-- Your organization’s compatibility rating for the application.
-
-- Compatibility ratings from users in your organization who are using a runtime analysis package to test the application.
-
-- Whether the information for the application is included in the synchronization process with the Microsoft Compatibility Exchange.
-
-- Compatibility information for the application from the application vendor.
-
-- Compatibility ratings from the ACT Community, if you are a member of the ACT Community. To join the ACT Community, see [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md).
-
-- The count of active issues for the application.
-
-- The count of computers in your organization on which the application is installed.
-
-**To open the <OperatingSystem> - Application Report screen**
-
-1. In ACM, on the **Quick Reports** pane, click **Analyze**.
-
-2. In the **Quick Reports** pane, under an operating system heading, click **Applications**.
-
-## Using the <OperatingSystem> - Application Report Screen
-
-
-On the **<OperatingSystem> - Application Report** screen, you can perform the following actions:
-
-- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).
-
-- Choose whether to synchronize data for each application with the Microsoft Compatibility Exchange. For more information, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md).
-
-- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
-
-- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md).
-
-- Select your compatibility rating for an application. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).
-
-- Select your deployment status for an application. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md).
-
-- Assign categories and subcategories to an application. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).
-
-- Specify the importance of an application to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).
-
-- Double-click an application name to view the associated dialog box. For more information, see [<Application> Dialog Box](application-dialog-box.md).
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-operatingsystem-computer-report.md b/windows/plan/act-operatingsystem-computer-report.md
index 3547b28c17..bf508ee97a 100644
--- a/windows/plan/act-operatingsystem-computer-report.md
+++ b/windows/plan/act-operatingsystem-computer-report.md
@@ -1,62 +1,5 @@
---
title: OperatingSystem - Computer Report (Windows 10)
-ms.assetid: ed0a56fc-9f2a-4df0-8cef-3a09d6616de8
-description:
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# <OperatingSystem> - Computer Report
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The **<OperatingSystem> - Computer Report** screen shows the following information for each computer in your organization:
-
-- The computer name, domain, and operating system.
-
-- The count of applications and devices installed on the computer.
-
-- The count of installed applications and devices that have issues.
-
-**To open the <OperatingSystem> - Computer Report screen**
-
-1. In Application Compatibility Manager (ACM), on the **Quick Reports** pane, click **Analyze**.
-
-2. In the **Quick Reports** pane, under an operating system heading, click **Computers**.
-
-## Using the <OperatingSystem> - Computer Report Screen
-
-
-On the **<OperatingSystem> - Computer Report** screen, you can perform the following actions:
-
-- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).
-
-- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
-
-- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md).
-
-- Assign categories and subcategories to a computer. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).
-
-- Specify the importance of a computer to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).
-
-- Double-click a computer name to view its associated dialog box. For more information, see [<Computer> Dialog Box](computer-dialog-box.md).
-
-
-
-
-
-
-
-
-
+description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-operatingsystem-device-report.md b/windows/plan/act-operatingsystem-device-report.md
index 67e74536c6..6668aa3041 100644
--- a/windows/plan/act-operatingsystem-device-report.md
+++ b/windows/plan/act-operatingsystem-device-report.md
@@ -1,64 +1,5 @@
---
title: OperatingSystem - Device Report (Windows 10)
-ms.assetid: 8b5a936f-a92e-46a7-ac44-6edace262355
-description:
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# <OperatingSystem> - Device Report
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The **<OperatingSystem> - Device Report** screen shows the following information for each device installed in your organization:
-
-- The model and manufacturer of the device.
-
-- The class of device, as reported by the device.
-
-- An evaluation from the device manufacturer of whether the device works on a 32-bit operating system or a 64-bit operating system.
-
-- The count of computers on which the device is installed.
-
-**To open the <OperatingSystem> - Device Report screen**
-
-1. In Application Compatibility Manager (ACM), on the **Quick Reports** pane, click **Analyze**.
-
-2. In the **Quick Reports** pane, under an operating system heading, click **Devices**.
-
-## Using the <OperatingSystem> - Device Report Screen
-
-
-On the **<OperatingSystem> - Device Report** screen, you can:
-
-- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).
-
-- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
-
-- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md).
-
-- Assign categories and subcategories to a device. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).
-
-- Specify the importance of a device to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).
-
-- Double-click a device name to view its associated dialog box. For more information, see [<Device> Dialog Box](device-dialog-box.md).
-
-
-
-
-
-
-
-
-
+description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-product-and-documentation-resources.md b/windows/plan/act-product-and-documentation-resources.md
index 02677af71d..2c3290db5b 100644
--- a/windows/plan/act-product-and-documentation-resources.md
+++ b/windows/plan/act-product-and-documentation-resources.md
@@ -1,62 +1,8 @@
---
title: ACT Product and Documentation Resources (Windows 10)
description: The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT).
-ms.assetid: c7954b5a-164d-4548-af58-cd3a1de5cc43
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---
-
-# ACT Product and Documentation Resources
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT).
-
-## Information Related to the Application Compatibility Toolkit
-
-
-- [Microsoft SQL Server](http://go.microsoft.com/fwlink/p/?LinkId=184584). Use Microsoft SQL Server to take full advantage of ACT features. Visit the SQL Server home page for product information, technical resources, and support.
-
-- [Microsoft SQL Server Express Edition](http://go.microsoft.com/fwlink/p/?LinkId=690325). If you are not already running SQL Server, download a free version of SQL Server Express and its management tools.
-
-- [Microsoft System Center Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=690326). Visit the System Center Configuration Manager home page for product information, technical resources, and support.
-
-- [Microsoft Application Verifier](http://go.microsoft.com/fwlink/p/?LinkId=52529). Application Verifier is required by the Standard User Analyzer tool.
-
-## Information About Application Compatibility
-
-
-- [Application Compatibility home page](http://go.microsoft.com/fwlink/p/?LinkId=184586). Go here for general application compatibility information, including videos, key resources, advice, and technical guidance.
-
-- [Windows Developer Center home page](http://go.microsoft.com/fwlink/p/?LinkId=184587). Find information about the Windows SDK, including how to develop your application, how to get help with compatibility issues, and other development-related content.
-
-## Information About Windows Deployment
-
-
-- [Microsoft Deployment Toolkit](http://go.microsoft.com/fwlink/p/?LinkId=618117). Download the latest version of the Microsoft Deployment Toolkit (MDT) to assist with image creation and automated installation, reduce deployment time, standardize desktop and server images, limit service disruptions, reduce post-deployment help desk costs, and improve security and ongoing configuration management.
-
-- [Windows website](http://go.microsoft.com/fwlink/p/?LinkId=731). Visit the Windows home page for product information, technical resources, and support.
-
-## Related topics
-
-
-[Troubleshooting ACT](troubleshooting-act.md)
-
-[Using ACT](using-act.md)
-
-[Software Requirements for ACT](software-requirements-for-act.md)
-
diff --git a/windows/plan/act-settings-dialog-box-preferences-tab.md b/windows/plan/act-settings-dialog-box-preferences-tab.md
index 6af88e476e..eaa5fec362 100644
--- a/windows/plan/act-settings-dialog-box-preferences-tab.md
+++ b/windows/plan/act-settings-dialog-box-preferences-tab.md
@@ -1,65 +1,5 @@
---
title: Settings Dialog Box - Preferences Tab (Windows 10)
description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings.
-ms.assetid: deae2100-4110-4d72-b5ee-7c167f80bfa4
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Settings Dialog Box - Preferences Tab
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-To display the **Settings** dialog box, in Application Compatibility Manager (ACM), on the **Tools** menu, click **Settings**.
-
-In the **Settings** dialog box, on the **Preferences** tab, use the following controls to join or leave the ACT Community, send ACT usage data to Microsoft, or be notified when there are updates available for ACT.
-
-**Yes, I want to join the ACT Community**
-If this check box is selected, you are a member of the ACT Community and can share application compatibility data with other ACT users.
-
-If this check box is cleared, you still receive compatibility data from the Microsoft compatibility database, but not from other ACT users.
-
-For more information about the ACT Community, see [ACT Community Ratings and Process](act-community-ratings-and-process.md).
-
-**Send ACT usage data to Microsoft**
-If this check box is selected, the following ACT usage data is sent to Microsoft:
-
-- The version of SQL Server being used by the ACT database.
-
-- The count of 32-bit or 64-bit computers in your organization.
-
-- The count of computers running a Windows operating system.
-
-- The operating systems you intend to deploy into your organization.
-
-- The count of computers to which you deployed data-collection packages.
-
-If this check box is cleared, your ACT usage data is not sent to Microsoft.
-
-**Notify me when a newer version of ACT is available (recommended)**
-If this check box is selected, ACM notifies you when an update is available for ACT.
-
-## Related topics
-
-
-[Settings Dialog Box - Settings Tab](act-settings-dialog-box-settings-tab.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-settings-dialog-box-settings-tab.md b/windows/plan/act-settings-dialog-box-settings-tab.md
index 0f1b179b3c..30e7000dd2 100644
--- a/windows/plan/act-settings-dialog-box-settings-tab.md
+++ b/windows/plan/act-settings-dialog-box-settings-tab.md
@@ -1,66 +1,5 @@
---
title: Settings Dialog Box - Settings Tab (Windows 10)
description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings.
-ms.assetid: aeec1647-cf91-4f8b-9f6d-dbf4b898d901
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Settings Dialog Box - Settings Tab
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-To display the **Settings** dialog box, in Application Compatibility Manager (ACM), on the **Tools** menu, click **Settings**.
-
-In the **Settings** dialog box, on the **Settings** tab, use the following controls to modify the settings for your ACT database and ACT Log Processing Service.
-
-**SQL Server**
-Lists the database server name for the SQL Server database server that contains your ACT database.
-
-Click **Browse** to search for available database servers. A **Select Server** dialog box appears from which you can select the database server that contains your ACT database.
-
-**Database**
-Lists the database name of your ACT database.
-
-**Change**
-Opens the user interface where you can create, open, or migrate an ACT database.
-
-**This computer is configured as a Log Processing Service**
-If selected, indicates that this computer is used for the ACT Log Processing Service. Clear this check box to use a different computer to process the logs.
-
-If there is no designated ACT Log Processing Service, log processing defaults to the local computer.
-
-**Log Processing Service Account**
-Specifies the account information, including the account type and account credentials, to be used to start the ACT Log Processing Service.
-
-The account must have read and write access to the ACT database. For information about setting up database permissions for the ACT Log Processing Service, see [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md).
-
-**Log Share**
-Specifies the absolute path to the ACT Log Processing Service share where log files are processed. Click **Browse** to search for a location. The **Share as** box automatically updates to show the directory name.
-
-For information about ensuring that all computers can access the share, see [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md).
-
-## Related topics
-
-
-[Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-technical-reference.md b/windows/plan/act-technical-reference.md
index c05f03fc92..29e311a2f5 100644
--- a/windows/plan/act-technical-reference.md
+++ b/windows/plan/act-technical-reference.md
@@ -13,77 +13,37 @@ author: TrudyHa
**Applies to**
+- Windows 10, version 1607
+
+We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with Upgrade Analytics, a solution in the Microsoft Operations Management Suite. Upgrade Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released.
+
+Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+
+With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+
+Use Upgrade Analytics to get:
+- A visual workflow that guides you from pilot to production
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
+- Detailed computer and application inventory
-The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system.
+- Powerful computer level search and drill-downs
-By using ACT, you can obtain compatibility information from Microsoft and software vendors, identify compatibility issues within your own organization, and share compatibility ratings with other ACT users. The tools in ACT help you analyze and mitigate compatibility issues before you deploy a version of Windows to your organization.
+- Guidance and insights into application and driver compatibility issues, with suggested fixes
-ACT is available in the [Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740).
+- Data driven application rationalization tools
+
+- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
+
+- Data export to commonly used software deployment tools, including System Center Configuration Manager
+
+The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. For more information about Upgrade Analytics, see [Manage Windows upgrades with Upgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics)
+
+At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatiblility Administrator, which helps you to resolve potential compatibility issues.
## In this section
-
-
-
-
-
-Term
-Definition
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+|Topic |Description |
+|------|------------|
+|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. |
+|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. |
+|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. |
\ No newline at end of file
diff --git a/windows/plan/act-toolbar-icons-in-acm.md b/windows/plan/act-toolbar-icons-in-acm.md
index 9a0d2b3e79..bd6b97dcde 100644
--- a/windows/plan/act-toolbar-icons-in-acm.md
+++ b/windows/plan/act-toolbar-icons-in-acm.md
@@ -1,233 +1,5 @@
---
title: Toolbar Icons in ACM (Windows 10)
description: The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM).
-ms.assetid: 44872da1-c7ad-41b9-8323-d3c3f49b2706
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Toolbar Icons in ACM
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM).
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Ratings Icons in ACM](ratings-icons-in-acm.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-tools-packages-and-services.md b/windows/plan/act-tools-packages-and-services.md
index bf9c2bf728..7e20751a4a 100644
--- a/windows/plan/act-tools-packages-and-services.md
+++ b/windows/plan/act-tools-packages-and-services.md
@@ -1,60 +1,5 @@
---
title: ACT Tools, Packages, and Services (Windows 10)
description: The Application Compatibility Toolkit is included with the Windows ADK. Download the Windows ADK.
-ms.assetid: f5a16548-7d7b-4be9-835e-c06158dd0b89
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# ACT Tools, Packages, and Services
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Application Compatibility Toolkit is included with the Windows ADK. [Download the Windows ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
-
-ACT includes the following:
-
-- **Application Compatibility Manager (ACM):** A tool that you can use to create your data-collection packages and analyze the collected inventory and compatibility data.
-
-- **Inventory-collector package:** A data-collection package that can be deployed to computers to gather inventory data that will be uploaded to the ACT database.
-
-- **Runtime-analysis package:** A data-collection package that can be deployed to computers in a test environment for compatibility testing on the new operating system.
-
-- **ACT Log Processing Service (LPS):** A service that is used to process the ACT log files uploaded from the computers where your data-collection packages have been installed. The service adds the information to your ACT database.
-
-- **ACT LPS share:** A file share that is accessed by the ACT LPS, to store the log files that will be processed and added to the ACT database.
-
-- **ACT database:** A Microsoft® SQL Server database that stores the collected inventory and compatibility data. You can use ACM to view the information stored in the ACT database.
-
-- **Microsoft Compatibility Exchange:** A web service that propagates application-compatibility issues.
-
-## Related topics
-
-
-[ACT Deployment Options](act-deployment-options.md)
-
-[ACT Database Configuration](act-database-configuration.md)
-
-[ACT Database Migration](act-database-migration.md)
-
-[ACT LPS Share Permissions](act-lps-share-permissions.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/act-user-interface-reference.md b/windows/plan/act-user-interface-reference.md
index ff28470715..affbef996f 100644
--- a/windows/plan/act-user-interface-reference.md
+++ b/windows/plan/act-user-interface-reference.md
@@ -1,74 +1,5 @@
---
title: ACT User Interface Reference (Windows 10)
description: This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT).
-ms.assetid: 303d3dd7-2cc1-4f5f-b032-b7e288b04893
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# ACT User Interface Reference
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT).
-
-## In this section
-
-
-
-
-
-
-Icon
-Description
-Location
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Using ACT](using-act.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/activating-and-closing-windows-in-acm.md b/windows/plan/activating-and-closing-windows-in-acm.md
index dfa085659e..4640049e22 100644
--- a/windows/plan/activating-and-closing-windows-in-acm.md
+++ b/windows/plan/activating-and-closing-windows-in-acm.md
@@ -1,47 +1,8 @@
---
title: Activating and Closing Windows in ACM (Windows 10)
description: The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM).
-ms.assetid: 747bf356-d861-4ce7-933e-fa4ecfac7be5
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---
-
-# Activating and Closing Windows in ACM
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The **Windows** dialog box shows the windows that are open in Application Compatibility Manager (ACM).
-
-**To view a list of the open windows in ACM**
-
-- On the **Window** menu, click **Windows**.
-
-**To show an open window in ACM**
-
-- In the **Windows** dialog box, click the window name from the list of open windows, and then click **Activate**.
-
- The selected window appears on top of any others on your screen.
-
-**To close one or more windows in ACM**
-
-- In the **Windows** dialog box, click one or more window names from the list of open windows, and then click **Close Window(s)**.
-
-## Related topics
-
-
-[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md)
-
diff --git a/windows/plan/adding-or-editing-a-solution.md b/windows/plan/adding-or-editing-a-solution.md
index f16e5237b2..b5a52a45c2 100644
--- a/windows/plan/adding-or-editing-a-solution.md
+++ b/windows/plan/adding-or-editing-a-solution.md
@@ -1,105 +1,5 @@
---
title: Adding or Editing a Solution (Windows 10)
description: If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation.
-ms.assetid: 86cb8804-d577-4af6-b96f-5e0409784a23
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Adding or Editing a Solution
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation.
-
-## Adding Solutions for Compatibility Issues with Your Applications and Websites
-
-
-You can view or add solutions only for applications or websites.
-
-**Note**
-The following examples use the **<Application\_Name>** dialog box. The procedures for websites are similar.
-
-
-
-**To add a solution**
-
-1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application to display the **<Application\_Name>** dialog box.
-
-2. Click the **Issues** tab.
-
-3. On the **Actions** menu, click **Add Solution**.
-
-4. Enter the information from the following table, and then click **Save**.
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-**To edit an existing solution**
-
-1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application to display the <Application\_Name> dialog box.
-
-2. Click the **Issues** tab.
-
-3. Double-click the issue that includes the solution that you want to modify.
-
-4. Click the **Solutions** tab.
-
-5. Double-click the solution to edit.
-
-6. Modify the information about the solution, and then click **Save**.
-
- **Note**
- You can only modify your own solutions. You cannot modify solutions entered by other users.
-
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/adding-or-editing-an-issue.md b/windows/plan/adding-or-editing-an-issue.md
index 75e4e67390..08d2098675 100644
--- a/windows/plan/adding-or-editing-an-issue.md
+++ b/windows/plan/adding-or-editing-an-issue.md
@@ -1,115 +1,5 @@
---
title: Adding or Editing an Issue (Windows 10)
description: In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover.
-ms.assetid: 8a9fff79-9f88-4ce2-a4e6-b9382f28143d
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Adding or Editing an Issue
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover.
-
-You can use the Microsoft Compatibility Exchange to share compatibility information with others. For information about the Microsoft Compatibility Exchange, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
-
-## Adding Issues for Your Applications and Websites
-
-
-You can view or add issues only for applications or websites.
-
-**Note**
-The following examples use the **<Application\_Name>** dialog box. The procedures are similar for websites.
-
-
-
-**To add an issue**
-
-1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application to display the **<Application\_Name>** dialog box.
-
-2. On the **Actions** menu, click **Add Issue**.
-
-3. Enter the information from the following table, and then click **Save**.
-
-
-
-
-
- Field
- Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-**To edit an existing issue**
-
-1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application that includes the issue you want to modify.
-
-2. In the **<Application\_Name>** dialog box, click the **Issues** tab, and then double-click the specific issue to be edited.
-
-3. Modify the issue information, and then click **Save**.
-
- **Note**
- You can modify your own issues. You cannot modify issues entered by another user.
-
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/analyzing-your-compatibility-data.md b/windows/plan/analyzing-your-compatibility-data.md
index 30f6a43c24..2d69b55931 100644
--- a/windows/plan/analyzing-your-compatibility-data.md
+++ b/windows/plan/analyzing-your-compatibility-data.md
@@ -1,80 +1,5 @@
---
title: Analyzing Your Compatibility Data (Windows 10)
description: This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM).
-ms.assetid: b98f3d74-fe22-41a2-afe8-2eb2799933a1
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Analyzing Your Compatibility Data
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM).
-
-## In this section
-
-
-
-
-
-
- Field
- Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md)
-
-[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md)
-
-[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md)
-
-[Fixing Compatibility Issues](fixing-compatibility-issues.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/application-dialog-box.md b/windows/plan/application-dialog-box.md
index c8d9515fa6..7615d0949e 100644
--- a/windows/plan/application-dialog-box.md
+++ b/windows/plan/application-dialog-box.md
@@ -1,126 +1,5 @@
---
title: Application Dialog Box (Windows 10)
description: In Application Compatibility Manager (ACM), the Application dialog box shows information about the selected application.
-ms.assetid: a43e85a6-3cd4-4235-bc4d-01e4d097db7e
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# <Application> Dialog Box
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-In Application Compatibility Manager (ACM), the *<Application>* dialog box shows information about the selected application.
-
-**To open the <Application> dialog box**
-
-1. In ACM, in the **Quick Reports** pane, click **Analyze**.
-
-2. Under an operating system heading, click **Applications**.
-
-3. Double-click the name of an application.
-
-## Tabs in the <Application> dialog box
-
-
-The following table shows the information available in the *<Application>* dialog box.
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Using the <Application> Dialog Box
-
-
-In the **<Application>** dialog box, you can perform the following actions:
-
-- Select your compatibility rating for the application. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).
-
-- Select your deployment status for the application. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md).
-
-- Assign categories and subcategories to the application. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).
-
-- Specify the importance of the application to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).
-
-- Choose whether to synchronize data for the application with the Microsoft Compatibility Exchange. For more information, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md).
-
-- Add, edit, or resolve an issue for the selected application, and add or edit solutions. For more information, see [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md).
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md b/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md
index 8076d0787c..a83be4fbc1 100644
--- a/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md
+++ b/windows/plan/available-data-types-and-operators-in-compatibility-administrator.md
@@ -222,8 +222,6 @@ The following table shows the operators that you can use for querying your custo
## Related topics
-
-
[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
diff --git a/windows/plan/best-practice-recommendations-for-windows-to-go.md b/windows/plan/best-practice-recommendations-for-windows-to-go.md
index c9cc2ac741..33789da365 100644
--- a/windows/plan/best-practice-recommendations-for-windows-to-go.md
+++ b/windows/plan/best-practice-recommendations-for-windows-to-go.md
@@ -5,7 +5,7 @@ ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86
keywords: best practices, USB, device, boot
ms.prod: w10
ms.mktglfcycl: plan
-pagetype: mobility
+ms.pagetype: mobility
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/plan/categorizing-your-compatibility-data.md b/windows/plan/categorizing-your-compatibility-data.md
index f00d576eee..e77b9ca34e 100644
--- a/windows/plan/categorizing-your-compatibility-data.md
+++ b/windows/plan/categorizing-your-compatibility-data.md
@@ -1,90 +1,5 @@
---
title: Categorizing Your Compatibility Data (Windows 10)
-ms.assetid: 6420f012-316f-4ef0-bfbb-14baaa664e6e
-description:
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Categorizing Your Compatibility Data
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-To customize and filter your compatibility reports, you can create categories and subcategories to assign to your applications, computers, devices, and websites. By default, Microsoft provides the following categories:
-
-- **Software Vendor**. In this category, you can, for example, create a subcategory for each vendor. You can then use this category to generate reports by software vendor, which can be helpful when having discussions with a specific vendor or evaluating the vendor’s performance relative to your compatibility requirements.
-
-- **Test Complexity**. You can use this category to help with planning and assigning test resources. You can, for example, create subcategories like Critical and Nice-to-Have.
-
-Categories are extensible, multiple-selection string values, so you can use them for almost anything. For example, you can create a category for signoff from multiple owners so that software can be authorized only when all categories have been selected, indicating that each group has signed off.
-
-As another example, you can create a category for unit of deployment. You can use subcategories such as Division and Region. You can use this category to track the software needs of a specific deployment unit. This way, you can see when the software required by the unit has been tested, approved, and is ready for deployment to the unit.
-
-**Note**
-The following examples use the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. You can also complete these procedures in the reports for computers, devices, and websites.
-
-
-
-## Creating, Renaming, or Deleting Categories and Subcategories
-
-
-You can manage your categories and subcategories from both the report screen and report-details screen.
-
-**To create, rename, or delete a category or subcategory**
-
-1. On the **<Operating\_System> - Application Report** screen, click any application name.
-
-2. On the **Actions** menu, click **Assign Categories**.
-
-3. Click **Category List**.
-
-4. In the **Categories** or **Subcategories** area, do any or all of the following:
-
- - Add a category or subcategory, by clicking **Add**. Type the name of your new category or subcategory, and then click outside the active text area.
-
- You must create at least one subcategory before a category will appear in the **Assign Categories** dialog box.
-
- - Rename a category or subcategory, by selecting the item and then clicking **Rename**. Type the new name, and then click outside the active text area.
-
- - Delete a category or subcategory, by selecting the item and then clicking **Remove**.
-
-5. After you have finished adding, renaming, and deleting categories and subcategories, click **OK** to close the **Category List** dialog box.
-
-## Assigning Data to a Category and Subcategory
-
-
-You can assign categories and subcategories from both the report screen and report-details screen.
-
-**To assign and unassign categories and subcategories**
-
-1. On the **<Operating\_System> - Application Report** screen, click the application name.
-
-2. On the **Actions** menu, click **Assign Categories**.
-
-3. To assign a category, select the check box next to the applicable category or subcategory.
-
- To unassign a category, clear the check box.
-
-4. Click **OK**.
-
- You can use the query builder to filter based on this information.
-
-
-
-
-
-
-
-
-
+description: Steps to customize and filter your compatibility reports through categories and subcategories.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
index 4f0b96a684..3fdb201110 100644
--- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md
+++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
@@ -13,6 +13,14 @@ author: TrudyHa
This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## July 2016
+
+
+| New or changed topic | Description |
+|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
+|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.|
+| [Windows 10 servicing overview](windows-10-servicing-options.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../manage/introduction-to-windows-10-servicing.md) page. |
+
## May 2016
diff --git a/windows/plan/common-compatibility-issues.md b/windows/plan/common-compatibility-issues.md
index 4e96594b85..0883298316 100644
--- a/windows/plan/common-compatibility-issues.md
+++ b/windows/plan/common-compatibility-issues.md
@@ -1,58 +1,6 @@
---
title: Common Compatibility Issues (Windows 10)
ms.assetid: f5ad621d-bda2-45b5-ae85-bc92970f602f
-description:
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Common Compatibility Issues
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-Compatibility issues tend to occur with the following technologies:
-
-- **User Account Control (UAC)**: Adds security to Windows by limiting administrator-level access to the computer, restricting most users to running as Standard Users. UAC limits the context in which a process executes to minimize the ability of the user to inadvertently expose the computer to viruses or other malware. UAC affects any application installer or update that requires Administrator permissions to run, performs Administrator checks or actions, or attempts to write to a non-virtualized registry location.
-
-- **Windows Resource Protection (WRP)**: Enables applications to function properly even if an application attempts to write to protected system files or registry locations. WRP creates a temporary work area and redirects write actions for the application session. WRP affects any application installation that attempts to replace, modify, or delete protected operating system files or registry keys. Attempts typically fail and return an Access Denied error.
-
-- **Internet Explorer Protected Mode**: Helps to defend against elevation-of-privilege attacks by restricting the ability to write to any local-computer-zone resources other than temporary Internet files. This mode affects any website or web application that attempts to modify user files or registry keys or that attempts to open a new window in another domain.
-
-- **Deprecation**: Any application that uses .dll files, executable (.exe) files, COM objects, registry keys, APIs, or other files that have been deprecated from previous versions of Windows may lose functionality or fail to start.
-
-- **Graphical Identification and Authentication (GINA) DLL**: Prior to the release of Windows Vista, independent software vendors (ISVs) were able to modify authentication by installing a GINA DLL. The GINA DLL performed the user identification and authentication.
-
- The current authentication model does not require the GINA DLL and ignores all previous GINA DLLs. This change affects any application or hardware component that attempts to log on by using customized logon applications, including biometric devices (fingerprint readers), customized user interfaces, and virtual private network (VPN) solutions for remote users with customized logon user interfaces.
-
-- **Session 0**: Prior to the release of Windows Vista, the first user who logged on to a computer ran in Session 0, which is the same session that is used for system services. The current model requires all users to run in Session 1 or later so that no user runs in the same session as the system services. Applications will fail to start if they depend on *interactive services*. An interactive service is any service that attempts to send a window message, attempts to locate a window or additional service, or attempts to run any user processes that open the same named object, unless it is a globally named object.
-
-- **Windows Filtering Platform (WFP)**: WFP is an API that enables developers to create code that interacts with the filtering that occurs at several layers in the networking stack and throughout the operating system. If you are using a previous version of the WFP API in your environment, you might experience failures when running network-scanning, antivirus, or firewall applications.
-
-- **Operating System Version Changes**: The operating system version number changes with each operating system release. The **GetVersion** function returns the version number when queried by an application. This change affects any application or application installer that specifically checks for the operating system version and might prevent the installation from occurring or the application from running.
-
-- **Windows 64-bit**: 64-bit versions of Windows use the Windows on Windows 64 (WOW64) emulator. This emulator enables the 64-bit operating system to run 32-bit applications. The use of this emulator might cause an application or a component that uses 16-bit executables or installers, or 32-bit kernel drivers, to fail to start or to function incorrectly.
-
-## Related topics
-
-
-[Using Compatibility Monitor to Send Feedback](using-compatibility-monitor-to-send-feedback.md)
-
-
-
-
-
-
-
-
-
+description: List of common compatibility issues, based on the type of technology.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md b/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md
index f608310bd6..fe4aede4bb 100644
--- a/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md
+++ b/windows/plan/compatibility-fix-database-management-strategies-and-deployment.md
@@ -161,15 +161,4 @@ End Function
Most of your testing of application-compatibility issues will happen prior to the deployment of a new Windows operating system into your environment. As such, a common approach is to include the custom compatibility-fix database, which includes all of your known issues, in your corporate image. Then, as you update your compatibility-fix database, you can provide the updates by using one of the two mechanisms described in the "Deploying Your Custom Compatibility Fix Databases" section earlier in this topic.
## Related topics
-
-
-[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
-
-
-
-
-
-
-
-
-
+[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
\ No newline at end of file
diff --git a/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
index 688cf0a0d5..9e9c9f6ada 100644
--- a/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
+++ b/windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
@@ -1009,15 +1009,4 @@ The following table lists the known compatibility modes.
-
-
-
-Tab
-Information
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Deciding Which Applications to Test](deciding-which-applications-to-test.md)
-
-[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md)
-
-[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md)
-
-[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/computer-dialog-box.md b/windows/plan/computer-dialog-box.md
index b191d79a79..89054bac9a 100644
--- a/windows/plan/computer-dialog-box.md
+++ b/windows/plan/computer-dialog-box.md
@@ -1,109 +1,5 @@
---
title: Computer Dialog Box (Windows 10)
description: In Application Compatibility Manager (ACM), the Computer dialog box shows information about the selected computer.
-ms.assetid: f89cbb28-adcd-41cd-9a54-402bc4aaffd9
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# <Computer> Dialog Box
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-In Application Compatibility Manager (ACM), the *<Computer>* dialog box shows information about the selected computer.
-
-**To open the <Computer> dialog box**
-
-1. In ACM, in the **Quick Reports** pane, click **Analyze**.
-
-2. Under an operating system heading, click **Computers**.
-
-3. Double-click the name of a computer.
-
-## Tabs in the <Computer> dialog box
-
-
-The following table shows the information available in the *<Computer>* dialog box.
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-## Using the <Computer> Dialog Box
-
-
-In the *<Computer>* dialog box, you can perform the following actions:
-
-- Assign categories and subcategories to the computer. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).
-
-- Specify the importance of the computer to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/configuring-act.md b/windows/plan/configuring-act.md
index f5803ddd81..372e1dcaf1 100644
--- a/windows/plan/configuring-act.md
+++ b/windows/plan/configuring-act.md
@@ -1,90 +1,5 @@
---
title: Configuring ACT (Windows 10)
description: This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization.
-ms.assetid: aacbe35e-ea40-47ac-bebf-ed2660c8fd86
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Configuring ACT
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization.
-
-## In this section
-
-
-
-
-
-
-Tab
-Information
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Welcome to ACT](welcome-to-act.md)
-
-[Using ACT](using-act.md)
-
-[Troubleshooting ACT](troubleshooting-act.md)
-
-[ACT User Interface Reference](act-user-interface-reference.md)
-
-[ACT Product and Documentation Resources](act-product-and-documentation-resources.md)
-
-[ACT Glossary](act-glossary.md)
-
-[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
index a88189a7a2..90b404e888 100644
--- a/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
+++ b/windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
@@ -69,8 +69,6 @@ If you are unable to find a preloaded compatibility fix for your application, yo
By default, Compatibility Administrator selects the basic matching criteria for your application. As a best practice, use a limited set of matching information to represent your application, because it reduces the size of the database. However, make sure you have enough information to correctly identify your application.
## Related topics
-
-
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
diff --git a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
index ac5091d0bb..789f3199ca 100644
--- a/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
+++ b/windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
@@ -74,8 +74,6 @@ A compatibility mode includes a set of compatibility fixes and must be deployed
The compatibility mode is added to your custom database.
## Related topics
-
-
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
diff --git a/windows/plan/creating-a-runtime-analysis-package.md b/windows/plan/creating-a-runtime-analysis-package.md
index 04411a5fa7..e6b56c752b 100644
--- a/windows/plan/creating-a-runtime-analysis-package.md
+++ b/windows/plan/creating-a-runtime-analysis-package.md
@@ -1,59 +1,8 @@
---
title: Creating a Runtime-Analysis Package (Windows 10)
description: In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment.
-ms.assetid: 3c703ebe-46b3-4dcd-b355-b28344bc159b
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---
-
-# Creating a Runtime-Analysis Package
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment.
-
-**To create a runtime-analysis package**
-
-1. In ACM, click **Collect** to open the Collect screen.
-
-2. On the **File** menu, click **New**.
-
-3. Click **Runtime application testing**.
-
-4. Provide the information that is requested for the package, and then click **Create**.
-
-5. Navigate to the location where you want to save the Windows installer (.msi) file for the package.
-
- This .msi file is the file that you can use to install the runtime-analysis package on each computer in your test environment.
-
-6. Type a file name for the .msi file, and then click **Save**.
-
-7. Click **Finish**.
-
-## Related topics
-
-
-[Deciding Which Applications to Test](deciding-which-applications-to-test.md)
-
-[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md)
-
-[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md)
-
-[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md)
-
-
-
diff --git a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md
index 5b48ebdbb8..f63dd95d8f 100644
--- a/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md
+++ b/windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md
@@ -89,15 +89,4 @@ The following issues might occur with computers running Windows 2000:
- Copying an AppHelp entry for a system database or a custom-compatibility fix from a system database might cause Compatibility Administrator to hide the descriptive text.
## Related topics
-
-
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-
-
-
-
-
-
-
-
-
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
\ No newline at end of file
diff --git a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md
index 840fa87695..2953ad9c9f 100644
--- a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md
+++ b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md
@@ -1,115 +1,5 @@
---
title: Creating an Enterprise Environment for Compatibility Testing (Windows 10)
description: The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment.
-ms.assetid: cbf6d8b6-7ebc-4faa-bbbd-e02653ed4adb
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Creating an Enterprise Environment for Compatibility Testing
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. Your test environment is composed of computers on which the new operating system is installed. Your test environment can be a long-term investment. Consider retaining the test environment after deployment to assist in future deployment projects.
-
-## Modeling the Production Environment
-
-
-We recommend the following practices for setting up your test environment:
-
-- Physically separate your test environment from your production environment. Physical separation helps ensure that activity in the test environment does not affect the production environment.
-
-- On the computers in your test environment, install the new operating system.
-
-- Perform all of your tests by using accounts that have similar permissions to the accounts in your production environment. This approach helps to ensure that you can determine potential security issues.
-
-## Configuring the Test Environment for Automated Testing
-
-
-Typically, tests are run more than once, which requires being able to revert your test environment to a previous state. We recommend the following practices to ensure consistency in testing and consistency in restoring the state of your test environment:
-
-- Use disk-imaging software to create physical disk images.
-
-- Use software virtualization features to reverse changes to virtualized hard disks.
-
-## Determining When Virtualization Is Appropriate
-
-
-The following table shows some of the advantages and disadvantages of virtualization.
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Testing Methodology
-
-
-When testing an application in a new operating system, we recommend the following methods:
-
-- Retain the default security-feature selections.
-
-- Use test automation tools to run your test cases in a consistent, reproducible way.
-
-- Use your application in the same way that you use it in your production environment.
-
-- Use the Compatibility Monitor tool in the runtime-analysis package to gather compatibility feedback.
-
-- Send and receive compatibility data to obtain data and solutions through the Microsoft Compatibility Exchange.
-
-- When testing a website or a web application, include both intranet and extranet sites, prioritizing the list based on how critical the site or the application is to your organization.
-
-## Related topics
-
-
-[Deciding Which Applications to Test](deciding-which-applications-to-test.md)
-
-[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md)
-
-[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md)
-
-[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/creating-an-inventory-collector-package.md b/windows/plan/creating-an-inventory-collector-package.md
index c174e746e0..c52e8f3965 100644
--- a/windows/plan/creating-an-inventory-collector-package.md
+++ b/windows/plan/creating-an-inventory-collector-package.md
@@ -1,58 +1,5 @@
---
title: Creating an Inventory-Collector Package (Windows 10)
description: You can use Application Compatibility Manager (ACM) to create an inventory-collector package.
-ms.assetid: 61d041d6-e308-47b3-921b-709d72926d6d
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Creating an Inventory-Collector Package
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can use Application Compatibility Manager (ACM) to create an inventory-collector package. You can then deploy the inventory-collector package to other computers to gather inventory data. The package uploads inventory data to the Application Compatibility Toolkit (ACT) database.
-
-**To create an inventory-collector package**
-
-1. In ACM, click **Collect** to open the **Collect** screen.
-
-2. On the **File** menu, click **New**.
-
-3. Click **Application inventory**.
-
-4. Provide the information that is requested for the package, and then click **Create**.
-
-5. Browse to the location where you want to save the Windows® Installer (.msi) file for the package.
-
- You can use this .msi file to install the inventory-collector package on each computer for which you want to gather inventory data.
-
-6. Type a file name for the .msi file, and then click **Save**.
-
-7. Click **Finish**.
-
-## Related topics
-
-
-[Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md)
-
-[Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/creating-and-editing-issues-and-solutions.md b/windows/plan/creating-and-editing-issues-and-solutions.md
index 0ce76a3f2f..e1897a0122 100644
--- a/windows/plan/creating-and-editing-issues-and-solutions.md
+++ b/windows/plan/creating-and-editing-issues-and-solutions.md
@@ -1,65 +1,5 @@
---
title: Creating and Editing Issues and Solutions (Windows 10)
description: This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange.
-ms.assetid: b64fe4e0-24bd-4bbd-9645-80ae5644e774
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Creating and Editing Issues and Solutions
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange.
-
-## In this section
-
-
-
-
-
-
-Advantages
-Disadvantages
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/customizing-your-report-views.md b/windows/plan/customizing-your-report-views.md
index a68961a2e6..1c69e77305 100644
--- a/windows/plan/customizing-your-report-views.md
+++ b/windows/plan/customizing-your-report-views.md
@@ -1,149 +1,5 @@
---
title: Customizing Your Report Views (Windows 10)
description: You can customize how you view your report data in Application Compatibility Manager (ACM).
-ms.assetid: ba8da888-6749-43b4-8efb-4f26c7954721
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Customizing Your Report Views
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can customize how you view your report data in Application Compatibility Manager (ACM).
-
-## Modifying the <Operating\_System> Reports View
-
-
-You can choose which operating systems ACM shows in the compatibility reports. For operating systems that you exclude from the reports, the data continues to be collected but ACM does not display it.
-
-If you are using ACM on multiple computers that access the same ACT database, when you remove an operating system from your reports, all of the computers running ACM no longer show the operating system.
-
-**To add or remove an operating system from the Quick Reports pane**
-
-1. On the **Analyze** screen, at the bottom of the **Quick Reports** pane, click **Customize this view**.
-
-2. In the **Deployment Reports** area, select the check boxes for the operating systems you want to show in your reports, and then click **OK**.
-
-3. Select the architectures, **32-bit**, **64-bit**, or **Both**, for which you want to see compatibility ratings in the report screens.
-
-## Adding and Removing Columns from the Report Views
-
-
-You can add and remove columns from most of the report screens. In the report dialog boxes, you cannot add or remove columns, but you can reorder the columns.
-
-**To add or remove a column**
-
-1. On the selected report screen, right-click the column headings, and then click **Column Options**.
-
-2. Select the check box next to any column that you want to add, and clear the check box next to any column that you want to remove.
-
-3. If you want, reorder the columns by using the **Move Up** and **Move Down** buttons.
-
-4. Click **OK**.
-
-### Columns by Screen
-
-The following table shows the columns that are available for each screen.
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md
index 8bb30d37a8..97e2f14378 100644
--- a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md
+++ b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md
@@ -1,239 +1,5 @@
---
title: Data Sent Through the Microsoft Compatibility Exchange (Windows 10)
description: The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community.
-ms.assetid: 3ec61e33-9db8-4367-99d5-e05c2f50e144
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Data Sent Through the Microsoft Compatibility Exchange
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community.
-
-## Data Sent to Microsoft
-
-
-During synchronization, the Microsoft Compatibility Exchange sends the following information to Microsoft Corporation:
-
-- **Application information and properties**. This data includes the application name, the vendor, the version number, the language, and the deployment type.
-
-The data-synchronization process does not send your list of URLs visited as part of the information exchange.
-
-## Data Sent to the ACT Community
-
-
-The Microsoft Compatibility Exchange sends the following information to the ACT Community for each application that you decide to share with the ACT Community:
-
-- **Application information and properties**. This data includes the application name, the vendor, the version number, the language, and the deployment type.
-
-- **Miscellaneous data**. This data includes:
-
- - The database GUID that identifies the organization that is the source of the data.
-
- - The issue data.
-
- - The issue ID.
-
- - The platform and destination operating system.
-
- - The severity.
-
- - The cause.
-
- - The symptom.
-
- - The solution data.
-
- - The solution type.
-
- - The issue and solution provider.
-
- - The issue and solution subprovider.
-
- - The issue and solution published date.
-
- - Your risk assessment.
-
-The data-synchronization process does not send your list of URLs visited as part of the information exchange.
-
-## Data Matching
-
-
-After you send your data, the Microsoft Compatibility Exchange matches your application properties against the known issues listed in the Application Profile database. The Microsoft Compatibility Exchange downloads any issues and corresponding solutions that match your application set and then stores the information in your ACT database.
-
-## Data Sent From Microsoft and ISVs
-
-
-For each application that matches an application in the Application Profile database, the Microsoft Compatibility Exchange returns the following information, provided by authoritative sources including Microsoft Corporation and independent software vendors (ISVs).
-
-
-
-
-
-Screen
-Default columns
-Additional columns
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Data Sent From the ACT Community
-
-
-For each application that matches an application in the Application Profile database, the Microsoft Compatibility Exchange returns the following ACT Community information, which you receive only if you are a member of the ACT Community:
-
-
-
-
-
-Data
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md)
-
-[Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md
index 0bf24136b1..d4d3319cbc 100644
--- a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md
+++ b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md
@@ -1,54 +1,5 @@
---
title: Deciding Whether to Fix an Application or Deploy a Workaround (Windows 10)
description: You can fix a compatibility issue by changing the code for the application or by deploying a workaround.
-ms.assetid: e495d0c8-bfba-4537-bccd-64c4b52206f1
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Deciding Whether to Fix an Application or Deploy a Workaround
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can fix a compatibility issue by changing the code for the application or by deploying a workaround.
-
-## Fixing an Application
-
-
-Fixing an application by changing the code is often the recommended way to address a compatibility issue. Although applying a fix to the code might involve higher initial costs or additional development time, it can limit long-term maintenance or operational costs. After you change the code, all users can use the application without encountering the issue.
-
-If you do not have access to the code, or if you do not have the time and resources to apply a fix, an alternative approach is to deploy a workaround.
-
-## Deploying a Workaround
-
-
-A workaround involves applying alternative registry settings to address a compatibility issue. Deploying a workaround might be quicker and easier than changing the code, but you can incur long-term maintenance or operational costs. For example, you must make sure that new users have the correct set of features enabled or disabled on their computers. Using a workaround might also make your application or systems less secure. However, the overall security enhancement associated with deploying the newer version of Windows® may more than offset this reduction in security.
-
-Consider changing registry settings as a short-term solution while you develop the long-term solution of changing the code.
-
-## Related topics
-
-
-[SUA User's Guide](sua-users-guide.md)
-
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/deciding-which-applications-to-test.md b/windows/plan/deciding-which-applications-to-test.md
index a0d4d06986..4b548c65f6 100644
--- a/windows/plan/deciding-which-applications-to-test.md
+++ b/windows/plan/deciding-which-applications-to-test.md
@@ -1,54 +1,5 @@
---
title: Deciding Which Applications to Test (Windows 10)
description: Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing.
-ms.assetid: d7c1c28f-b7b4-43ac-bf87-2910a2b603bf
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Deciding Which Applications to Test
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing.
-
-**To choose the applications to include in compatibility testing**
-
-1. Gather your application and device inventory. For more information, see [Taking Inventory of Your Organization](taking-inventory-of-your-organization.md).
-
-2. Use the Microsoft Compatibility Exchange to get the latest compatibility ratings. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
-
-3. Organize and group your applications, and determine which applications need to be tested. For more information, see [Organizing Your Compatibility Data](organizing-your-compatibility-data.md).
-
- After completing these steps, you can then start creating and deploying your runtime-analysis packages to the test environment for your compatibility testing.
-
-## Related topics
-
-
-[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md)
-
-[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md)
-
-[Deploying a Runtime-Analysis Package](deploying-a-runtime-analysis-package.md)
-
-[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/deleting-a-data-collection-package.md b/windows/plan/deleting-a-data-collection-package.md
index 002a431377..c5401542c9 100644
--- a/windows/plan/deleting-a-data-collection-package.md
+++ b/windows/plan/deleting-a-data-collection-package.md
@@ -1,52 +1,5 @@
---
title: Deleting a Data-Collection Package (Windows 10)
description: In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database.
-ms.assetid: 1b397d7a-7216-4078-93d9-47c7becbf73e
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Deleting a Data-Collection Package
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database.
-
-You cannot undo the deletion of a data-collection package. If you mistakenly delete a data-collection package, you must create a new package to replace the deleted package.
-
-**To delete a data-collection package**
-
-1. In ACM, click **Collect** to open the Collect screen.
-
-2. Select the data-collection package that you want to delete, and then press the DELETE key.
-
-3. In the confirmation box, click **Yes**.
-
-## Related topics
-
-
-[Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md)
-
-[Exporting a Data-Collection Package](exporting-a-data-collection-package.md)
-
-[Labeling Data in ACM](labeling-data-in-acm.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/deploy-windows-10-in-a-school.md b/windows/plan/deploy-windows-10-in-a-school.md
index dd53f66282..590e3606e6 100644
--- a/windows/plan/deploy-windows-10-in-a-school.md
+++ b/windows/plan/deploy-windows-10-in-a-school.md
@@ -142,7 +142,7 @@ You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 6
>**Note:** If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system.
-For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT).
+For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com//library/dn759415.aspx#InstallingaNewInstanceofMDT).
Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices.
@@ -336,7 +336,7 @@ Now that you have an Office 365 subscription, you need to determine how you will
In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
->**Note:** Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396).
+>**Note:** Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com//library/dn510997.aspx?f=255&MSPPError=-2147217396).
@@ -385,7 +385,7 @@ You can deploy the Azure AD Connect tool by using one of the following methods:
*Figure 7. Azure AD Connect in Azure*
-This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/en-us/library/dn635310.aspx).
+This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com//library/dn635310.aspx).
### Deploy Azure AD Connect on premises
@@ -436,8 +436,8 @@ Several methods are available to bulk-import user accounts into AD DS domains. T
|Method | Description and reason to select this method |
|-------| ---------------------------------------------|
-|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
-|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx).|
+|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
+|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com//scriptcenter/dd939958.aspx).|
|Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
-
-
-
-Data
-Description
-
-
-
-
-
-
-
-
1. Import operating systems
-Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench).
+Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench).
@@ -724,8 +724,8 @@ If you have Intune, you can deploy Windows Store apps after you deploy Windows 1
In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to:2. Import device drives
Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.
-Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench).
+Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench).
-
@@ -737,11 +737,11 @@ In addition, you must prepare your environment for sideloading (deploying) Windo
You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
@@ -757,7 +757,7 @@ For more information about how to create an MDT application for Window desktop a
-To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx?f=255&MSPPError=-2147217396).
+To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com//library/jj219423.aspx?f=255&MSPPError=-2147217396).
If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.
**Note:** You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
-For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
+For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
+For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench).
@@ -782,9 +782,9 @@ You can use Windows Deployment Services in conjunction with MDT to automatically
- [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx)
- The Windows Deployment Services Help file, included in Windows Deployment Services
- - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx)
+ - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com//library/jj648426.aspx)
-2. Add LTI boot images (Windows PE images) to Windows Deployment Services.
-For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench).Use of Microsoft accounts
You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
@@ -905,7 +905,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
**Note:** Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
-**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.
+**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com//library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.
**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.
@@ -913,7 +913,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
Restrict local administrator accounts on the devices
Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
-**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).
+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com//library/cc732525.aspx).
**Intune**. Not available.
@@ -921,7 +921,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
Restrict the local administrator accounts on the devices
Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
-**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).
+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com//library/cc732525.aspx).
**Intune**. Not available.
@@ -929,7 +929,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
Manage the built-in administrator account created during device deployment
When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.
-**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx).
+**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com//library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com//library/jj852165.aspx).
**Intune**. Not available.
@@ -953,7 +953,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
Control Windows Store access
You can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.
-**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).
+**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com//library/hh832040.aspx#BKMK_UseGP).
**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy.
@@ -989,13 +989,13 @@ Microsoft has several recommended settings for educational institutions. Table 1
Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
-For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/en-us/library/cc754948.aspx).
+For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com//library/cc754948.aspx).
#### To configure Group Policy settings
-1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/en-us/library/cc738830.aspx).
-2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/en-us/library/cc739902.aspx).
-3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx).
+1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com//library/cc738830.aspx).
+2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com//library/cc739902.aspx).
+3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com//library/cc738954(v=ws.10).aspx).
### Configure settings by using Intune
@@ -1006,9 +1006,9 @@ For more information about Intune, see [Documentation for Microsoft Intune](http
#### To configure Intune settings
1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune).
-2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646962.aspx).
-3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/en-us/library/dn646984.aspx).
-4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646959.aspx).
+2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com//library/dn646962.aspx).
+3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com//library/dn646984.aspx).
+4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com//library/dn646959.aspx).
### Deploy apps by using Intune
@@ -1041,14 +1041,14 @@ Prior to deployment of Windows 10, ensure that you complete the tasks listed in
Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
->**Note:** To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx).
+>**Note:** To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com//library/dn781089.aspx).
In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems.
#### To deploy Windows 10
1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide.
-2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Running%20the%20Deployment%20Wizard).
+2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com//library/dn759415.aspx#Running%20the%20Deployment%20Wizard).
### Set up printers
diff --git a/windows/plan/deploying-a-runtime-analysis-package.md b/windows/plan/deploying-a-runtime-analysis-package.md
index bf01c5258c..38f478a9b9 100644
--- a/windows/plan/deploying-a-runtime-analysis-package.md
+++ b/windows/plan/deploying-a-runtime-analysis-package.md
@@ -1,48 +1,5 @@
---
title: Deploying a Runtime-Analysis Package (Windows 10)
description: When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing.
-ms.assetid: 304bf0be-0e7c-4c5f-baac-bed7f8bef509
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Deploying a Runtime-Analysis Package
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing.
-
-For information about creating the test environment, see [Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md).
-
-To deploy a runtime-analysis package, you can use the same deployment methods that you might use to deploy an inventory-collector package. For information about deployment methods, see [Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md).
-
-## Related topics
-
-
-[Deciding Which Applications to Test](deciding-which-applications-to-test.md)
-
-[Creating an Enterprise Environment for Compatibility Testing](creating-an-enterprise-environment-for-compatibility-testing.md)
-
-[Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md)
-
-[Compatibility Monitor User's Guide](compatibility-monitor-users-guide.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/deploying-an-inventory-collector-package.md b/windows/plan/deploying-an-inventory-collector-package.md
index 406a2823fd..784ecd61b4 100644
--- a/windows/plan/deploying-an-inventory-collector-package.md
+++ b/windows/plan/deploying-an-inventory-collector-package.md
@@ -1,142 +1,5 @@
---
title: Deploying an Inventory-Collector Package (Windows 10)
-ms.assetid: 8726ff71-0d17-4449-bdb7-66957ae51c62
-description:
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-author: TrudyHa
----
-
-# Deploying an Inventory-Collector Package
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can use the following methods to deploy an inventory-collector package to the destination computers:
-
-- **Group Policy Software Installation.** This is a feature of Active Directory Domain Services in Windows Server. All computers to which you deploy the package must be part of the Active Directory forest.
-
-- **Logon script.** You can use Windows Script Host to create a logon script. Installing by using a logon script requires administrator credentials on the local computer.
-
-- **Microsoft® System Center Configuration Manager.** For information about how to use System Center Configuration Manager, see the product documentation.
-
-- **Manual distribution.** You can use a file server on the network as a software distribution point, or you can distribute removable media. User installation of an inventory-collector package requires administrator credentials on the local computer.
-
-**To deploy an inventory-collector package by using Group Policy Software Installation**
-
-1. Ensure that the computers to which you want to deploy the inventory-collector package are members of the Active Directory forest.
-
-2. Create a Group Policy Object (GPO) for publishing the inventory-collector package.
-
-3. Assign the GPO to the organizational units (OUs) that contain the set of computers.
-
-4. Create and publish a new software installation package by using Group Policy Software Installation.
-
- For information about the Group Policy Software Installation process, see [Best practices for Group Policy Software Installation](http://go.microsoft.com/fwlink/p/?LinkId=87996).
-
-**To assign a logon script for installing an inventory-collector package to an organizational unit**
-
-1. Create the logon script. The following script is an example.
-
- ``` syntax
- Set ws = WScript.CreateObject("WScript.Shell")
- ws.Run("\\servername\collector\package_name.exe")
- ```
-
- To keep the installation from running repeatedly, your script must create a marker.
-
- For more information about logon scripts, see [Assign a Logon Script to a User in the Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=87997).
-
-2. Save your script in the SYSVOL\\Scripts folder.
-
-3. Open the Active Directory Users and Computers console by clicking **Start**, clicking **All Programs**, clicking **Administrative Tools**, and then clicking **Active Directory Users and Computers**.
-
-4. Right-click the OU to which you intend to assign the logon script, click **Properties**, and then click the **Group Policy** tab.
-
-5. Click **New** to add a new GPO, or select an existing GPO and then click **Edit**.
-
-6. In the left pane, expand the **User Configuration** object, expand the **Windows Setting** object, and then click **Scripts (Logon/Logoff)**.
-
-7. In the right pane, double-click the **Logon** script.
-
-8. Click **Add**.
-
-9. Click **Browse**, browse to the \\\\*<domain>*\\Sysvol\\Scripts folder, select your script, and then click **Open**.
-
-10. Click **OK** to close the **Logon Properties** dialog box.
-
-11. Close the Group Policy Management console and the Active Directory Users and Computers console.
-
-12. On a computer that is a member of the domain and a part of the OU, log on as an OU user.
-
-13. Open a **Command Prompt** window, and then type `GPUPDATE /force` to force the update of the Group Policy setting.
-
-14. At the command prompt, type `RSOP.msc` to verify your Group Policy assignment.
-
-15. In the left pane, expand the **Computer Configuration** object, expand the **Windows Setting** object, and then click **Security Settings**.
-
-16. Expand **Account Policies**, click **Password Policy**, and verify the assigned Group Policy setting.
-
-17. Close the Resultant Set of Policy console and the **Command Prompt** window.
-
-**To deploy an inventory-collector package by using System Center Configuration Manager**
-
-1. Verify that the computers to which you want to deploy the package are included in your Configuration Manager inventory.
-
-2. Create a Configuration Manager computer collection that includes the computers.
-
-3. Create a shared folder that contains the source image of the inventory-collector package.
-
-4. Create a Configuration Manager package that is based on the source image from the shared folder.
-
- For more information, see [How to Create a Package](http://go.microsoft.com/fwlink/p/?LinkId=131355).
-
-5. Specify the Configuration Manager software distribution points.
-
-6. Create a Configuration Manager program that includes the required commands and command-line options to deploy the inventory-collector package.
-
- For more information, see [How to Create a Program](http://go.microsoft.com/fwlink/p/?LinkId=131356).
-
-7. Create a Configuration Manager advertisement that instructs Configuration Manager clients to run the program that you specified in the previous step.
-
- For more information, see [How to Create an Advertisement](http://go.microsoft.com/fwlink/p/?LinkId=131357).
-
-**To deploy an inventory-collector package from a network share**
-
-1. Store your package (.msi) file in a shared folder on the network.
-
-2. Notify the users of the computers that require the inventory-collector package to run the .msi file. For example, you might send an email message that includes a hyperlink to the shared folder.
-
-**To deploy an inventory-collector package to offline computers**
-
-1. In your inventory-collector package, specify a local output path for the log file.
-
-2. Burn your.msi file to removable media.
-
-3. Send the removable media to users of the offline computers.
-
-4. Instruct the users to run the .msi file and then return the generated log file. For example, the users might send the log file in an email message or place the file on a network share.
-
-## Related topics
-
-
-[Identifying Computers for Inventory Collection](identifying-computers-for-inventory-collection.md)
-
-[Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md)
-
-
-
-
-
-
-
-
-
+description: How to deploy an inventory-collector package to your destination computers.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/device-dialog-box.md b/windows/plan/device-dialog-box.md
index 7cd1c0d3ec..5d32e55b8f 100644
--- a/windows/plan/device-dialog-box.md
+++ b/windows/plan/device-dialog-box.md
@@ -1,90 +1,5 @@
---
title: Device Dialog Box (Windows 10)
description: In Application Compatibility Manager (ACM), the Device dialog box shows information about the selected device.
-ms.assetid: 5bd7cfda-31ea-4967-8b64-6c0425092f4e
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# <Device> Dialog Box
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-In Application Compatibility Manager (ACM), the *<Device>* dialog box shows information about the selected device.
-
-**To open the <Device> dialog box**
-
-1. In ACM, in the **Quick Reports** pane, click **Analyze**.
-
-2. Under an operating system heading, click **Devices**.
-
-3. Double-click the name of a device.
-
-## Tabs in the <Device> dialog box
-
-
-The following table shows the information available in the *<Device>* dialog box.
-
-Use of audio recording
Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
-**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx).
+**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com//library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com//library/ee791899.aspx).
**Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy.
-
-
-
-
-## Using the <Device> Dialog Box
-
-
-In the *<Device>* dialog box, you can perform the following actions:
-
-- Assign categories and subcategories to the device. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).
-
-- Specify the importance of the device to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).
-
-
-
-
-
-
-
-
-
+description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
+---
\ No newline at end of file
diff --git a/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
index 85c5e0ba27..7bcd802f03 100644
--- a/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
+++ b/windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
@@ -60,15 +60,4 @@ You can enable your disabled compatibility fixes at any time.
2. On the **Database** menu, click **Enable Entry**.
## Related topics
-
-
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-
-
-
-
-
-
-
-
-
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
\ No newline at end of file
diff --git a/windows/plan/example-filter-queries.md b/windows/plan/example-filter-queries.md
index 7b7732863d..8494d2a4b1 100644
--- a/windows/plan/example-filter-queries.md
+++ b/windows/plan/example-filter-queries.md
@@ -1,79 +1,5 @@
---
title: Example Filter Queries (Windows 10)
description: You can filter your compatibility-issue data or reports by selecting specific restriction criteria.
-ms.assetid: eae59380-56cc-4d57-bd2c-11a0e3c689c9
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Example Filter Queries
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can filter your compatibility-issue data or reports by selecting specific restriction criteria.
-
-## Example Queries
-
-
-The following sections show example queries created by using the Query Builder.
-
-### All Applications with Issues
-
-The following example query returns all applications that have one or more known issues.
-
-
-
-### All Applications with Solutions for Known Issues
-
-The following example query returns all applications that have solutions for their known issues.
-
-
-
-### All Applications with Specific Solution Types
-
-The following example query returns all applications that have a solution type of Application Update or Application Configuration.
-
-
-
-### All Applications with No Known Issues
-
-The following example query returns all applications that have no known issues.
-
-
-
-### All Applications with No Active Issues
-
-The following example query returns all applications that have no active issues.
-
-
-
-### All Applications Appearing in a Specific Category and Subcategory
-
-The following example query returns all applications that have a category of Department and a subcategory of either Human Resources or Finance.
-
-
-
-## Related topics
-
-
-[Filtering Your Compatibility Data](filtering-your-compatibility-data.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/exporting-a-data-collection-package.md b/windows/plan/exporting-a-data-collection-package.md
index 5baee693f6..e3b5a9ce64 100644
--- a/windows/plan/exporting-a-data-collection-package.md
+++ b/windows/plan/exporting-a-data-collection-package.md
@@ -1,54 +1,5 @@
---
title: Exporting a Data-Collection Package (Windows 10)
description: In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data.
-ms.assetid: 98fe19e4-9533-4ffc-a275-8b3776ee93ed
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Exporting a Data-Collection Package
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data.
-
-You can export only one data-collection package at a time.
-
-**To export a data-collection package**
-
-1. In ACM, click **Collect** to open the Collect screen.
-
-2. Select the data-collection package that you want to export.
-
-3. On the **File** menu, click **Export**.
-
-4. Navigate to the folder where you want to store the Windows installer (.msi) file for the data-collection package, and then click **Save**.
-
-## Related topics
-
-
-[Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md)
-
-[Deleting a Data-Collection Package](deleting-a-data-collection-package.md)
-
-[Labeling Data in ACM](labeling-data-in-acm.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/filtering-your-compatibility-data.md b/windows/plan/filtering-your-compatibility-data.md
index fcc724c2d5..83040f196c 100644
--- a/windows/plan/filtering-your-compatibility-data.md
+++ b/windows/plan/filtering-your-compatibility-data.md
@@ -1,115 +1,5 @@
---
title: Filtering Your Compatibility Data (Windows 10)
description: You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria.
-ms.assetid: b64267b5-83c0-4b4d-a075-0975d3a359c8
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Filtering Your Compatibility Data
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria.
-
-The following table shows the columns in Query Builder.
-
-
-
-
-
-Tab
-Information
-
-
-
-
-
-
-
-
-
-
-
-
-## Creating Basic Queries
-
-
-You can insert as many query clauses as you want to create a customized view of your compatibility data.
-
-**Note**
-The following examples use the **<Operating\_System> - Application Report** screen. The process is the same for other report types.
-
-
-
-**To create a basic query**
-
-1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**.
-
-2. In the Query Builder, enter your filter criteria, pressing the Tab key to add clauses.
-
- To delete a clause, right-click the row, and then click **Delete Clause**.
-
-3. Click **Refresh**.
-
- Your filtered results appear. To close the Query Builder, click **Toggle Filter** again.
-
-## Querying on Objects
-
-
-You can query your compatibility data based on its relationship with other objects. For example, in the applications report, you can query for applications that have corresponding issues. Fields that have a (+) suffix in Query Builder are collections of objects.
-
-**To query for a collection of objects**
-
-1. In Query Builder, in the **Field** column, click any field that contains a plus sign (+) as suffix.
-
-2. In the **Operator** column, select **Exists**, **Not Exists**, or **All Have**.
-
- Query Builder creates a group clause, which is shown by a bracket that spans the rows that are included in the group.
-
-3. Move your cursor to the next row in the group clause, and then in the **Field** column, select a field.
-
-4. In the **Operator** column, select an operator.
-
-5. In the **Value** column, enter a value, and then click **Refresh**.
-
-## Related topics
-
-
-[Example Filter Queries](example-filter-queries.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/fixing-compatibility-issues.md b/windows/plan/fixing-compatibility-issues.md
index b7f338d5ac..50f8032d64 100644
--- a/windows/plan/fixing-compatibility-issues.md
+++ b/windows/plan/fixing-compatibility-issues.md
@@ -1,78 +1,5 @@
---
title: Fixing Compatibility Issues (Windows 10)
description: This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues.
-ms.assetid: 30ba8d14-a41a-41b3-9019-e8658d6974de
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Fixing Compatibility Issues
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues.
-
-## In this section
-
-
-
-
-
-
-Column
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md)
-
-[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md)
-
-[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md)
-
-[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md)
-
-[Troubleshooting ACT](troubleshooting-act.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/identifying-computers-for-inventory-collection.md b/windows/plan/identifying-computers-for-inventory-collection.md
index a7378b9820..524304a7cf 100644
--- a/windows/plan/identifying-computers-for-inventory-collection.md
+++ b/windows/plan/identifying-computers-for-inventory-collection.md
@@ -1,104 +1,5 @@
---
title: Identifying Computers for Inventory Collection (Windows 10)
-ms.assetid: f5bf2d89-fff2-4960-a153-dc1146b442fb
-description:
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-author: TrudyHa
----
-
-# Identifying Computers for Inventory Collection
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-An inventory-collector package gathers inventory data from the computers on which it is installed. This data includes the following:
-
-- **System inventory.** Information about the client computer. This information includes the memory capacity, the processor speed, and the processor architecture.
-
-- **Device inventory.** Information about the devices that are installed on the client computer. This information includes the model, the manufacturer, and the device class.
-
-- **Software inventory.** An inventory of the applications that are installed on the computer. This information includes system technologies such as Windows® Installer.
-
-To generate a complete inventory and obtain a comprehensive view of your organization, inventory all computers. However, remember that deploying inventory-collector packages to all computers in your organization will require the additional work of analyzing and reducing a larger list of applications. If you do not have the resources to deploy to all computers or you cannot process a larger list of applications, consider deploying inventory-collector packages to representative subsets of computers instead.
-
-If you decide to deploy inventory-collector packages to representative subsets of computers in your organization, consider the following:
-
-- [Managed and Unmanaged Environments](#bmk-managedunmanaged)
-
-- [Role-Based Applications](#bmk-rolebasedapplications)
-
-- [Software Distribution](#bmk-softwaredistribution)
-
-- [Geographic Distribution](#bmk-geographicdistribution)
-
-- [Computer Types](#bmk-computertypes)
-
-## Managed and Unmanaged Environments
-
-
-In your organization, you may have managed environments and unmanaged environments.
-
-In a managed environment, IT administrators strictly control and manage the installation and use of applications. In this environment, you can discover the full inventory by deploying inventory-collector packages to a limited subset of computers.
-
-In an unmanaged environment, users have administrator permissions and can install applications at their own discretion. To obtain the full inventory, you must deploy your inventory-collector packages to more computers.
-
-## Role-Based Applications
-
-
-Your organization may use role-based applications that relate to job function. For example, accountants may use finance-related applications. Reviewing application use together with job function helps you better identify which subsets of computers need inventory-collector packages.
-
-## Software Distribution
-
-
-You can distribute applications in various ways within an organization. For example, you can use Group Policy, Microsoft® IntelliMirror®, Microsoft System Center Configuration Manager, or a customized distribution method. Reviewing the policies for your software distribution system helps you better identify which subsets of computers need inventory-collector packages.
-
-## Geographic Distribution
-
-
-While you plan for inventory collection, consider the geographic distribution of your organization, and consider application use within each region. Be sure to account for divisional applications, localized applications, and applications that are specific to the geographic location and export restrictions. Consult with technical and business leaders from each region to understand the differences and determine which subsets of computers need inventory-collector packages.
-
-## Computer Types
-
-
-Computer types can be an important factor in the deployment of inventory-collector packages. The following sections describe common computer types.
-
-### Mobile Computers
-
-Mobile users are frequently offline, occasionally synchronizing with the corporate network through a LAN or VPN connection. The user must be online for the inventory-collector package to be downloaded and installed, and must be online again for the logged data to be uploaded.
-
-### Multiuser Computers
-
-Multiuser computers are typically in university computer labs, libraries, and organizations that enable job sharing. These computers include a core set of applications that are always available, in addition to many applications that can be installed and removed as necessary. Because these computers typically have a core set of applications, you can identify a narrow subset of computers to receive the inventory-collector package.
-
-### AppStations and TaskStations
-
-AppStations that run vertical applications are typically for marketing, claims and loan processing, and customer service. TaskStations are typically dedicated to running a single application in a location such as a manufacturing floor (as an entry terminal) or a call center. Because AppStations and TaskStations do not typically enable users to add or remove applications, you can identify a narrow subset of computers to receive the inventory-collector package.
-
-### Kiosks
-
-Kiosks are generally in public areas. These computers run unattended. They also generally run a single application by using a single-use account and automatic logon. Because these computers typically run a single application, you can identify a narrow subset of computers to receive the inventory-collector package.
-
-## Related topics
-
-
-[Creating an Inventory-Collector Package](creating-an-inventory-collector-package.md)
-
-[Deploying an Inventory-Collector Package](deploying-an-inventory-collector-package.md)
-
-
-
-
-
-
-
-
-
+description: To generate a complete inventory and obtain a comprehensive view of your organization, inventory all computers. However, remember that deploying inventory-collector packages to all computers in your organization will require the additional work of analyzing and reducing a larger list of applications. If you do not have the resources to deploy to all computers or you cannot process a larger list of applications, consider deploying inventory-collector packages to representative subsets of computers instead.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/index.md b/windows/plan/index.md
index e57a04c1cb..e8c8cdb020 100644
--- a/windows/plan/index.md
+++ b/windows/plan/index.md
@@ -16,7 +16,7 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
|Topic |Description |
|------|------------|
|[Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) |This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
-|[Windows 10 servicing options](windows-10-servicing-options.md) |Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. |
+|[Windows 10 servicing overview](windows-10-servicing-options.md) |Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. |
|[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. |
|[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. |
|[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
diff --git a/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
index c55deebb84..bd057029b9 100644
--- a/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
+++ b/windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
@@ -59,15 +59,4 @@ When a custom database is no longer necessary, either because the applications a
2. On the **File** menu, click **Uninstall**.
## Related topics
-
-
-[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
-
-
-
-
-
-
-
-
-
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
\ No newline at end of file
diff --git a/windows/plan/internet-explorer-web-site-report.md b/windows/plan/internet-explorer-web-site-report.md
index da0098b6c3..f30fc92bd6 100644
--- a/windows/plan/internet-explorer-web-site-report.md
+++ b/windows/plan/internet-explorer-web-site-report.md
@@ -1,68 +1,5 @@
---
title: Internet Explorer - Web Site Report (Windows 10)
-ms.assetid: f072033d-9d42-47ed-8fb0-dbdc28442910
-description:
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Internet Explorer - Web Site Report
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The **Internet Explorer - Web Site Report** screen shows the following information for each of the websites visited in your organization:
-
-- The website URL.
-
-- Your organization's compatibility rating for the website.
-
-- The count of issues for the website.
-
-- The count of resolved issues for the website.
-
-**To open the Internet Explorer - Web Site Report screen**
-
-1. In Application Compatibility Manager (ACM), on the **Quick Reports** pane, click **Analyze**.
-
-2. In the **Quick Reports** pane, under the **Internet Explorer** heading, click **Web Sites**.
-
-## Using the Internet Explorer - Web Site Report Screen
-
-
-On the **Internet Explorer - Web Site Report** screen, you can:
-
-- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).
-
-- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
-
-- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md).
-
-- Specify your compatibility rating for a website. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).
-
-- Select your deployment status for a website. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md).
-
-- Assign categories and subcategories to a website. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).
-
-- Specify the importance of a website to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).
-
-- Double-click a website name to view its associated dialog box. For more information, see [<WebsiteURL> Dialog Box](websiteurl-dialog-box.md).
-
-
-
-
-
-
-
-
-
+description: The Internet Explorer - Web Site Report screen shows the URL, your organization's compatibility rating, issue count, and resolved issue count, for each of the websites visited in your organization.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/labeling-data-in-acm.md b/windows/plan/labeling-data-in-acm.md
index 1e0ae71639..92f7448f84 100644
--- a/windows/plan/labeling-data-in-acm.md
+++ b/windows/plan/labeling-data-in-acm.md
@@ -1,54 +1,5 @@
---
title: Labeling Data in ACM (Windows 10)
description: Application data and its associated compatibility issues can vary within an organization.
-ms.assetid: d099c747-e68a-4cad-a639-9f33efab35b3
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Labeling Data in ACM
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-Application data and its associated compatibility issues can vary within an organization. For example, the applications used by a Human Resources (HR) department might differ from the applications used by a Sales department. Even for applications that are used across an organization, different compatibility issues might be found for each business group because of the unique application use by each business group.
-
-Your data-collection packages can add a *label* to your inventoried applications. To filter by business group when analyzing reports, you can create a different data-collection package for each business group and have each package assign a unique label. For example, you can create a data-collection package for your Sales department with a **Sales** label. During reports analysis, you can filter your results so that only the data with the **Sales** label is visible.
-
-You can specify a label when you create a data-collection package. You cannot change the label for an existing data-collection package.
-
-**To specify the label for a new data-collection package**
-
-1. In Application Compatibility Manager (ACM), on the **Go** menu, click **Collect**.
-
-2. On the **Collect** screen, click **File** from the toolbar, and then click **New** to start creating a new data-collection package.
-
-3. In the wizard, enter the label that you want to be applied by the data-collection package.
-
-## Related topics
-
-
-[Log File Locations for Data-Collection Packages](log-file-locations-for-data-collection-packages.md)
-
-[Exporting a Data-Collection Package](exporting-a-data-collection-package.md)
-
-[Deleting a Data-Collection Package](deleting-a-data-collection-package.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/log-file-locations-for-data-collection-packages.md b/windows/plan/log-file-locations-for-data-collection-packages.md
index 99ea5bc63f..5fa3b6c466 100644
--- a/windows/plan/log-file-locations-for-data-collection-packages.md
+++ b/windows/plan/log-file-locations-for-data-collection-packages.md
@@ -1,54 +1,5 @@
---
title: Log File Locations for Data-Collection Packages (Windows 10)
-ms.assetid: dcc395e7-2d9c-4935-abab-33c5934ce24a
-description:
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Log File Locations for Data-Collection Packages
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-When you create a data-collection package in Application Compatibility Manager (ACM), you can select an output location for your log files. You have the following options:
-
-- Specify an ACT Log Processing Service (LPS) share. The data-collection package automatically writes the log files to the specified ACT LPS share.
-
- If the ACT LPS share is unavailable when the upload time interval is reached, the data-collection package will make two more attempts.
-
- For inventory collector packages, after the third attempt, the inventory collector package no longer attempts to upload data.
-
- For runtime-analysis packages, if the problem persists, the runtime-analysis package will store the log file in %SYSTEMDRIVE%\\Users\\All Users\\Microsoft\\Application Compatibility Toolkit\\LogProcessor\\Failed. The runtime-analysis package will attempt to upload the files again at the next upload interval.
-
-- Select **Local (%ACTAppData%\\DataCollector\\Output)**. If you use this option, the data-collection package creates log files on the local system and the computer administrator must manually copy the files to the ACT LPS share location. Consider this option for mobile users who are not always connected to the network. The log files are located in %SYSTEMDRIVE%\\Users\\All Users\\Microsoft\\Application Compatibility Toolkit\\DataCollector\\Output.
-
-- Type an alternate network share location. If you use this option, verify that the data-collection package can write to the alternate location. You might consider this option if your organization is geographically diverse. For example, administrators can create data-collection packages and file shares individually for each geographic location. Administrators at a central location must then move the log files to a central location and map the files to the ACT LPS share for processing and entry into the ACT database.
-
-## Related topics
-
-
-[Exporting a Data-Collection Package](exporting-a-data-collection-package.md)
-
-[Deleting a Data-Collection Package](deleting-a-data-collection-package.md)
-
-[Labeling Data in ACM](labeling-data-in-acm.md)
-
-
-
-
-
-
-
-
-
+description: Selecting the output for your data-collection package log files.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md
index 7c8a961d1d..a654054608 100644
--- a/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md
+++ b/windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md
@@ -56,17 +56,6 @@ This section provides information about managing your application-compatibility
## Related topics
-
-
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
-
-
-
-
-
-
-
-
-
+[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
\ No newline at end of file
diff --git a/windows/plan/managing-your-data-collection-packages.md b/windows/plan/managing-your-data-collection-packages.md
index 46eaa26130..03cbe4849d 100644
--- a/windows/plan/managing-your-data-collection-packages.md
+++ b/windows/plan/managing-your-data-collection-packages.md
@@ -1,80 +1,5 @@
---
title: Managing Your Data-Collection Packages (Windows 10)
description: This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages.
-ms.assetid: 369ae82f-c8ca-42ec-85df-1b760a74e70a
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Managing Your Data-Collection Packages
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages. Data-collection packages include inventory-collector packages and runtime-analysis packages. The following procedures apply to both package types.
-
-## In this section
-
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md)
-
-[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md)
-
-[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md)
-
-[Fixing Compatibility Issues](fixing-compatibility-issues.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/organizational-tasks-for-each-report-type.md b/windows/plan/organizational-tasks-for-each-report-type.md
index e572f3b042..61498e165d 100644
--- a/windows/plan/organizational-tasks-for-each-report-type.md
+++ b/windows/plan/organizational-tasks-for-each-report-type.md
@@ -1,96 +1,5 @@
---
title: Organizational Tasks for Each Report Type (Windows 10)
description: The following table shows which tasks can be performed for each report type.
-ms.assetid: 7463fab1-ba6e-4a9a-9112-0b69a18fe353
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Organizational Tasks for Each Report Type
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The following table shows which tasks can be performed for each report type.
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/organizing-your-compatibility-data.md b/windows/plan/organizing-your-compatibility-data.md
index 54bc38d151..30d2918977 100644
--- a/windows/plan/organizing-your-compatibility-data.md
+++ b/windows/plan/organizing-your-compatibility-data.md
@@ -1,90 +1,5 @@
---
title: Organizing Your Compatibility Data (Windows 10)
description: This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM).
-ms.assetid: e91ae444-5d85-4b5f-b655-a765ecc78b1e
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Organizing Your Compatibility Data
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM).
-
-## In this section
-
-
-
-
-
-
-Report
-[Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md)
-[Selecting Your Deployment Status](selecting-your-deployment-status.md)
-[Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md)
-[Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md)
-[Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md)
-[Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Viewing Your Compatibility Reports](viewing-your-compatibility-reports.md)
-
-[Filtering Your Compatibility Data](filtering-your-compatibility-data.md)
-
-[Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/prioritizing-your-compatibility-data.md b/windows/plan/prioritizing-your-compatibility-data.md
index 3d55e9d1f3..7304d6dbb9 100644
--- a/windows/plan/prioritizing-your-compatibility-data.md
+++ b/windows/plan/prioritizing-your-compatibility-data.md
@@ -1,103 +1,5 @@
---
title: Prioritizing Your Compatibility Data (Windows 10)
-ms.assetid: 103e125a-bd2b-4019-9d6a-2e1d50c380b1
-description:
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Prioritizing Your Compatibility Data
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can prioritize your applications, websites, computers, and devices to help customize and filter your compatibility reports. The priority levels are:
-
-- **Priority 1 - Business Critical**. The highest priority level, applied to an item that is so important to your organization that a compatibility issue with the item would keep you from deploying a new operating system.
-
-- **Priority 2 - Important**. Items that your organization regularly uses but can function without.
-
-- **Priority 3 - Nice to Have**. Lower-priority items that you want to show in your compatibility reports that do not belong in either of the previous two categories.
-
-- **Priority 4 - Unimportant**. Items that are irrelevant to the daily functions of your organization.
-
-- **Unspecified**. The default priority level, applied to items that have not yet been reviewed for deployment.
-
-## Prioritizing Your Applications, Computers, Devices, and Websites
-
-
-The following example uses the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. The procedure is the same on the reports for computers, devices, and websites.
-
-**To change the priority**
-
-1. On the **<Operating\_System> - Application Report** screen, click the name of the application.
-
-2. On the **Actions** menu, click **Set Priority**.
-
-3. Click a priority, and then click **OK**.
-
-**To filter your data by priority**
-
-1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**.
-
-2. Enter your filter criteria, pressing the Tab key to add clauses.
-
- Consider the following example, which shows a query that filters for all applications that have a priority level of **Business Critical** or **Important**.
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- To delete a clause, right-click the row, and then click **Delete Clause**.
-
-3. Click **Refresh**.
-
- Your filtered results appear.
-
-
-
-
-
-
-
-
-
+description: Prioritizing your apps, websites, computers, and devices to help customize and filter your compatibilty reports.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/ratings-icons-in-acm.md b/windows/plan/ratings-icons-in-acm.md
index e8f095c0ac..c1f0184338 100644
--- a/windows/plan/ratings-icons-in-acm.md
+++ b/windows/plan/ratings-icons-in-acm.md
@@ -1,111 +1,5 @@
---
title: Ratings Icons in ACM (Windows 10)
description: Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community.
-ms.assetid: 0165499e-cb47-4d76-98a6-b871d23e4e83
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Ratings Icons in ACM
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community.
-
-For information about specifying your own ratings, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md). For information about community ratings, see [ACT Community Ratings and Process](act-community-ratings-and-process.md).
-
-## Icons
-
-
-The following table shows icons that appear on the report screens and dialog boxes for **Company Assessment** and **Vendor Assessment**.
-
-
-
-
-
- And/Or
- Field
- Operator
- Value
-
-
-
-
-
-
-
-
-
-
-## User Ratings and ACT Community Ratings
-
-
-Ratings are displayed graphically in the **User Ratings** column and the **Community Assessment** column. The rating color and bar count depend on how the users or community rated the item. There are three possible ratings:
-
-- **Works**. Applications with this rating receive five green bars.
-
-- **Works with minor issues or has solutions**. Applications with this rating receive three light-green bars.
-
-- **Does not work**. Applications with this rating receive a single red bar.
-
-The color gradient from one to five bars shows the average rating.
-
-
-
-## Related topics
-
-
-[Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md)
-
-[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/resolving-an-issue.md b/windows/plan/resolving-an-issue.md
index 4d5557c944..e6a5b97651 100644
--- a/windows/plan/resolving-an-issue.md
+++ b/windows/plan/resolving-an-issue.md
@@ -1,62 +1,5 @@
---
title: Resolving an Issue (Windows 10)
description: You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red x to a green check mark on your report and report detail screens.
-ms.assetid: 96195122-185d-4f6a-8e84-79c3d069e933
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Resolving an Issue
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red **x** to a green check mark on your report and report detail screens.
-
-Resolving an issue is not required. However, if you do not resolve the issue, the issue remains active in your ACT database and provides inaccurate reports.
-
-## Resolving Issues for Your Applications and Websites
-
-
-This procedure describes how to resolve an existing issue that is documented in ACM. For information about adding an issue, see [Adding or Editing an Issue](adding-or-editing-an-issue.md).
-
-**Note**
-The following example uses the **<Application\_Name>** dialog box. The procedure is similar for websites.
-
-
-
-**To resolve issues**
-
-1. On the **<Operating\_System> - Application Report** screen, double-click the name of the application to display the **<Application\_Name>** dialog box.
-
-2. Click the **Issues** tab.
-
-3. Double-click the specific issue to resolve.
-
-4. On the **Actions** menu, click **Resolve**, and then close the **<Application\_Name> - <Issue\_Title>** dialog box.
-
- The issue appears with a green check mark in the report details screen.
-
- **Note**
- If you have not entered a solution but have resolved the issue, Microsoft recommends that you enter a solution with **Other** solution type and add text that describes why you resolved the issue without a solution. For information about entering solutions, see [Adding or Editing a Solution](adding-or-editing-a-solution.md).
-
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/saving-opening-and-exporting-reports.md b/windows/plan/saving-opening-and-exporting-reports.md
index 67d940bd0d..65bfc93fba 100644
--- a/windows/plan/saving-opening-and-exporting-reports.md
+++ b/windows/plan/saving-opening-and-exporting-reports.md
@@ -1,78 +1,5 @@
---
title: Saving, Opening, and Exporting Reports (Windows 10)
description: You can perform several common reporting tasks from the Analyze screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file.
-ms.assetid: 8be72a6c-63ab-4451-ad79-815e2ac18aa2
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Saving, Opening, and Exporting Reports
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can perform several common reporting tasks from the **Analyze** screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file.
-
-## Saving Your Compatibility Report
-
-
-You can save your compatibility report data, including any custom filters created by the query builder tool. You can import this report data back into Application Compatibility Manager (ACM) at a later time.
-
-**To save a report**
-
-1. In the **Quick Reports** pane, click **Analyze**.
-
-2. Expand the node for the target operating system for which you want to see compatibility reports, and then click a node for a report type.
-
-3. On the **File** menu, click **Save As**.
-
-4. Browse to the folder where you want to save your report, and then click **Save**.
-
-## Opening an Existing Compatibility Report
-
-
-In ACM, you can open, or import, a compatibility report (.adq) file.
-
-**To open a report**
-
-1. In the **Quick Reports** pane, click **Analyze**.
-
-2. Expand the node for the target operating system for which you want to see compatibility reports, and then click a node for a report type.
-
-3. On the **File** menu, click **Open Report**.
-
-4. Browse to the folder where you saved your report, and then click **Open**.
-
-## Exporting Compatibility Report Data
-
-
-You can export your compatibility report data to an Microsoft® Excel® spreadsheet (.xls) file.
-
-**To export report data**
-
-1. In the **Quick Reports** pane, click **Analyze**.
-
-2. Expand the node for the target operating system for which you want to see compatibility reports, and then click a node for a report type.
-
-3. On the **File** menu, click **Export Report**.
-
-4. Browse to the folder where you want to store the spreadsheet file, and then click **Save**.
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md
index 99b2f4a61f..2488fe4e38 100644
--- a/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md
+++ b/windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md
@@ -62,8 +62,6 @@ You can export your search results to a text (.txt) file for later review or arc
2. Browse to the location where you want to store your search result file, and then click **Save**.
## Related topics
-
-
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
diff --git a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
index 25906a1746..34260942d9 100644
--- a/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+++ b/windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
@@ -166,8 +166,6 @@ You can export any of your search results into a tab-delimited text (.txt) file
2. Browse to the location where you intend to store the search results file, and then click **Save**.
## Related topics
-
-
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
diff --git a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md
index 782d3c1651..3674f73b68 100644
--- a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md
+++ b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md
@@ -1,98 +1,5 @@
---
title: Selecting the Send and Receive Status for an Application (Windows 10)
description: For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange.
-ms.assetid: ae139093-27cf-4ad8-882d-e0509e78d33a
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Selecting the Send and Receive Status for an Application
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange
-
-. For information about how to send and receive data, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
-
-## Selecting the Send and Receive Status for an Application
-
-
-**Note**
-The following example uses the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box.
-
-
-
-**To change the send and receive status for an application**
-
-1. On the **<Operating\_System> - Application Report** screen, click the application name for which you want to select the send and receive status.
-
-2. On the **Actions** menu, click **Set Send and Receive Status**.
-
-3. Select one of the following:
-
- - **Do not send to Microsoft**
-
- - **Send to Microsoft** (default)
-
-4. Click **OK**.
-
-**To filter based on send and receive status**
-
-1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**.
-
-2. In the **Query Builder**, enter your filter criteria, pressing the Tab key to add clauses.
-
- To delete a clause, right-click the row, and then click **Delete Clause**.
-
- The following example shows a query that filters for applications with a send and receive status of **Do not send to Microsoft**.
-
-
-
-
-
-Icon
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-3. Click **Refresh**.
-
- Your filtered results appear.
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/selecting-your-compatibility-rating.md b/windows/plan/selecting-your-compatibility-rating.md
index b7042d456d..e0b0defc6d 100644
--- a/windows/plan/selecting-your-compatibility-rating.md
+++ b/windows/plan/selecting-your-compatibility-rating.md
@@ -1,108 +1,5 @@
---
title: Selecting Your Compatibility Rating (Windows 10)
description: You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system.
-ms.assetid: 959da499-8fd6-4f32-8771-a0580dd8e0d3
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Selecting Your Compatibility Rating
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. Your rating applies to your entire organization and is based on your own testing results and organizational requirements.
-
-Possible ratings include:
-
-- **Works**. During your organization's testing phase, there were no issues with the application, installation package, or website.
-
-- **Works with minor issues or has solutions**. During your organization's testing phase, there were no Severity 1 or Severity 2 issues with the application, installation package, or website. For information about severity levels, see [Adding or Editing an Issue](adding-or-editing-an-issue.md).
-
-- **Does not work**. During your organization's testing phase, the application, installation package, or website experienced a Severity 1 or Severity 2 issue.
-
-- **No data**. You have no compatibility data to provide.
-
-## Selecting a Compatibility Rating
-
-
-You can select your compatibility rating from the report screen or from the associated dialog box that shows report details. As an example, the following procedures use the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. The procedure is the same on the report for websites.
-
-**To select your compatibility rating**
-
-1. On the **<Operating\_System> - Application Report** screen, click the application name.
-
-2. On the **Actions** menu, click **Set Assessment**.
-
-3. Choose your ratings. Select separate ratings for 32-bit operating systems and 64-bit operating systems, and then click **OK**.
-
- If your organization does not use a 32-bit operating system, or does not use a 64-bit operating system, you can hide the option in the **Customize Report Views** dialog box. If you hide the option, the associated column no longer appears in the **Set Assessment** dialog box.
-
-## Filtering By Your Compatibility Ratings
-
-
-You can filter your applications, installation packages, or website data by your compatibility ratings.
-
-**To filter based on your compatibility ratings**
-
-1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**.
-
-2. In the **Query Builder**, enter your filter criteria, pressing the Tab key to add additional clauses.
-
- For example, the following query will show applications with a rating of **Works** or a rating of **Works with minor issues or has solutions**.
-
-
-
-
-
- And/Or
- Field
- Operator
- Value
-
-
-
-
-
-
-
-
- To delete a clause, right-click the row, and then click **Delete Clause**.
-
-3. Click **Refresh**.
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/selecting-your-deployment-status.md b/windows/plan/selecting-your-deployment-status.md
index 8cc4a070bc..61fdf90369 100644
--- a/windows/plan/selecting-your-deployment-status.md
+++ b/windows/plan/selecting-your-deployment-status.md
@@ -1,117 +1,5 @@
---
title: Selecting Your Deployment Status (Windows 10)
description: In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites.
-ms.assetid: 7735d256-77eb-4498-93aa-c838ee6e00fc
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Selecting Your Deployment Status
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites.
-
-## Selecting Your Deployment Status
-
-
-You can change the deployment status from both the report screen and the associated report dialog box.
-
-**Note**
-The following examples use the **<Operating\_System> - Application Report** screen. You can alternatively use the **<Application\_Name>** dialog box. The procedure is the same for setting deployment status on the report for websites.
-
-
-
-**To change the deployment status of an application**
-
-1. On the **<Operating\_System> - Application Report** screen, click the application name.
-
-2. On the **Actions** menu, click **Set Deployment Status**.
-
-3. Select one of the following options:
-
- - **Not Reviewed** (default)
-
- - **Testing**
-
- - **Mitigating**
-
- - **Ready to Deploy**
-
- - **Will Not Deploy**
-
-4. Click **OK**.
-
-## Filtering By Deployment Status
-
-
-You can filter your applications and websites by your deployment status.
-
-**To filter based on deployment status**
-
-1. On the **<Operating\_System> - Application Report** screen, click **Toggle Filter**.
-
- The **Query Builder** appears with a blank row.
-
-2. In the **Query Builder**, enter your filter criteria, pressing the Tab key to add clauses.
-
- For example, the following query filters for applications with a deployment status of **Mitigating** or **Ready to Deploy**.
-
-
-
-
-
- And/Or
- Field
- Operator
- Value
-
-
-
-
-
-
-
-
-
-
- To delete a clause, right-click the row, and then click **Delete Clause**.
-
-3. Click **Refresh**.
-
- Your filtered results appear.
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/sending-and-receiving-compatibility-data.md b/windows/plan/sending-and-receiving-compatibility-data.md
index 5a694085b2..fe2e0356a0 100644
--- a/windows/plan/sending-and-receiving-compatibility-data.md
+++ b/windows/plan/sending-and-receiving-compatibility-data.md
@@ -1,69 +1,5 @@
---
title: Sending and Receiving Compatibility Data (Windows 10)
description: The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community.
-ms.assetid: b86d2431-1caa-4f95-baf9-52ff6af546cd
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Sending and Receiving Compatibility Data
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. This process involves checking for updated compatibility information from Microsoft over the Internet. You can send and receive data to keep Application Compatibility Manager (ACM) updated with the latest compatibility information.
-
-The synchronization process includes only the changes made since the last synchronization. During the synchronization process, a dialog box displaying the synchronization status appears. You can continue to work during this process. If no new issues have occurred since your last synchronization, the Microsoft Compatibility Exchange uploads your issue information and notifies you that no updates exist.
-
-The synchronization process uses the Microsoft Compatibility Exchange to:
-
-- Download new information from Microsoft and ISVs, except for the applications for which you choose not to send application data to Microsoft.
-
-- Upload your compatibility issues to Microsoft.
-
-- Upload and download compatibility information from the ACT Community, if you are a member of the ACT Community and agree to share your data. For information about configuring your membership in the ACT Community, see [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md).
-
-For information about which data is sent and received through the Microsoft Compatibility exchange, see [Data Sent Through the Microsoft Compatibility Exchange](data-sent-through-the-microsoft-compatibility-exchange.md).
-
-## Reviewing and Synchronizing Your Data
-
-
-Prior to sending your application data to Microsoft, you can review your application list and view the exact data being sent as a text (.txt) file. After you are done reviewing the information, you can synchronize your data with Microsoft.
-
-**To review and synchronize your data**
-
-1. On the **Analyze** screen, click **Send and Receive**.
-
-2. Click **Review the data before sending**.
-
- The **Send and Receive Data** dialog box shows all of the application data that is to be sent to Microsoft during the synchronization process. To avoid sending application data for specific applications, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md).
-
-3. Optionally, click **Review all data**, save the resulting .txt file locally, and then review the exact XML data that will be sent to Microsoft.
-
-4. After you finish reviewing the application list and XML data, click **Send**.
-
-## Related topics
-
-
-[Data Sent Through the Microsoft Compatibility Exchange](data-sent-through-the-microsoft-compatibility-exchange.md)
-
-[ACT Community Ratings and Process](act-community-ratings-and-process.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/settings-for-acm.md b/windows/plan/settings-for-acm.md
index 6abb406ec3..fe209d179d 100644
--- a/windows/plan/settings-for-acm.md
+++ b/windows/plan/settings-for-acm.md
@@ -1,70 +1,5 @@
---
title: Settings for ACM (Windows 10)
description: This section provides information about settings that you can configure in Application Compatibility Manager (ACM).
-ms.assetid: e0126284-4348-4708-8976-a1e404f35971
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Settings for ACM
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section provides information about settings that you can configure in Application Compatibility Manager (ACM).
-
-## In this section
-
-
-
-
-
-
- And/Or
- Field
- Operator
- Value
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Configuring ACT](configuring-act.md)
-
-[ACT Database Configuration](act-database-configuration.md)
-
-[Troubleshooting ACT](troubleshooting-act.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/software-requirements-for-act.md b/windows/plan/software-requirements-for-act.md
index 3564e2d753..d631eef7aa 100644
--- a/windows/plan/software-requirements-for-act.md
+++ b/windows/plan/software-requirements-for-act.md
@@ -1,86 +1,5 @@
---
title: Software Requirements for ACT (Windows 10)
description: The Application Compatibility Toolkit (ACT) has the following software requirements.
-ms.assetid: 9bbc21d4-f2ac-4a91-8add-017b1eacdeee
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Software Requirements for ACT
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Application Compatibility Toolkit (ACT) has the following software requirements.
-
-## Operating Systems
-
-
-ACT can be installed on the following operating systems:
-
-- Windows 10
-
-- Windows 8.1
-
-- Windows 8
-
-- Windows 7
-
-- Windows Server 2012
-
-- Windows Server 2008 R2
-
-You can deploy inventory collector packages to all of the operating systems where you can install ACT. In addition, you can also deploy inventory collector packages to Windows Server 2008, Windows Vista, and Windows XP.
-
-**Note**
-As of Update 2, there is a known issue where the inventory collector package fails on Windows Vista.
-
-
-
-## Database Components
-
-
-ACT requires one of the following database components:
-
-- Microsoft® SQL Server® 2012
-
-- Microsoft® SQL Server® 2008 R2
-
-- SQL Server 2008
-
-- SQL Server 2005
-
-- SQL Server 2008 Express
-
-- SQL Server 2005 Express Edition
-
-## .NET Framework
-
-
-ACT requires .NET Framework 4.
-
-## Related topics
-
-
-[What's New in Act 6.1](whats-new-in-act-60.md)
-
-[Software Requirements for RAP](software-requirements-for-rap.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/software-requirements-for-rap.md b/windows/plan/software-requirements-for-rap.md
index 07311438e4..b9914238fc 100644
--- a/windows/plan/software-requirements-for-rap.md
+++ b/windows/plan/software-requirements-for-rap.md
@@ -1,70 +1,5 @@
---
title: Software Requirements for RAP (Windows 10)
description: The runtime-analysis package (RAP) has the following software requirements.
-ms.assetid: 0163ce70-f5ba-400c-bdd5-a25511aac91f
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Software Requirements for RAP
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The runtime-analysis package (RAP) has the following software requirements.
-
-## Compatibility Monitor Supported Operating Systems
-
-
-The Microsoft Compatibility Monitor tool is included in the runtime-analysis package. You can use the Compatibility Monitor on the following operating systems:
-
-- Windows 10
-
-- Windows 8.1
-
-- Windows 8
-
-- Windows 7
-
-## SUA Tool and Compatibility Administrator Supported Operating Systems
-
-
-The Standard User Analyzer (SUA) tool and wizard and the Compatibility Administrator tool are included in the runtime-analysis package. You can use the tools on the following operating systems:
-
-- Windows 10
-
-- Windows 8.1
-
-- Windows 8
-
-- Windows 7
-
-- Windows Server 2012
-
-- Windows Server 2008 R2
-
-## Related topics
-
-
-[What's New in Act 6.1](whats-new-in-act-60.md)
-
-[Software Requirements for ACT](software-requirements-for-act.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/sua-users-guide.md b/windows/plan/sua-users-guide.md
index e0f2921b80..fff7a5757e 100644
--- a/windows/plan/sua-users-guide.md
+++ b/windows/plan/sua-users-guide.md
@@ -54,16 +54,6 @@ You can use SUA in either of the following ways:
-
-
-
-## Related topics
-
-
-[Deciding Whether to Fix an Application or Deploy a Workaround](deciding-whether-to-fix-an-application-or-deploy-a-workaround.md)
-
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-
diff --git a/windows/plan/taking-inventory-of-your-organization.md b/windows/plan/taking-inventory-of-your-organization.md
index 07b40d240a..d199af1ab6 100644
--- a/windows/plan/taking-inventory-of-your-organization.md
+++ b/windows/plan/taking-inventory-of-your-organization.md
@@ -1,76 +1,5 @@
---
title: Taking Inventory of Your Organization (Windows 10)
description: This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization.
-ms.assetid: d52f138d-c6b2-4ab1-bb38-5b036311a51d
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Taking Inventory of Your Organization
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization.
-
-## In this section
-
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Testing Compatibility on the Target Platform](testing-compatibility-on-the-target-platform.md)
-
-[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md)
-
-[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md)
-
-[Fixing Compatibility Issues](fixing-compatibility-issues.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/testing-compatibility-on-the-target-platform.md b/windows/plan/testing-compatibility-on-the-target-platform.md
index 621a8bfeb2..9ba06e8cb3 100644
--- a/windows/plan/testing-compatibility-on-the-target-platform.md
+++ b/windows/plan/testing-compatibility-on-the-target-platform.md
@@ -1,84 +1,5 @@
---
title: Testing Compatibility on the Target Platform (Windows 10)
description: This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment.
-ms.assetid: 8f3e9d58-37c2-41ea-a216-32712baf6cf4
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Testing Compatibility on the Target Platform
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment.
-
-## In this section
-
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Taking Inventory of Your Organization](taking-inventory-of-your-organization.md)
-
-[Managing Your Data-Collection Packages](managing-your-data-collection-packages.md)
-
-[Analyzing Your Compatibility Data](analyzing-your-compatibility-data.md)
-
-[Fixing Compatibility Issues](fixing-compatibility-issues.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/testing-your-application-mitigation-packages.md b/windows/plan/testing-your-application-mitigation-packages.md
index 669904c1e6..5fc970623c 100644
--- a/windows/plan/testing-your-application-mitigation-packages.md
+++ b/windows/plan/testing-your-application-mitigation-packages.md
@@ -84,15 +84,4 @@ At this point, you probably cannot resolve any unresolved application compatibil
If your developers have insufficient resources to resolve the application compatibility issues, outsource the mitigation effort to another organization within your company.
## Related topics
-
-
-[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
-
-
-
-
-
-
-
-
-
+[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
\ No newline at end of file
diff --git a/windows/plan/troubleshooting-act-database-issues.md b/windows/plan/troubleshooting-act-database-issues.md
index ba1e7c4f7a..e0fb05fd2a 100644
--- a/windows/plan/troubleshooting-act-database-issues.md
+++ b/windows/plan/troubleshooting-act-database-issues.md
@@ -1,157 +1,5 @@
---
title: Troubleshooting ACT Database Issues (Windows 10)
description: The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT).
-ms.assetid: c36ab5d8-cc82-4681-808d-3d491551b75e
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Troubleshooting ACT Database Issues
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT).
-
-For information about how to set up the database, see [ACT Database Configuration](act-database-configuration.md).
-
-## Connecting to a SQL Server Database
-
-
-When you attempt to connect to a SQL Server database, you may receive the following error message:
-
-The SQL Server you entered either does not exist or you do not have the required credentials for access.
-
-This error message indicates that the connection to the database is not valid. To investigate this error, do the following:
-
-1. Verify that the SQL Server database to which you are connecting is a valid database.
-
-2. Verify that you have read and write permissions to the database. If you do not have read and write permissions, contact your SQL Server administrator. For more information, see [Adding a Member to a SQL Server Database Role](http://go.microsoft.com/fwlink/p/?LinkId=64170).
-
-If you have read and write permissions to the database but cannot connect to it, you may be able to change the settings for your instance of SQL Server to resolve the issue. Namely, you can enable TCP/IP and firewall exceptions.
-
-**To enable TCP/IP and firewall exceptions for your instance of SQL Server**
-
-1. In a **Command Prompt** window, type the following command to stop your instance of SQL Server.
-
- ``` syntax
- net stop
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Using ACT](using-act.md)
-
-[ACT Product and Documentation Resources](act-product-and-documentation-resources.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/troubleshooting-the-act-configuration-wizard.md b/windows/plan/troubleshooting-the-act-configuration-wizard.md
index 709b60fb6d..08200ff49f 100644
--- a/windows/plan/troubleshooting-the-act-configuration-wizard.md
+++ b/windows/plan/troubleshooting-the-act-configuration-wizard.md
@@ -1,76 +1,5 @@
---
title: Troubleshooting the ACT Configuration Wizard (Windows 10)
description: When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears.
-ms.assetid: f4f489c7-50b7-4b07-8b03-79777e1aaefd
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Troubleshooting the ACT Configuration Wizard
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears. The wizard helps you configure your ACT database, your shared folder for ACT log files, and your ACT Log Processing Service account.
-
-## Selecting a Configuration for ACM
-
-
-The **Enterprise configuration** option enables all ACT functionality. You must be an administrator on the local computer to select this option.
-
-The **View and manage reports only** option enables you to use ACM to create data-collection packages and analyze your data. You cannot access the ACT Log Processing Service. This option assumes that another computer in your organization is processing the logs and loading the compatibility data into the ACT database.
-
-## Configuring ACT Database Settings
-
-
-To configure ACT database settings in the ACT Configuration Wizard, you must have read and write permissions to the ACT database. For more information, see [ACT Database Configuration](act-database-configuration.md). If you do not have the appropriate permissions, contact your Microsoft® SQL Server® administrator. For more information, see [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md).
-
-## Configuring the ACT Log Processing Service
-
-
-If you use the Local System account to run the ACT Log Processing Service, your user account must be an Administrator account. Your computer account *<domain>*\\*<computer>*$ must have read and write permissions to the ACT database.
-
-Your user account must also have **Log on as a service** permissions. For more information, see [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md).
-
-## Configuring the Share for the ACT Log Processing Service
-
-
-For information about how to configure the share for the ACT Log Processing Service, see [ACT LPS Share Permissions](act-lps-share-permissions.md).
-
-## Changing Settings After You Finish the ACT Configuration Wizard
-
-
-In the **Settings** dialog box in ACM, you can change some of the settings that you see in the ACT Configuration Wizard. You can also change other settings that are not available in the wizard. For more information, see [Settings for ACM](settings-for-acm.md).
-
-## Restarting the ACT Configuration Wizard
-
-
-If you cancel the configuration process before you reach the final page of the ACT Configuration Wizard, your settings are deleted and the wizard restarts the next time that you start ACM.
-
-## Related topics
-
-
-[Configuring ACT](configuring-act.md)
-
-[Using ACT](using-act.md)
-
-[Troubleshooting ACT](troubleshooting-act.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/troubleshooting-the-act-log-processing-service.md b/windows/plan/troubleshooting-the-act-log-processing-service.md
index 0fff19e588..5f338b3141 100644
--- a/windows/plan/troubleshooting-the-act-log-processing-service.md
+++ b/windows/plan/troubleshooting-the-act-log-processing-service.md
@@ -1,103 +1,5 @@
---
title: Troubleshooting the ACT Log Processing Service (Windows 10)
description: The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service.
-ms.assetid: cb6f90c2-9f7d-4a34-a91e-8ed55b8c256d
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Troubleshooting the ACT Log Processing Service
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service.
-
-For information about how to set up permissions for the service, see [ACT LPS Share Permissions](act-lps-share-permissions.md).
-
-## Reviewing Files in ACT Log File Format
-
-
-When you are reviewing log files for ACT, be aware that the log files are in Unicode format.
-
-## Uploading Files to the ACT Log Processing Service Share After Setting Permissions
-
-
-If you cannot upload files to the ACT Log Processing Service share, you must first verify that the account permissions are set correctly for the share. For more information, see [ACT LPS Share Permissions](act-lps-share-permissions.md).
-
-If the computers from which you are collecting data and the ACT Log Processing Service share are on different domains, or if the computers are not domain members, you must take additional steps. For the **Anonymous** group, provide explicit write permissions to the ACT Log Processing Service share. Alternatively, you can provide similar permissions to the **Authenticated users** group if you do not want to enable anonymous access. For more information, see [Everyone Group Does Not Include Anonymous Security Identifier](http://go.microsoft.com/fwlink/p/?LinkId=79830).
-
-If you are collecting data from computers that are running Microsoft® Windows® 2000 and you are uploading your collected data to a different domain, you must also explicitly enable null session access for the ACT Log Processing Service share.
-
-## Working Around Windows Firewall on the Computer That Hosts the ACT Log Processing Service Share
-
-
-If your organization has configured Windows Firewall on the computer that hosts your ACT Log Processing Service share, log files will not be copied to your share. To work around this issue, you can use one of the following methods:
-
-- Before you set up the ACT Log Processing Service share, turn off Windows Firewall on the computer that will host the share.
-
-- Continue to use Windows Firewall, but enable the **File Sharing** option.
-
-## Viewing and Assigning "Log on as a service" Permissions
-
-
-Starting the ACT Log Processing Service requires either a Local System account or a user account. For a user account to start the ACT Log Processing Service and complete the ACT Configuration Wizard, the *<domain>*\\*<user>* account must have **Log on as a service** permissions. By default, these permissions are assigned to built-in computer accounts, such as the Local System account.
-
-**To add rights to a user account for logging on as a service**
-
-1. In Control Panel, double-click **Administrative Tools**, and then double-click **Local Security Policy**.
-
-2. Expand the **Local Policies** folder, and then click **User Rights Assignment**.
-
-3. Double-click the **Log on as a service** policy.
-
-4. Verify that your *<domain>*\\*<user>* account appears. If it does not appear, click **Add User or Group**.
-
-5. Add your user account information, click **OK**, and then click **OK** again.
-
-## Starting the ACT Log Processing Service
-
-
-If the ACT Log Processing Service does not start and log files are not being processed, the reason may be one of the following:
-
-- **A conflict exists between ACT and the Microsoft® SQL Server® database.** If both ACT and the SQL Server database are on the same computer, the ACT Log Processing Service might have started before the SQL Server service.
-
-- **The ACT Log Processing Service does not have the correct permissions to the ACT database.** To investigate, see [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md).
-
-- **The account type is incorrect for the account that is running the ACT Log Processing Service.** The ACT Log Processing Service account must be an Administrator account.
-
-**To manually restart the ACT Log Processing Service**
-
-1. In Control Panel, double-click **Administrative Tools**, and then double-click **Services**.
-
-2. Right-click **ACT Log Processing Service**, and then click **Restart**.
-
-3. In the event log, verify that no issues occurred when the service restarted.
-
-## Related topics
-
-
-[Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md)
-
-[Configuring ACT](configuring-act.md)
-
-[Software Requirements for ACT](software-requirements-for-act.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/understanding-and-using-compatibility-fixes.md b/windows/plan/understanding-and-using-compatibility-fixes.md
index 6c73a5645b..6ab830868c 100644
--- a/windows/plan/understanding-and-using-compatibility-fixes.md
+++ b/windows/plan/understanding-and-using-compatibility-fixes.md
@@ -93,15 +93,4 @@ Compatibility fixes are shipped as part of the Windows operating system and are
You can apply the compatibility fixes to any of your applications. However, Microsoft does not provide the tools to use the Compatibility Fix infrastructure to create your own custom fixes.
## Related topics
-
-
-[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
-
-
-
-
-
-
-
-
-
+[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
\ No newline at end of file
diff --git a/windows/plan/using-act.md b/windows/plan/using-act.md
index 3793af0dd1..3e3ffff7d2 100644
--- a/windows/plan/using-act.md
+++ b/windows/plan/using-act.md
@@ -1,90 +1,5 @@
---
title: Using ACT (Windows 10)
description: This section describes how to use the Application Compatibility Toolkit (ACT) in your organization.
-ms.assetid: e6a68f44-7503-450d-a000-a04fbb93a146
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Using ACT
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section describes how to use the Application Compatibility Toolkit (ACT) in your organization.
-
-## In this section
-
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Welcome to ACT](welcome-to-act.md)
-
-[Configuring ACT](configuring-act.md)
-
-[Troubleshooting ACT](troubleshooting-act.md)
-
-[ACT User Interface Reference](act-user-interface-reference.md)
-
-[ACT Product and Documentation Resources](act-product-and-documentation-resources.md)
-
-[ACT Glossary](act-glossary.md)
-
-[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/using-compatibility-monitor-to-send-feedback.md b/windows/plan/using-compatibility-monitor-to-send-feedback.md
index 9a86a64d25..c5e20c52ba 100644
--- a/windows/plan/using-compatibility-monitor-to-send-feedback.md
+++ b/windows/plan/using-compatibility-monitor-to-send-feedback.md
@@ -1,84 +1,5 @@
---
title: Using Compatibility Monitor to Send Feedback (Windows 10)
description: The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package.
-ms.assetid: dc59193e-7ff4-4950-8c20-e90c246e469d
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Using Compatibility Monitor to Send Feedback
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package. From the computers in your test environment, you can use Compatibility Monitor to submit compatibility information to the Application Compatibility Toolkit (ACT) database for your organization.
-
-**To automatically monitor applications on your computer for compatibility issues**
-
-1. Start the Compatibility Monitor tool.
-
-2. In Compatibility Monitor, click **Start Monitoring**.
-
-3. Leave Compatibility Monitor running, and use the applications that you want to test for compatibility issues.
-
- Compatibility information is automatically detected during monitoring, and is silently submitted to the ACT database at regular intervals.
-
-4. After you finish testing applications, click **Stop Monitoring** to stop the automatic monitoring and submission of compatibility information.
-
-**To submit your compatibility rating for an application**
-
-1. Start the Compatibility Monitor tool.
-
-2. In Compatibility Monitor, click **Give Compatibility Feedback**.
-
- You can enter and submit compatibility ratings whether monitoring is on or off. The process of submitting your compatibility feedback is entirely independent of the monitoring process.
-
-3. Find your application in the list, and then select your compatibility rating for the application.
-
- You can select ratings for one or more applications.
-
-4. Click **Submit** to submit your compatibility ratings to the ACT database.
-
- A copy of your ratings is kept on your computer so that you can review and modify the ratings later.
-
-**To submit a description of a compatibility issue for an application**
-
-1. Start the Compatibility Monitor tool.
-
-2. In Compatibility Monitor, click **Give Compatibility Feedback**.
-
-3. Find your application in the list, and then click the **Add Details** link.
-
-4. In the **Title** box, enter a title for the compatibility issue. The title is typically a phrase that briefly describes the issue. Check with others in your organization to verify your organization’s preferred style for issue titles.
-
-5. In the **Description** box, enter a description of the compatibility issue.
-
-6. Optionally, attach a screen shot or a step-by-step recording of the compatibility issue.
-
-7. Click **Submit** to submit your compatibility issue to the ACT database.
-
- After submitting your compatibility issue, you cannot edit it later. To submit further compatibility issues, you will need to submit a new issue.
-
-## Related topics
-
-
-[Common Compatibility Issues](common-compatibility-issues.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/using-the-sdbinstexe-command-line-tool.md b/windows/plan/using-the-sdbinstexe-command-line-tool.md
index fdd93bf2f3..301917b901 100644
--- a/windows/plan/using-the-sdbinstexe-command-line-tool.md
+++ b/windows/plan/using-the-sdbinstexe-command-line-tool.md
@@ -79,18 +79,5 @@ The following table describes the available command-line options.
-
-
## Related topics
-
-
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-
-
-
-
-
-
-
-
-
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
\ No newline at end of file
diff --git a/windows/plan/using-the-sua-tool.md b/windows/plan/using-the-sua-tool.md
index c758d2f32d..df93b0550b 100644
--- a/windows/plan/using-the-sua-tool.md
+++ b/windows/plan/using-the-sua-tool.md
@@ -69,8 +69,6 @@ The following flowchart shows the process of using the SUA tool.
The SUA tool generates a custom compatibility-fix database and automatically applies it to the local computer, so that you can test the fixes to see whether they worked.
## Related topics
-
-
[Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
[Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
diff --git a/windows/plan/using-the-sua-wizard.md b/windows/plan/using-the-sua-wizard.md
index a8f3b3ce03..17703c2eb7 100644
--- a/windows/plan/using-the-sua-wizard.md
+++ b/windows/plan/using-the-sua-wizard.md
@@ -73,8 +73,6 @@ The following flowchart shows the process of using the SUA Wizard.
If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer additional remedies. If the additional remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md).
## Related topics
-
-
[SUA User's Guide](sua-users-guide.md)
diff --git a/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md b/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md
index 8c89db2a64..34186e3746 100644
--- a/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md
+++ b/windows/plan/viewing-the-events-screen-in-compatibility-administrator.md
@@ -40,8 +40,6 @@ Compatibility Administrator enables you to copy your compatibility fixes from on
If you open the **Events** screen and then perform the copy operation, you can see a description of the action, along with the time stamp, which enables you to view your fix information without confusion.
## Related topics
-
-
[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
diff --git a/windows/plan/viewing-your-compatibility-reports.md b/windows/plan/viewing-your-compatibility-reports.md
index c0f5ffaae9..57ba7d07a9 100644
--- a/windows/plan/viewing-your-compatibility-reports.md
+++ b/windows/plan/viewing-your-compatibility-reports.md
@@ -1,86 +1,5 @@
---
title: Viewing Your Compatibility Reports (Windows 10)
description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
-ms.assetid: a28bbfbe-5f05-4a1e-9397-0a3ceb585871
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Viewing Your Compatibility Reports
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
-
-## In this section
-
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Organizing Your Compatibility Data](organizing-your-compatibility-data.md)
-
-[Filtering Your Compatibility Data](filtering-your-compatibility-data.md)
-
-[Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/websiteurl-dialog-box.md b/windows/plan/websiteurl-dialog-box.md
index f9f44433db..e07214a067 100644
--- a/windows/plan/websiteurl-dialog-box.md
+++ b/windows/plan/websiteurl-dialog-box.md
@@ -1,56 +1,5 @@
---
title: WebsiteURL Dialog Box (Windows 10)
description: In Application Compatibility Manager (ACM), the websiteURL dialog box shows information about the selected website.
-ms.assetid: 0dad26e1-4bba-4fef-b160-3fa1f4325da8
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# <WebsiteURL> Dialog Box
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-In Application Compatibility Manager (ACM), the *<websiteURL>* dialog box shows information about the selected website.
-
-**To open the <WebsiteURL> Dialog Box**
-
-1. In ACM, in the **Quick Reports** pane, click **Analyze**.
-
-2. Under the **Internet Explorer** heading, click **Web Sites**.
-
-3. Double-click the URL for a website.
-
-## Using the <WebsiteURL> Dialog Box
-
-
-In the *<websiteURL>* dialog box, you can perform the following actions:
-
-- Select your compatibility rating for the website. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).
-
-- Select your deployment status for the website. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md).
-
-- Assign categories and subcategories to the website. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).
-
-- Specify the importance of the website to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).
-
-- Add or edit an issue for the selected website, and add or edit a solution. For more information, see [Creating and Editing Issues and Solutions](creating-and-editing-issues-and-solutions.md).
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/welcome-to-act.md b/windows/plan/welcome-to-act.md
index c6755be21e..b4ef6d3088 100644
--- a/windows/plan/welcome-to-act.md
+++ b/windows/plan/welcome-to-act.md
@@ -1,82 +1,5 @@
---
title: Welcome to ACT (Windows 10)
description: The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system.
-ms.assetid: 3963db88-83d2-4b9a-872e-31c275d1a321
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# Welcome to ACT
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. With ACT, you can obtain compatibility information from Microsoft and software vendors, identify compatibility issues within your own organization, and share compatibility ratings with other ACT users. The tools in ACT help you analyze and mitigate compatibility issues before deploying a version of Windows to your organization.
-
-## In this section
-
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-
-[Configuring ACT](configuring-act.md)
-
-[Using ACT](using-act.md)
-
-[Troubleshooting ACT](troubleshooting-act.md)
-
-[ACT User Interface Reference](act-user-interface-reference.md)
-
-[ACT Product and Documentation Resources](act-product-and-documentation-resources.md)
-
-[ACT Glossary](act-glossary.md)
-
-[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/whats-new-in-act-60.md b/windows/plan/whats-new-in-act-60.md
index b516ef3eae..89d6afdf1c 100644
--- a/windows/plan/whats-new-in-act-60.md
+++ b/windows/plan/whats-new-in-act-60.md
@@ -1,84 +1,5 @@
---
title: What's New in ACT 6.1 (Windows 10)
description: Two major updates have been released since ACT 6.1.
-ms.assetid: f12e137d-0b55-4f7d-88e0-149302655d9b
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-author: TrudyHa
----
-
-# What's New in ACT 6.1
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-Two major updates have been released since ACT 6.1. They are ACT 6.1 Update and ACT 6.1 Update 2. The following table lists changes made in the Application Compatibility Toolkit (ACT), which is included in the Windows Assessment and Deployment Kit (ADK) download.
-
-
-
-
-
-Topic
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-**Note**
-The version numbers for ACT 6.1 Update and Update 2 are identical, so you will need to look at the product ID of ACT to tell them apart. To find the product ID, open ACT, go to **Help** > **About**, and compare the product ID to the following list.
-
-- **ACT 6.1 Update**: B264FCCB-3F1F-828F-CCF8-EDB93E860970
-
-- **ACT 6.1 Update 2**: B2BC4686-29A9-9E9D-F2E4-7E20659EECE7
-
-If you run into any of the bugs fixed in Update 2, you likely have ACT 6.1 Update or older. Please download the latest version in the Windows ADK.
-
-
-
-## Related topics
-
-
-[Software Requirements for ACT](software-requirements-for-act.md)
-
-[Software Requirements for RAP](software-requirements-for-rap.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
+---
\ No newline at end of file
diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md
index 2e67c97c04..6ac55f7ffc 100644
--- a/windows/plan/windows-10-servicing-options.md
+++ b/windows/plan/windows-10-servicing-options.md
@@ -7,56 +7,42 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: servicing
ms.sitesec: library
-author: mtniehaus
+author: greg-lindsay
---
-# Windows 10 servicing options
-
+# Windows 10 servicing overview
**Applies to**
-
- Windows 10
- Windows 10 Mobile
-Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process.
+This topic provides an overview of the new servicing model for Windows 10. For more detailed information about this model, refer to [Windows 10 servicing options](../manage/introduction-to-windows-10-servicing.md).
-Traditionally, new versions of Windows have been released every few years. The deployment of those new versions within an organization would then become a project, either by leveraging a “wipe and load” process to deploy the new operating system version to existing machines, or by migrating to the new operating system version as part of the hardware replacement cycle. Either way, organizations would invest significant time and effort to complete the required tasks.
+## The Windows servicing model
-With Windows 10, a new model is being adopted. Instead of new features being added only in new releases that happen every few years, the goal is to provide new features two to three times per year, continually providing new capabilities while maintaining a high level of hardware and application compatibility. This new model, referred to as Windows as a service, requires organizations to rethink how they deploy and upgrade Windows. It is no longer a project that happens “every few years”; it is a continual process.
+Traditionally, new versions of Windows have been released every few years. The deployment of those new versions within an organization would then become a project, either by leveraging a "wipe and load" process to deploy the new operating system version to existing computers, or by migrating to the new operating system version as part of the hardware replacement cycle. Either way, a significant amount of time and effort was required to complete these tasks.
-To support this process, you need to use simpler deployment methods. By combining these simpler methods (for example, in-place upgrade) with new techniques to deploy in phases to existing devices, you can reduce the amount of effort required overall, by taking the effort that used to be performed as part of a traditional deployment project and spreading it across a broad period of time.
+With Windows 10, a new model is being adopted. This new model, referred to as "Windows as a service," requires organizations to rethink how they deploy and upgrade Windows. It is no longer a project that happens every few years, it is a continual process.
-## Key terminology
+## Windows as a service
+Instead of new features being added only in new releases that happen every few years, the goal of Windows as a service is to continually provide new capabilities. New features are provided or updated two to three times per year, while maintaining a high level of hardware and application compatibility.
-With the shift to this new Windows as a service model, it is important to understand the distinction between two key terms:
+This new model uses simpler deployment methods, reducing the overall amount of effort required for Windows servicing. By combining these simpler methods (such as in-place upgrade) with new techniques to deploy upgrades in phases to existing devices, the effort that used to be performed as part of a traditional deployment project is spread across a broad period of time.
-- **Upgrade**. A new Windows 10 release that contains additional features and capabilities, released two to three times per year.
+## Windows 10 servicing branches
-- **Update**. Packages of security fixes, reliability fixes, and other bug fixes that are released periodically, typically once a month on Update Tuesday (sometimes referred to as Patch Tuesday). With Windows 10, these are cumulative in nature.
+The concept of branching goes back many years, and represents how Windows has traditionally been written and serviced. Each release of Windows was from a particular branch of the Windows code, and updates would be made to that release for the lifecycle of that release. This concept still applies now with Windows 10, but is much more visible because it is incorporated directly into the servicing model.
-In addition to these terms, some additional concepts need to be understood:
-
-- **Branches**. The concept of “branching” goes back many years, and represents how Windows has traditionally been written and serviced: Each release was from a particular branch of the Windows code, and updates would be made to that release for the lifecycle of that release. This concept still applies now with Windows 10, but is much more visible because of the increased frequency of upgrades.
-
-- **Rings**. The concept of “rings” defines a mechanism for Windows 10 deployment to targeted groups of PCs; each ring represents another group. These are used as part of the release mechanism for new Windows 10 upgrades, and should be used internally by organizations to better control the upgrade rollout process.
-
-## Windows 10 branch overview
-
-
-To support different needs and use cases within your organization, you can select among different branches:
+Microsoft has implemented the following new servicing options in Windows 10:
+**Windows Insider Program**: To see new features before they are released, to provide feedback on those new features, and to initially validate compatibility with existing applications and hardware, a small number of PCs can leverage the Windows Insider Program branch. These are typically dedicated lab machines used for IT testing, secondary PCs used by IT administrators, and other non-critical devices.
-
-Version
-Changes
-
-
-ACT 6.1 Update
-
-
-
-
-ACT 6.1 Update 2
-
-
+**Current Branch (CB)**: For early adopters, IT teams, and other broader piloting groups, the Current Branch (CB) can be used to further validate application compatibility and newly-released features.
+**Current Branch for Business (CBB)**. For the majority of people in an organization, the Current Branch for Business (CBB) allows for a staged deployment of new features over a longer period of time.
+**Long-Term Servicing Branch (LTSB)**: For critical or specialized devices (for example, operation of factory floor machinery, point-of-sale systems, automated teller machines), the Long-Term Servicing Branch (LTSB) provides a version of Windows 10 Enterprise that receives no new features, while continuing to be supported with security and other updates for a long time. (Note that the Long-Term Servicing Branch is a separate Windows 10 Enterprise image, with many in-box apps, including Microsoft Edge, Cortana, and Windows Store, removed.)
-- **Windows Insider Program**. To see new features before they are released, to provide feedback on those new features, and to initially validate compatibility with existing applications and hardware, small numbers of PCs can leverage the Windows Insider Program branch. These would typically be dedicated lab machines used for IT testing, secondary PCs used by IT administrators, and other non-critical devices.
-
-- **Current Branch**. For early adopters, IT teams, and other broader piloting groups, the Current Branch (CB) can be used to further validate application compatibility and newly-released features.
-
-- **Current Branch for Business**. For the majority of people in an organization, the Current Branch for Business (CBB) allows for a staged deployment of new features over a longer period of time.
-
-- **Long-Term Servicing Branch**. For critical or specialized devices (for example, operation of factory floor machinery, point-of-sale systems, automated teller machines), the Long-Term Servicing Branch (LTSB) provides a version of Windows 10 Enterprise that receives no new features, while continuing to be supported with security and other updates for a long time. (Note that the Long-Term Servicing Branch is a separate Windows 10 Enterprise image, with many in-box apps, including Microsoft Edge, Cortana, and Windows Store, removed.)
-
-Most organizations will leverage all of these choices, with the mix determined by how individual PCs are used. Some examples:
+These servicing options provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible. Most organizations will leverage all of these choices, with the mix determined by how individual PCs are used. Some examples are shown in the table below:
| Industry | Windows Insider Program | Current Branch | Current Branch for Business | Long-Term Servicing Branch |
|--------------------|-------------------------|----------------|-----------------------------|----------------------------|
@@ -65,10 +51,8 @@ Most organizations will leverage all of these choices, with the mix determined b
| Pharmaceuticals | <1% | 10% | 50% | 40% |
| Consulting | 10% | 50% | 35% | 5% |
| Software developer | 30% | 60% | 5% | 5% |
-
-
-
-Because every organization is different, the exact breakdown will vary even within a specific industry; these should be considered only examples, not specific recommendations. To determine the appropriate mix for a specific organization, profile how individual PCs are used within the organization, and target them with the appropriate branch.
+
+Because every organization is different, the exact breakdown will vary even within a specific industry. The examples shown above should not be taken as specific recommendations. To determine the appropriate mix for a specific organization, profile how individual PCs are used within the organization, and target them with the appropriate branch.
- Retailers often have critical devices (for example, point-of-sale systems) in stores which results in higher percentages of PCs on the Long-Term Servicing Branch. But those used by information workers in support of the retail operations would leverage Current Branch for Business to receive new features.
@@ -82,169 +66,12 @@ Because every organization is different, the exact breakdown will vary even with
Note that there are few, if any, scenarios where an entire organization would use the Long-Term Servicing Branch for all PCs – or even for a majority of them.
-For more information about the Windows as a service model, refer to [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md).
+With these new servicing options, Microsoft streamlined the Windows product engineering and release cycle so that Microsoft can deliver new features, experiences, and functionality more quickly than ever. Microsoft also created new ways to deliver and install feature upgrades and servicing updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership.
-## Current Branch versus Current Branch for Business
-
-
-When the development of a new Windows 10 feature upgrade is complete, it is initially offered to Current Branch computers; those computers configured for Current Branch for Business will receive the feature upgrade (with additional fixes) at a later date, generally at least four months later. An additional deferral of at least eight months is available to organizations that use tools to control the update process. During this time, monthly security updates will continue to be made available to machines not yet upgraded.
-
-The process to configure a PC for Current Branch for Business is simple. The **Defer upgrades** setting needs to be configured, either manually (through the Settings app), by using Group Policy, or by using mobile device management (MDM).
-
-
-
-Figure 1. Configure the **Defer upgrades** setting
-
-Most organizations today leverage Windows Server Update Services (WSUS) or System Center Configuration Manager to update their PCs. With Windows 10, this does not need to change; all updates are controlled through approvals or automatic deployment rules configured in those products, so new upgrades will not be deployed until the organization chooses. The **Defer upgrades** setting can function as an additional validation check, so that Current Branch for Business machines that are targeted with a new upgrade prior to the end of the initial four-month deferral period will decline to install it; they can install the upgrade any time within the eight-month window after that initial four-month deferral period.
-
-For computers configured to receive updates from Windows Update directly, the **Defer upgrades** setting directly controls when the PC will be upgraded. Computers that are not configured to defer upgrades will be upgraded at the time of the initial Current Branch release; computers that are configured to defer upgrades will be upgraded four months later.
-
-With Windows 10 it is now possible to manage updates for PCs and tablets that have a higher degree of mobility and are not joined to a domain. For these PCs, you can leverage mobile device management (MDM) services or Windows Update for Business to provide the same type of control provided today with WSUS or Configuration Manager.
-
-For PCs enrolled in a mobile device management (MDM) service, Windows 10 provides new update approval mechanisms that could be leveraged to delay the installation of a new feature upgrade or any other update. Windows Update for Business will eventually provide these and other capabilities to manage upgrades and updates; more details on these capabilities will be provided when they are available later in 2015.
-
-With the release of each Current Branch feature update, new ISO images will be made available. You can use these images to upgrade existing machines or to create new custom images. These feature upgrades will also be published with WSUS to enable simple deployment to devices already running Windows 10.
-
-Unlike previous versions of Windows, the servicing lifetime of Current Branch or Current Branch for Business is finite. You must install new feature upgrades on machines running these branches in order to continue receiving monthly security updates. This requires new ways of thinking about software deployment. It is best to align your deployment schedule with the Current Branch release schedule:
-
-- Begin your evaluation process with the Windows Insider Program releases.
-
-- Perform initial pilot deployments by using the Current Branch.
-
-- Expand to broad deployment after the Current Branch for Business is available.
-
-- Complete deployments by using that release in advance of the availability of the next Current Branch.
-
-
-
-Figure 2. Deployment timeline
-
-Some organizations may require more than 12 months to deploy Windows 10 to all of their existing PCs. To address this, it may be necessary to deploy multiple Windows 10 releases, switching to these new releases during the deployment project. Notice how the timelines can overlap, with the evaluation of one release happening during the pilot and deployment of the previous release:
-
-
-
-Figure 3. Overlapping releases
-
-As a result of these overlapping timelines, organizations can choose which release to deploy. Note though that by continuing for longer with one release, that gives you less time to deploy the subsequent release (to both existing Windows 10 PCs as well as newly-migrated ones), so staying with one release for the full lifetime of that release can be detrimental overall.
-
-## Long-Term Servicing Branch
-
-
-For specialized devices, Windows 10 Enterprise Long Term Servicing Branch (LTSB) ISO images will be made available. These are expected to be on a variable schedule, less often than CB and CBB releases. Once released, these will be supported with security and reliability fixes for an extended period; no new features will be added over its servicing lifetime. Note that LTSB images will not contain most in-box Universal Windows Apps (for example, Microsoft Edge, Cortana, the Windows Store, the Mail and Calendar apps) because the apps or the services that they use will be frequently updated with new functionality and therefore cannot be supported on PCs running the LTSB OS.
-
-These LTSB images can be used to upgrade existing machines or to create new custom images.
-
-Note that Windows 10 Enterprise LTSB installations fully support the Universal Windows Platform, with the ability to run line-of-business apps created using the Windows SDK, Visual Studio, and related tools capable of creating Universal Windows apps. For apps from other ISVs (including those published in the Windows Store), contact the ISV to confirm if they will provide long-term support for their specific apps.
-
-As mentioned previously, there are few, if any, scenarios where an organization would use the Long-Term Servicing Branch for every PC – or even for a majority of them.
-
-## Windows Insider Program
-
-
-During the development of a new Windows 10 feature update, preview releases will be made available to Windows Insider Program participants. This enables those participants to try out new features, check application compatibility, and provide feedback during the development process.
-
-To obtain Windows Insider Program builds, the Windows Insider Program participants must opt in through the Settings app, and specify their Microsoft account.
-
-Occasionally (typically as features are made available to those in the Windows Insider Program “slow” ring), new ISO images will be released to enable deployment validation, testing, and image creation.
-
-## Switching between branches
-
-
-During the life of a particular PC, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
-
-
-
-
-
+Windows 10 enables organizations to fulfill the desire to provide users with the latest features while balancing the need for manageability and cost control. To keep pace with technology, there are good business reasons to keep a significant portion of your enterprise's devices *current* with the latest release of Windows.
## Related topics
-
-[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
-
-[Windows 10 compatibility](windows-10-compatibility.md)
-
-[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
-
-
-
-
-
-
-
-
-
+[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
-
-
-
-For a PC that uses…
-Changing to…
-You need to:
-
-
-Windows Insider Program
-Current Branch
-Wait for the final Current Branch release.
-
-
-
- Current Branch for Business
-Not directly possible, because Windows Insider Program machines are automatically upgraded to the Current Branch release at the end of the development cycle.
-
-
-
- Long-Term Servicing Branch
-Not directly possible (requires wipe-and-load).
-
-
-Current Branch
-Insider
-Use the Settings app to enroll the device in the Windows Insider Program.
-
-
-
- Current Branch for Business
-Select the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.
-
-
-
- Long-Term Servicing Branch
-Not directly possible (requires wipe-and-load).
-
-
-Current Branch for Business
-Insider
-Use the Settings app to enroll the device in the Windows Insider Program.
-
-
-
- Current Branch
-Disable the Defer upgrade setting, or move the PC to a target group or flight that will receive the latest Current Branch release.
-
-
-
- Long-Term Servicing Branch
-Not directly possible (requires wipe-and-load).
-
-
-Long-Term Servicing Branch
-Insider
-Use media to upgrade to the latest Windows Insider Program build.
-
-
-
- Current Branch
-Use media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)
-
-
-
-
- Current Branch for Business
-Use media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.
-
+[Windows 10 compatibility](windows-10-compatibility.md)
+[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
\ No newline at end of file
diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md
index 5bd63a42af..48f7a4f853 100644
--- a/windows/whats-new/credential-guard.md
+++ b/windows/whats-new/credential-guard.md
@@ -13,6 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
+- Windows Server 2016
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md
index ed8847ee60..28e92f028b 100644
--- a/windows/whats-new/device-guard-overview.md
+++ b/windows/whats-new/device-guard-overview.md
@@ -15,96 +15,19 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows 10 Mobile
+- Windows Server 2016
Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when.
+
Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
+
For details on how to implement Device Guard, see [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
+
## Why use Device Guard
With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise.
Device Guard also helps protect against [zero day attacks](http://go.microsoft.com/fwlink/p/?linkid=534209) and works to combat the challenges of [polymorphic viruses](http://go.microsoft.com/fwlink/p/?LinkId=534210).
-### Advantages to using Device Guard
-You can take advantage of the benefits of Device Guard, based on what you turn on and use:
-- Helps provide strong malware protection with enterprise manageability
-- Helps provide the most advanced malware protection ever offered on the Windows platform
-- Offers improved tamper resistance
-## How Device Guard works
-Device Guard restricts the Windows 10 Enterprise operating system to only running code that’s signed by trusted signers, as defined by your Code Integrity policy through specific hardware and security configurations, including:
-- User Mode Code Integrity (UMCI)
-- New kernel code integrity rules (including the new Windows Hardware Quality Labs (WHQL) signing constraints)
-- Secure Boot with database (db/dbx) restrictions
-- Virtualization-based security to help protect system memory and kernel mode apps and drivers from possible tampering.
-- **Optional:** Trusted Platform Module (TPM) 1.2 or 2.0
-Device Guard works with your image-building process, so you can turn the virtualization-based security feature on for capable devices, configure your Code Integrity policy, and set any other operating system settings you require for Windows 10 Enterprise. After that, Device Guard works to help protect your devices:
-1. Your device starts up using Universal Extensible Firmware Interface (UEFI) Secure Boot, so that boot kits can’t run and so that Windows 10 Enterprise starts before anything else.
-2. After securely starting up the Windows boot components, Windows 10 Enterprise can start the Hyper-V virtualization-based security services, including Kernel Mode Code Integrity. These services help protect the system core (kernel), privileged drivers, and system defenses, like anti-malware solutions, by preventing malware from running early in the boot process, or in kernel after startup.
-3. Device Guard uses UMCI to make sure that anything that runs in User mode, such as a service, a Universal Windows Platform (UWP) app, or a Classic Windows application is trusted, allowing only trusted binaries to run.
-4. At the same time that Windows 10 Enterprise starts up, so too does the trusted platform module (TPM). TPM provides an isolated hardware component that helps protect sensitive information, such as user credentials and certificates.
-## Required hardware and software
-The following table shows the hardware and software you need to install and configure to implement Device Guard.
-
-
-
-## Before using Device Guard in your company
-Before you can successfully use Device Guard, you must set up your environment and your policies.
-### Signing your apps
-Device Guard mode supports both UWP apps and Classic Windows applications. Trust between Device Guard and your apps happen when your apps are signed using a signature that you determine to be trustworthy. Not just any signature will work.
-This signing can happen by:
-- **Using the Windows Store publishing process.** All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own.
-- **Using your own digital certificate or public key infrastructure (PKI).** ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers.
-- **Using a non-Microsoft signing authority.** ISV's and enterprises can use a trusted non-Microsoft signing authority to sign all of their own Classic Windows applications.
-- **Use the Device Guard signing portal**. Available in the Windows Store for Business, you can use a Microsoft web service to sign your Classic Windows applications. For more info, see [Device Guard signing](../manage/device-guard-signing-portal.md).
-### Code Integrity policy
-Before you can use the app protection included in Device Guard, you must create a Code Integrity policy using tools provided by Microsoft, but deployed using your current management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 Enterprise, along with restrictions on Windows 10 script hosts. This policy restricts what code can run on a device.
-For the Device Guard feature, devices should only have Code Integrity pre-configured if the settings are provided by a customer for a customer-provided image.
-**Note** This XML document can be signed in Windows 10 Enterprise, helping to add additional protection against administrative users changing or removing this policy.
-
-### Virtualization-based security using Windows 10 Enterprise Hypervisor
-Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer.
-**Important** Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers - legacy drivers can be updated - and have all virtualization capabilities turned on. This includes virtualization extensions and input/output memory management unit (IOMMU) support.
-
-
-
+## Virtualization-based security using Windows 10 Enterprise Hypervisor
+
+Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer.
+
+>**Important** Device Guard devices that run Kernel Code Integrity with virtualization-based security (VBS) must have compatible drivers (legacy drivers can be updated) and meet requirements for the hardware and firmware that support virtualization-based security. For more information, see [Hardware, firmware, and software requirements for Device Guard](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard)
diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md
index cc29c76faa..4b157c50e8 100644
--- a/windows/whats-new/edp-whats-new-overview.md
+++ b/windows/whats-new/edp-whats-new-overview.md
@@ -16,76 +16,61 @@ author: eross-msft
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud.
+With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
-Many of the existing solutions try to address this issue by requiring employees to switch between personal and work containers and apps, which can lead to a less than optimal user experience. The feature code-named enterprise data protection (EDP) offers a better user experience, while helping to better separate and protect enterprise apps and data against disclosure risks across both company and personal devices, without requiring changes in environments or apps. Additionally, EDP when used with Rights Management Services (RMS), can help to protect your enterprise data locally, persisting the protection even when your data roams or is shared.
+Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
## Benefits of EDP
EDP provides:
-- Additional protection against enterprise data leakage, with minimal impact on employees’ regular work practices.
-- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
-- Additional data protection for existing line-of-business apps without a need to update the apps.
-- Ability to wipe corporate data from devices while leaving personal data alone.
-- Use of audit reports for tracking issues and remedial actions.
-- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager (version 1511 or later)’, or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company.
-- Additional protection for your data (through RMS integration) while roaming and sharing, like when you share encrypted content through Outlook or move encrypted files to USB keys.
-- Ability to manage Office universal apps on Windows 10 devices using an MDM solution to help protect corporate data. To manage Office mobile apps for Android and iOS devices, see technical resources [here]( http://go.microsoft.com/fwlink/p/?LinkId=526490).
+- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
+
+- Additional data protection for existing line-of-business apps without a need to update the apps.
+
+- Ability to wipe corporate data from devices while leaving personal data alone.
+
+- Use of audit reports for tracking issues and remedial actions.
+
+- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager (version 1511 or later), or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company.
## Enterprise scenarios
-
EDP currently addresses these enterprise scenarios:
-- You can encrypt enterprise data on employee-owned and corporate-owned devices.
-- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
-- You can select specific apps that can access enterprise data, called "protected apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
-- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
+- You can encrypt enterprise data on employee-owned and corporate-owned devices.
-### Enterprise data security
+- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
-As an enterprise admin, you need to maintain the security and confidentiality of your corporate data. Using EDP you can help ensure that your corporate data is protected on your employee-owned computers, even when the employee isn’t actively using it. In this case, when the employee initially creates the content on a managed device he’s asked whether it’s a work document. If it's a work document, it becomes locally-protected as enterprise data.
+- You can select specific apps that can access enterprise data, called "allowed apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
-### Persistent data encryption
+- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
-EDP helps keep your enterprise data protected, even when it roams. Apps like Office and OneNote work with EDP to persist your data encryption across locations and services. For example, if an employee opens EDP-encrypted content from Outlook, edits it, and then tries to save the edited version with a different name to remove the encryption, it won’t work. Outlook automatically applies EDP to the new document, keeping the data encryption in place.
+## Why use EDP?
+EDP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
-### Remotely wiping devices of enterprise data
-EDP also offers the ability to remotely wipe your corporate data from all devices managed by you and used by an employee, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen computer.
-In this case, documents are stored locally, and encrypted with an enterprise identity. When you verify that you have to wipe the device, you can send a remote wipe command through your mobile device management system so when the device connects to the network, the encryption keys are revoked and the enterprise data is removed. This action only affects devices that have been targeted by the command. All other devices will continue to work normally.
+- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. EDP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
-### Protected apps and restrictions
+- **Manage your enterprise documents, apps, and encryption modes.**
-Using EDP you can control the set of apps that are made "protected apps", or apps that can access and use your enterprise data. After you add an app to your **Protected App** list, it’s trusted to use enterprise data. All apps not on this list are treated as personal and are potentially blocked from accessing your corporate data, depending on your EDP protection-mode.
-As a note, your existing line-of-business apps don’t have to change to be included as protected apps. You simply have to include them in your list.
+ - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device.
-### Great employee experiences
+ - **Using allowed apps.** Managed apps (apps that you've included on the allowed apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
-EDP can offer a great user experience by not requiring employees to switch between apps to protect corporate data. For example, while checking work emails in Microsoft Outlook, an employee gets a personal message. Instead of having to leave Outlook, both the work and personal messages appear on the screen, side-by-side.
+ - **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your EDP management-mode.
+
+ You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in your protected apps list.
-#### Using protected apps
+ - **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list.
-Protected apps are allowed to access your enterprise data and will react differently with other non-protected or personal apps. For example, if your EDP-protection mode is set to block, your protected apps will let the employee copy and paste information between other protected apps, but not with personal apps. Imagine an HR person wants to copy a job description from a protected app to an internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that it couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website and it works without a problem.
+ - **Data encryption at rest.** EDP helps protect enterprise data on local files and on removable media.
+
+ Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document.
-#### Copying or downloading enterprise data
+ - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
-Downloading content from a location like SharePoint or a network file share, or an enterprise web location, such as Office365.com automatically determines that the content is enterprise data and is encrypted as such, while it’s stored locally. The same applies to copying enterprise data to something like a USB drive. Because the content is already marked as enterprise data locally, the encryption is persisted on the new device.
+ - **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
-#### Changing the EDP protection
-
-Employees can change enterprise data protected documents back to personal if the document is wrongly marked as enterprise. However, this requires the employee to take an action and is audited and logged for you to review
-
-### Deciding your level of data access
-
-EDP lets you decide to block, allow overrides, or silently audit your employee's data sharing actions. Blocking the action stops it immediately, while allowing overrides let the employee know there's a problem, but lets the employee continue to share the info, and silent just logs the action without stopping it, letting you start to see patterns of inappropriate sharing so you can take educative action.
-
-### Helping prevent accidental data disclosure to public spaces
-
-EDP helps protect your enterprise data from being shared to public spaces, like the public cloud, accidentally. For example, if an employee stores content in the **Documents** folder, which is automatically synched with OneDrive (an app on your Protected Apps list), then the document is encrypted locally and not synched it to the user’s personal cloud. Likewise, if other synching apps, like Dropbox™, aren’t on the Protected Apps list, they also won’t be able to sync encrypted files to the user’s personal cloud.
-
-### Helping prevent accidental data disclosure to other devices
-
-EDP helps protect your enterprise data from leaking to other devices while transferring or moving between them. For example, if an employee puts corporate data on a USB key that also includes personal data, the corporate data remains encrypted even though the personal information remains open. Additionally, the encryption continues when the employee copies the encrypted content back to another corporate-managed device.
+ - **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
## Turn off EDP
diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md
index 15350dc9c4..13c6a7e5b8 100644
--- a/windows/whats-new/security-auditing.md
+++ b/windows/whats-new/security-auditing.md
@@ -10,9 +10,11 @@ ms.pagetype: security, mobile
---
# What's new in security auditing?
+
**Applies to**
- Windows 10
- Windows 10 Mobile
+- Windows Server 2016
Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment.
diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md
index 9937fada56..18a325aa7f 100644
--- a/windows/whats-new/trusted-platform-module.md
+++ b/windows/whats-new/trusted-platform-module.md
@@ -14,6 +14,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows 10 Mobile
+- Windows Server 2016
This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10.
-
-
-
-Requirement
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-