Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into FromPrivateRepo

devices/hololens/TOC.md

@@ -6,4 +6,5 @@
 ## [Set up HoloLens in kiosk mode](hololens-kiosk.md)
 ## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
 ## [Install apps on HoloLens](hololens-install-apps.md)
+## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
 ## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)

devices/hololens/change-history-hololens.md

@@ -8,13 +8,19 @@ ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 12/20/2017
 ---
 
 # Change history for Microsoft HoloLens documentation
 
 This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
 
+## December 2017
+
+New or changed topic | Description
+--- | ---
+[Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | New
+
 ## May 2017
 
 | New or changed topic | Description |

devices/hololens/hololens-encryption.md

@@ -0,0 +1,123 @@
+---
+title: Enable Bitlocker encryption for HoloLens (HoloLens)
+description: Enable Bitlocker device encryption to protect files stored on the HoloLens  
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: hololens, devices
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 12/20/2017
+---
+
+# Enable encryption for HoloLens
+
+You can enable [Bitlocker device encryption](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview) to protect files and information stored on the HoloLens. Device encryption helps protect your data by encrypting it using AES-CBC 128 encryption method, which is equivalent to [EncryptionMethodByDriveType method 3](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype) in the BitLocker configuration service provider (CSP). Only someone with the right encryption key (such as a password) can decrypt it or perform a data recovery.
+
+
+
+## Enable device encryption using MDM
+
+You can use your mobile device management (MDM) provider to apply a policy that requires device encryption. The policy used is the [Security/RequireDeviceEncryption setting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-requiredeviceencryption) in the Policy CSP.
+
+In the following steps, Microsoft Intune is used as the example. For other MDM tools, see your MDM provider's documentation for instructions.
+
+1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
+
+2. Use **Search** or go to **More services** to open the Intune blade.
+
+3. Go to **Device configuration > Profiles**, and select **Create profile**.
+
+    ![Intune create profile option](images/encrypt-create-profile.png)
+
+4. Enter a name of your choice, select **Windows 10 and later** for the platform,  select **Custom** for the profile type, and then select **Add**.
+
+    ![Intune custom setting screen](images/encrypt-custom.png)
+
+5. In **Add Row OMA-URI Settings**, enter or select the following information:
+    - **Name**: a name of your choice
+    - **Description**: optional
+    - **OMA-URI**: `./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption`
+    - **Data type**: integer
+    - **Value**: `1`
+
+    ![Intune OMA-URI settings for encryption](images/encrypt-oma-uri.png)
+
+6. Select **OK**, select **OK**, and then select **Create**. The blade for the profile opens automatically.
+
+7. Select **Assignments** to assign the profile to a group. After you configure the assignment, select **Save**.
+
+![Intune profile assignment screen](images/encrypt-assign.png)
+
+## Enable device encryption using a provisioning package
+
+Provisioning packages are files created by the Windows Configuration Designer tool that apply a specified configuration to a device. 
+
+### Create a provisioning package that upgrades the Windows Holographic edition
+
+1.	[Create a provisioning package for HoloLens.](hololens-provisioning.md#create-a-provisioning-package-for-hololens)
+
+2.  Go to **Runtime settings** > **Policies** > **Security**, and select **RequireDeviceEncryption**.
+
+    ![Require device encryption setting configured to yes](images/device-encryption.png)
+
+2.	Browse to and select the XML license file that was provided when you purchased the Commercial Suite.
+
+    >[!NOTE]
+    >You can configure [additional settings in the provisioning package](hololens-provisioning.md).
+
+3. On the **File** menu, click **Save**. 
+
+4. Read the warning that project files may contain sensitive information, and click **OK**.
+
+    >[!IMPORTANT]
+    >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+    
+3. On the **Export** menu, click **Provisioning package**.
+
+4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next**.
+
+5. Set a value for **Package Version**.
+
+    >[!TIP]
+    >You can make changes to existing packages and change the version number to update previously applied packages.
+
+6. On the **Select security details for the provisioning package**, click **Next**.
+
+7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+
+    Optionally, you can click Browse to change the default output location.
+
+8. Click **Next**.
+
+9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+
+10. When the build completes, click **Finish**. 
+
+
+### Apply the provisioning package to HoloLens
+
+1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of the initial setup experience (the first page with the blue box).
+
+2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously.
+
+3. HoloLens will show up as a device in File Explorer on the PC.
+
+4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
+
+5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page.
+
+6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
+
+7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with device setup.
+
+>[!NOTE]
+>If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. 
+
+## Verify device encryption
+
+Encryption is silent on HoloLens. To verify the device encryption status:
+ 
+-	On HoloLens, go to **Settings** > **System** > **About**. **Bitlocker** is **enabled** if the device is encrypted. 
+
+![About screen showing Bitlocker enabled](images/about-encryption.png)

devices/hololens/hololens-install-apps.md

@@ -7,17 +7,14 @@ ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 12/20/2017
 ---
 
 # Install apps on HoloLens
 
 The recommended way to install Universal Windows Platform (UWP) apps on HoloLens is to use Microsoft Store for Business. You can make your own [line-of-business application](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps) available through Microsoft Store for Business.
 
-You can also deploy apps using your mobile device management (MDM) provider or use the Windows Device Portal to install apps, if you enable **Developer Mode** on the HoloLens device.
-
->[!IMPORTANT]
-    >When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device.**Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
+You can also deploy apps using your mobile device management (MDM) provider or use the Windows Device Portal to install apps.
 
 ## Use Microsoft Store for Business to deploy apps to HoloLens
 
@@ -46,23 +43,32 @@ In your Microsoft Store for Business dashboard, you can also download apps to di
 
 ### Install apps on HoloLens from Microsoft Store for Business
 
-The method that you use to install an app from your Microsoft Store for Business on HoloLens depends on the the distribution method that you choose.
+The method that you use to install an app from your Microsoft Store for Business on HoloLens depends on the distribution method that you choose.
 
 | Distribution method | To install on HoloLens|
 | --- | --- |
-| Using private store | Open the Store app and select the tab for your organization to choose from available apps.  |
-| Using MDM | [You can configure MDM to synchronize your Store for Business inventory.](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool)  |
+| [Using private store](https://docs.microsoft.com/microsoft-store/distribute-apps-from-your-private-store) | Open the Store app and select the tab for your organization to choose from available apps.  |
+| Using MDM | [You can configure MDM to synchronize your Store for Business inventory.](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool)</br></br> See the **Important** note in [Use MDM to deploy apps to HoloLens.](#use-mdm-to-deploy-apps-to-hololens) |
 
 
 
 ## Use MDM to deploy apps to HoloLens
 
+>[!IMPORTANT]
+>Online-licensed apps cannot be deployed with Microsoft Store for Business on HoloLens via an MDM provider. If attempted, apps will remain in “downloading” state. Instead, you can use your MDM provider to deploy MDM-hosted apps to HoloLens, or deploy offline-licensed apps to HoloLens via Store for Business
+
+
 You can deploy UWP apps to HoloLens using your MDM provider. For Intune instructions, see [Deploy apps in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/add-apps).
 
 Using Intune, you can also [monitor your app deployment](https://docs.microsoft.com/intune/deploy-use/monitor-apps-in-microsoft-intune).
 
 
-## Use the Windows Device Portal to install apps on HoloLens.
+
+## Use the Windows Device Portal to install apps on HoloLens
+
+>[!IMPORTANT]
+>When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
+
 1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. 
 
 2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_usb).

devices/hololens/hololens-provisioning.md

@@ -96,7 +96,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
 7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
 
 >[!NOTE]
->If the device was purchased before August 2016, you will need to sign into the device with aa Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
+>If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
 
 ## What you can configure
 

devices/hololens/hololens-upgrade-enterprise.md

@@ -71,7 +71,7 @@ For more information about groups, see [Use groups to manage users and devices i
 
 ## Edition upgrade using a provisioning package
 
-Provisioning packages are files created by the Windows Imaging and Configuration Designer (ICD) tool that apply a specified configuration to a device. 
+Provisioning packages are files created by the Windows Configuration Designer tool that apply a specified configuration to a device. 
 
 ### Create a provisioning package that upgrades the Windows Holographic edition
 
@@ -106,7 +106,7 @@ Provisioning packages are files created by the Windows Imaging and Configuration
 
 7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
 
-    Optionally, you can click Browse to change the default output location.
+    Optionally, you can click **Browse** to change the default output location.
 
 8. Click **Next**.
 
@@ -132,7 +132,7 @@ Provisioning packages are files created by the Windows Imaging and Configuration
 7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with device setup.
 
 >[!NOTE]
->If the device was purchased before August 2016, you will need to sign into the device with aa Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. 
+>If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. 
 
 
 

windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md

@@ -55,7 +55,7 @@ The **File in organization** section provides details on the prevalence of the f
 
 ![Image of file in organization](images/atp-file-in-org.png)
 
-## Most recent observed machine with the file
+## Most recent observed machines with the file
 The **Most recent observed machines with the file** section allows you to specify a date range to see which machines have been observed with the file.
 
 ![Image of most recent observed machine with the file](images/atp-observed-machines.png)