[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) |
diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
index af9f471ce3..ec41aa5d9a 100644
--- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
+++ b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
@@ -33,7 +33,7 @@ When a user encounters an error when creating the work PIN, advise the user to t
1. Try to create the PIN again. Some errors are transient and resolve themselves.
-2. Log out, log in, and try to create the PIN again.
+2. Sign out, sign in, and try to create the PIN again.
3. Reboot the device and then try to create the PIN again.
@@ -44,11 +44,7 @@ When a user encounters an error when creating the work PIN, advise the user to t
If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
-
-
-
-
-
+
-
-| 0x801C03ED |
-Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed
--or-
-Token was not found in the Authorization header
--or-
-Failed to read one or more objects |
-Unjoin the device from Azure Active Directory (Azure AD) and rejoin |
-
+
| 0x801C044D |
Authorization token does not contain device ID |
Unjoin the device from Azure AD and rejoin |
+
| 0x80090036 |
User cancelled an interactive dialog |
@@ -95,6 +84,10 @@ If the error occurs again, check the error code against the following table to s
0x80090005 |
NTE_BAD_DATA |
Unjoin the device from Azure AD and rejoin |
+
+| 0x80090029 |
+TPM is not set up. |
+Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
| 0x80090031 |
@@ -124,17 +117,17 @@ If the error occurs again, check the error code against the following table to s
| 0x801C0010 |
The AIK certificate is not valid or trusted |
-Log out and then log in again. |
+Sign out and then sign in again. |
| 0x801C0011 |
The attestation statement of the transport key is invalid |
-Log out and then log in again. |
+Sign out and then sign in again. |
| 0x801C0012 |
Discovery request is not in a valid format |
-Log out and then log in again. |
+Sign out and then sign in again. |
| 0x801C0015 |
@@ -159,7 +152,7 @@ If the error occurs again, check the error code against the following table to s
| 0x801C03E9 |
Server response message is invalid |
-Log out and then log in again. |
+Sign out and then sign in again. |
| 0x801C03EA |
@@ -169,37 +162,42 @@ If the error occurs again, check the error code against the following table to s
| 0x801C03EB |
Server response http status is not valid |
-Log out and then log in again. |
+Sign out and then sign in again. |
| 0x801C03EC |
Unhandled exception from server. |
-Log out and then log in again. |
+sign out and then sign in again. |
| 0x801C03ED |
-The request sent to the server was invalid. |
-Log out and then log in again. |
+Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed
+-or-
+Token was not found in the Authorization header
+-or-
+Failed to read one or more objects
+-or- The request sent to the server was invalid. |
+Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin. |
| 0x801C03EE |
Attestation failed |
-Log out and then log in again. |
+Sign out and then sign in again. |
| 0x801C03EF |
The AIK certificate is no longer valid |
-Log out and then log in again. |
+Sign out and then sign in again. |
| 0x801C044D |
Unable to obtain user token |
-Log out and then log in again. Check network and credentials. |
+Sign out and then sign in again. Check network and credentials. |
| 0x801C044E |
Failed to receive user creds input |
-Log out and then log in again. |
+Sign out and then sign in again. |
@@ -214,6 +212,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
| Hex | Cause |
|-------------|-------------------------------------------------------------------------------------------------------|
| 0x80072f0c | Unknown |
+| 0x80070057 | Invalid parameter or argument is passed |
| 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. |
| 0x8009002D | NTE\_INTERNAL\_ERROR |
| 0x80090020 | NTE\_FAIL |
diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md
index d2d62ba501..ab603ccb7a 100644
--- a/windows/keep-secure/microsoft-passport-guide.md
+++ b/windows/keep-secure/microsoft-passport-guide.md
@@ -4,6 +4,7 @@ description: This guide describes the new Windows Hello and Microsoft Passport t
ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84
keywords: ["security", "credential", "password", "authentication"]
ms.prod: W10
+ms.pagetype: security
ms.mktglfcycl: plan
ms.sitesec: library
author: challum
@@ -405,7 +406,7 @@ Table 1. Deployment requirements for Microsoft Passport
-Note that the current release of Windows 10 supports the Azure AD–only scenarios. Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities.
+Note that the current release of Windows 10 supports the Azure AD–only (RTM) and hybrid scenarios (RTM + November Update). Microsoft provides the forward-looking guidance in Table 1 to help organizations prepare their environments for planned future releases of Microsoft Passport for Work capabilities.
**Select policy settings**
@@ -465,17 +466,19 @@ In the Windows 10 initial release, Microsoft supports the following Microsoft P
- Microsoft Passport for Work support for organizations that have cloud-only Azure AD deployments
-- Group Policy settings to control Microsoft Passport PIN length and complexity
+- Group Policy and MDM settings to control Microsoft Passport PIN length and complexity
+
+In the November 2015 release, Microsoft supports the following Microsoft Passport and Windows Hello features:
+
+- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments
+
+- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates
In future releases of Windows 10, we plan to add support for additional features:
-- Additional biometric identifier types, including iris recognition
-
-- Key-based Microsoft Passport for Work credentials for on-premises Azure AD deployments and hybrid on-premises/Azure AD deployments
-
-- Microsoft Passport for Work certificates issued by a trusted PKI, including smart card and virtual smart card certificates
-
-- TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake)
+- Key-based and certificate-based Microsoft Passport for Work credentials for on-premises AD deployments
+
+- TPM attestation to protect keys so that a malicious user or program can’t create keys in software (because those keys won’t be TPM attested and can thus be identified as fake)
In the longer term, Microsoft will continue to improve on and expand the features of both Microsoft Passport and Windows Hello to cover additional customer requirements for manageability and security. We also are working with the FIDO Alliance and a variety of third parties to encourage adoption of Microsoft Passport by both web and LOB application developers.
diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md
index 6c688aa008..132514c566 100644
--- a/windows/keep-secure/protect-enterprise-data-using-edp.md
+++ b/windows/keep-secure/protect-enterprise-data-using-edp.md
@@ -17,7 +17,7 @@ author: eross-msft
[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage.
+With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside EDP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 1d7eabec2a..5d96128049 100644
--- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -6,7 +6,7 @@ keywords: ["security", "BYOD", "malware", "device health attestation", "mobile"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
-author: brianlic-msft
+author: arnaudjumelet
---
# Control the health of Windows 10-based devices
diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md
index 82168aa9c3..651ed1468f 100644
--- a/windows/keep-secure/tpm-recommendations.md
+++ b/windows/keep-secure/tpm-recommendations.md
@@ -31,7 +31,15 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based,
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
-Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG).
+Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
+
+TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features.
+
+The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
+
+OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM.
+
+The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not.
**Note**
Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -41,11 +49,10 @@ Some information relates to pre-released product which may be substantially modi
## TPM 1.2 vs. 2.0 comparison
-From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0. As indicated in the table below, TPM 2.0 has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
+From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
## Why TPM 2.0?
-
TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
@@ -65,7 +72,6 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
## Discrete or firmware TPM?
-
Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option.
From a security standpoint, discrete and firmware share the same characteristics;
@@ -77,20 +83,22 @@ From a security standpoint, discrete and firmware share the same characteristics
For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236).
-## TPM 2.0 Compliance for Windows 10 in the future
+## Is there any importance for TPM for consumer?
+For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, secures streaming high quality 4K content and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
-
-All shipping devices for Windows 10 across all SKU types must be using TPM 2.0 discrete or firmware from **July 28, 2016**. This requirement will be enforced through our Windows Hardware Certification program.
+## TPM 2.0 Compliance for Windows 10
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
-- With Windows 10 as with Windows 8, all connected standby systems are required to include TPM 2.0 support.
-- For Windows 10 and later, if a SoC is chosen that includes an integrated fTPM2.0, the device must ship with the fTPM FW support or a discrete TPM 1.2 or 2.0.
-- Starting **July 28th, 2016** all devices shipping with Windows 10 desktop must implement TPM 2.0 and ship with the TPM enabled.
+- As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
+
+## Two implementation options:
+• Discrete TPM chip as a separate discrete component
+• Firmware TPM solution using Intel PTT (platform trust technology) or AMD
### Windows 10 Mobile
-- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM enabled.
+- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled.
### IoT Core
@@ -102,7 +110,6 @@ All shipping devices for Windows 10 across all SKU types must be using TPM 2.0 d
## TPM and Windows Features
-
The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly.
@@ -124,7 +131,7 @@ The following table defines which Windows features require TPM support. Some fea
-| Measure Boot |
+Measured Boot |
Required |
Required |
Required |
@@ -147,7 +154,7 @@ The following table defines which Windows features require TPM support. Some fea
| Passport: MSA or Local Account |
n/a |
-Not Required |
+Required |
Required |
TPM 2.0 is required with HMAC and EK certificate for key attestation support. |
@@ -175,7 +182,7 @@ The following table defines which Windows features require TPM support. Some fea
| Device Health Attestation |
n/a |
-Not Required |
+Required |
Required |
|
@@ -240,6 +247,7 @@ There are a variety of TPM manufacturers for both discrete and firmware.
- Infineon
- Nuvoton
+- Atmel
- NationZ
- ST Micro
|
@@ -274,11 +282,12 @@ There are a variety of TPM manufacturers for both discrete and firmware.
| Intel |
-- Clovertrail
-- Haswell
-- Broadwell
-- Skylake
+- Atom (CloverTrail)
- Baytrail
+- 4th generation(Haswell)
+- 5th generation(Broadwell)
+- Braswell
+- Skylake
|
@@ -301,7 +310,7 @@ There are a variety of TPM manufacturers for both discrete and firmware.
### Certified TPM parts
-Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have targeted completion of certification by the end of 2015.
+Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have completion certification.
### Windows 7 32-bit support
diff --git a/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
new file mode 100644
index 0000000000..8da09ab38e
--- /dev/null
+++ b/windows/keep-secure/user-account-control-group-policy-and-registry-key-settings.md
@@ -0,0 +1,195 @@
+---
+title: User Account Control Group Policy and registry key settings (Windows 10)
+description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+---
+
+# User Account Control Group Policy and registry key settings
+
+**Applies to**
+
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+## Group Policy settings
+There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).
+
+
+| Group Policy setting | Registry key | Default |
+| - | - | - | - |
+| [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled |
+| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
+| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
+| [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials on the secure desktop |
+| [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home)
Disabled (default for enterprise) |
+| [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled |
+| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled |
+| [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Enabled |
+| [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Enabled |
+| [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | Enabled |
+
+### User Account Control: Admin Approval Mode for the built-in Administrator account
+
+The **User Account Control: Admin Approval Mode for the built-in Administrator account** policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
+
+The options are:
+
+- **Enabled.** The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
+- **Disabled.** (Default) The built-in Administrator account runs all applications with full administrative privilege.
+
+
+### User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
+
+The **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
+
+The options are:
+
+- **Enabled.** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
+- **Disabled.** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting.
+
+UIA programs are designed to interact with Windows and application programs on behalf of a user. This policy setting allows UIA programs to bypass the secure desktop to increase usability in certain cases; however, allowing elevation requests to appear on the interactive desktop instead of the secure desktop can increase your security risk.
+
+UIA programs must be digitally signed because they must be able to respond to prompts regarding security issues, such as the UAC elevation prompt. By default, UIA programs are run only from the following protected paths:
+
+- ...\\Program Files, including subfolders
+- ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
+- ...\\Windows\\System32
+
+The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting disables the requirement to be run from a protected path.
+
+While this policy setting applies to any UIA program, it is primarily used in certain remote assistance scenarios, including the Windows Remote Assistance program in Windows 7.
+
+If a user requests remote assistance from an administrator and the remote assistance session is established, any elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator's session during elevation requests, the user may select the **Allow IT Expert to respond to User Account Control prompts** check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation.
+
+If you enable this policy setting, requests for elevation are automatically sent to the interactive desktop (not the secure desktop) and also appear on the remote administrator's view of the desktop during a remote assistance session. This allows the remote administrator to provide the appropriate credentials for elevation.
+
+This policy setting does not change the behavior of the UAC elevation prompt for administrators.
+
+If you plan to enable this policy setting, you should also review the effect of the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user.
+
+
+### User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
+
+The **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting controls the behavior of the elevation prompt for administrators.
+
+The options are:
+
+- **Elevate without prompting.** Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
+
+ **Note** Use this option only in the most constrained environments.
+
+- **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
+- **Prompt for consent on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
+- **Prompt for credentials.** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- **Prompt for consent.** When an operation requires elevation of privilege, the user is prompted to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
+- **Prompt for consent for non-Windows binaries.** (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
+
+
+### User Account Control: Behavior of the elevation prompt for standard users
+
+The **User Account Control: Behavior of the elevation prompt for standard users** policy setting controls the behavior of the elevation prompt for standard users.
+
+The options are:
+
+- **Automatically deny elevation requests.** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
+- **Prompt for credentials on the secure desktop.** (Default) When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- **Prompt for credentials.** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+### User Account Control: Detect application installations and prompt for elevation
+
+The **User Account Control: Detect application installations and prompt for elevation** policy setting controls the behavior of application installation detection for the computer.
+
+The options are:
+
+- **Enabled.** (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- **Disabled.** (Default for enterprise) Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
+
+### User Account Control: Only elevate executables that are signed and validated
+
+The **User Account Control: Only elevate executables that are signed and validated** policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
+
+The options are:
+
+- **Enabled.** Enforces the PKI certification path validation for a given executable file before it is permitted to run.
+- **Disabled.** (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
+
+### User Account Control: Only elevate UIAccess applications that are installed in secure locations
+
+The **User Account Control: Only elevate UIAccess applications that are installed in secure locations** policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
+
+- ...\\Program Files, including subfolders
+- ...\\Windows\\system32
+- ...\\Program Files (x86), including subfolders for 64-bit versions of Windows
+
+**Note** Windows enforces a PKI signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
+
+The options are:
+
+- **Enabled.** (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
+- **Disabled.** An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
+
+### User Account Control: Run all administrators in Admin Approval Mode
+
+The **User Account Control: Run all administrators Admin Approval Mode** policy setting controls the behavior of all UAC policy settings for the computer. If you change this policy setting, you must restart your computer.
+
+The options are:
+
+- **Enabled.** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the **Administrators** group to run in Admin Approval Mode.
+- **Disabled.** Admin Approval Mode and all related UAC policy settings are disabled.
+
+**Note** If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
+
+### User Account Control: Switch to the secure desktop when prompting for elevation
+
+The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
+
+The options are:
+
+- **Enabled.** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
+- **Disabled.** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
+
+When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting. The following table describes the behavior of the elevation prompt for each of the administrator policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
+
+| Administrator policy setting | Enabled | Disabled |
+| - | - | - |
+| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
+| **Prompt for consent on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
+| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
+| **Prompt for consent** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
+| **Prompt for consent for non-Windows binaries** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
+
+When this policy setting is enabled, it overrides the **User Account Control: Behavior of the elevation prompt for standard users** policy setting. The following table describes the behavior of the elevation prompt for each of the standard user policy settings when the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is enabled or disabled.
+
+| Standard policy setting | Enabled | Disabled |
+| - | - | - |
+| **Automatically deny elevation requests** | No prompt. The request is automatically denied. | No prompt. The request is automatically denied. |
+| **Prompt for credentials on the secure desktop** | The prompt appears on the secure desktop. | The prompt appears on the secure desktop. |
+| **Prompt for credentials** | The prompt appears on the secure desktop. | The prompt appears on the interactive user's desktop. |
+
+### User Account Control: Virtualize file and registry write failures to per-user locations
+
+The **User Account Control: Virtualize file and registry write failures to per-user locations** policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.
+
+The options are:
+
+- **Enabled.** (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
+- **Disabled.** Applications that write data to protected locations fail.
+
+## Registry key settings
+
+The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**. For information about each of the registry keys, see the associated Group Policy description.
+
+| Registry key | Group Policy setting | Registry setting |
+| - | - | - |
+| FilterAdministratorToken | [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | 0 (Default) = Disabled
1 = Enabled |
+| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled
1 = Enabled |
+| ConsentPromptBehaviorAdmin | [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | 0 = Elevate without prompting
1 = Prompt for credentials on the secure desktop
2 = Prompt for consent on the secure desktop
3 = Prompt for credentials
4 = Prompt for consent
5 (Default) = Prompt for consent for non-Windows binaries
|
+| ConsentPromptBehaviorUser | [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | 0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials |
+| EnableInstallerDetection | [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | 1 = Enabled (default for home)
0 = Disabled (default for enterprise) |
+| ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled
1 = Enabled |
+| EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled
1 (Default) = Enabled |
+| EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled
1 (Default) = Enabled |
+| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control:-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled
1 (Default) = Enabled |
+| EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled
1 (Default) = Enabled |
diff --git a/windows/keep-secure/user-account-control-overview.md b/windows/keep-secure/user-account-control-overview.md
index 71d4e00483..5220e7b05d 100644
--- a/windows/keep-secure/user-account-control-overview.md
+++ b/windows/keep-secure/user-account-control-overview.md
@@ -10,57 +10,34 @@ author: brianlic-msft
# User Account Control
-
**Applies to**
-- Windows 10
+- Windows 10
+- Windows Server 2016 Technical Preview
User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
-##
-
-
UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account.
When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. This enables the user to have explicit control of apps that are making system level changes to their computer or device.
-## Practical applications
-
+## Practical applications
Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.
-## New and changed functionality
-
+## New and changed functionality
To find out what's new in UAC for Windows 10, see [User Account Control](../whats-new/user-account-control.md).
## In this section
-
-
-
-
-
-
-
-
-
-
-
-[How User Account Control works](how-user-account-control-works.md) |
-User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. |
-
-
-[User Account Control security policy settings](user-account-control-security-policy-settings.md) |
-You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. |
-
-
-
+| Topic | Description |
+| - | - |
+| [How User Account Control works](how-user-account-control-works.md) | User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. |
+| [User Account Control security policy settings](user-account-control-security-policy-settings.md) | You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. |
+| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. |
diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md
index 7422955a9c..75dfd59ad1 100644
--- a/windows/keep-secure/windows-10-enterprise-security-guides.md
+++ b/windows/keep-secure/windows-10-enterprise-security-guides.md
@@ -5,7 +5,7 @@ ms.assetid: 57134f84-bd4b-4b1d-b663-4a2d36f5a7f8
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: brianlic-msft
+author: challum
---
# Enterprise security guides
diff --git a/windows/keep-secure/windows-10-mobile-security-guide.md b/windows/keep-secure/windows-10-mobile-security-guide.md
index b8fcdfb590..7995030e49 100644
--- a/windows/keep-secure/windows-10-mobile-security-guide.md
+++ b/windows/keep-secure/windows-10-mobile-security-guide.md
@@ -6,7 +6,7 @@ keywords: ["data protection, encryption, malware resistance, smartphone, device,
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
-author: brianlic-msft
+author: AMeeus
---
# Windows 10 Mobile security guide
diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md
index ec556b3cf0..586d509b57 100644
--- a/windows/keep-secure/windows-10-security-guide.md
+++ b/windows/keep-secure/windows-10-security-guide.md
@@ -6,7 +6,7 @@ keywords: ["configure", "feature", "file encryption"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
-author: brianlic-msft
+author: challum
---
# Windows 10 security overview
@@ -345,17 +345,16 @@ Table 3 lists specific malware threats and the mitigation that Windows 10 provi
Table 3. Threats and Windows 10 mitigations
-
-
-
-
-
+
+"Man in the middle" attacks, when an attacker reroutes communications between two users through the attacker's computer without the knowledge of the two communicating users |
+Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos). |
+
Firmware bootkits replace the firmware with malware. |
All certified PCs include a UEFI with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs. |
@@ -395,6 +394,22 @@ Table 3. Threats and Windows 10 mitigations
The sections that follow describe these improvements in more detail.
+**SMB hardening improvements for SYSVOL and NETLOGON connections**
+
+In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos).
+
+- **What value does this change add?**
+This change reduces the likelihood of man-in-the-middle attacks.
+
+- **What works differently?**
+If SMB signing and mutual authentication are unavailable, a Windows 10 or Windows Server 2016 computer won’t process domain-based Group Policy and scripts.
+
+
+> **Note:** The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values.
+
+For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](http://go.microsoft.com/fwlink/p/?LinkId=789216) and [MS15-011 & MS15-014: Hardening Group Policy](http://go.microsoft.com/fwlink/p/?LinkId=789215).
+
+
**Secure hardware**
Although Windows 10 is designed to run on almost any hardware capable of running Windows 8, Windows 7, or Windows Vista, taking full advantage of Windows 10 security requires advancements in hardware-based security, including UEFI with Secure Boot, CPU virtualization features (for example, Intel VT-x), CPU memory-protection features (for example, Intel VT-d), TPM, and biometric sensors.
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index b81591ab3c..297672a7bf 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -19,7 +19,8 @@
#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
-### [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md)
+### [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md)
+### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
@@ -38,6 +39,7 @@
#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)
### [Find and acquire apps](find-and-acquire-apps-overview.md)
#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)
+#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md)
#### [Working with line-of-business apps](working-with-line-of-business-apps.md)
### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
@@ -45,8 +47,9 @@
#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
#### [Distribute offline apps](distribute-offline-apps.md)
### [Manage apps](manage-apps-windows-store-for-business-overview.md)
-#### [Manage access to private store](manage-access-to-private-store.md)
#### [App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md)
+#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md)
+#### [Manage access to private store](manage-access-to-private-store.md)
#### [Manage private store settings](manage-private-store-settings.md)
#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
### [Device Guard signing portal](device-guard-signing-portal.md)
diff --git a/windows/manage/acquire-apps-windows-store-for-business.md b/windows/manage/acquire-apps-windows-store-for-business.md
new file mode 100644
index 0000000000..8e22322f1c
--- /dev/null
+++ b/windows/manage/acquire-apps-windows-store-for-business.md
@@ -0,0 +1,51 @@
+---
+title: Acquire apps in Windows Store for Business (Windows 10)
+description: As an admin, you can acquire apps from the Windows Store for Business for your employees. Some apps are free, and some have a price. For info on app types that are supported, see Apps in the Windows Store for Business.
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+---
+
+# Acquire apps in Windows Store for Business
+As an admin, you can acquire apps from the Windows Store for Business for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md).
+
+## App licensing model
+The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
+
+For more information, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md).
+
+## Payment options
+Some apps are free, and some have a price. Apps can be purchased in the Windows Store for Business using your credit card. You can enter your credit card information on **Account Information**, or when you purchase an app. Currently, we accept these credit cards:
+- VISA
+- MasterCard
+- Discover
+- American Express
+- Japan Commercial Bureau (JCB)
+
+## Organization info
+There are a couple of things we need to know when you pay for apps. You can add this info to the **Account information** page before you buy apps. If you haven’t provided it, we’ll ask when you make a purchase. Either way works. Here’s the info you’ll need to provide:
+- Legal business address
+- Payment option (credit card)
+
+You can add payment info on **Account information**. If you don’t have one saved with your account, you’ll be prompted to provide one when you buy an app.
+
+## Acquire apps
+To acquire an app
+1. Log in to http://businessstore.microsoft.com
+2. Click Shop, or use Search to find an app.
+3. Click the app you want to purchase.
+4. On the product description page, choose your license type - either online or offline.
+5. Free apps will be added to Inventory. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**.
+6. If you don’t have a payment method saved in Account settings, Store for Business will prompt you for one.
+7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Account information**.
+
+You’ll also need to have your business address saved on **Account information**. The address is used to generate tax rates. For more information on taxes for apps, see organization tax information.
+
+Store for Business adds the app to your inventory. From **Inventory**, you can:
+- Distribute the app: add to private store, or assign licenses
+- View app licenses: review current licenses, reclaim and reassign licenses
+- View app details: review the app details page and purchase more licenses
+
+For info on distributing apps, see [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md).
+
+For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md
index 77c0e6e634..245d15cac1 100644
--- a/windows/manage/app-inventory-managemement-windows-store-for-business.md
+++ b/windows/manage/app-inventory-managemement-windows-store-for-business.md
@@ -105,11 +105,6 @@ Each app in the Store for Business has an online, or an offline license. For mor
-**Note**
-Removing apps from inventory is not currently supported.
-
-
-
The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
### Distribute apps
@@ -122,15 +117,45 @@ For online-licensed apps, there are a couple of ways to distribute apps from you
If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md).
-### Assign apps
+Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
-You can assign apps directly to people in your organization. You can assign apps to individuals, a few people, or to a group. For more information, see [Assign apps to employees](assign-apps-to-employees.md).
+**To make an app in inventory available in your private store**
-### Private store
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
+4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
-The private store is a feature in the Store for Business. Once an online-licensed app is in your inventory, you can make it available in your private store. When you add apps to the private store, all employees in your organization can view and download the app. Employees access the private store as a page in Windows Store app.
+The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
-For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
+Employees can claim apps that admins added to the private store by doing the following.
+
+**To claim an app from the private store**
+
+1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
+2. Click the private store tab.
+3. Click the app you want to install, and then click **Install**.
+
+Another way to distribute apps is by assigning them to people in your organization.
+
+If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store.
+
+**To remove an app from the private store**
+
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**.
+
+The app will still be in your inventory, but your employees will not have access to the app from your private store.
+
+**To assign an app to an employee**
+
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
+4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
+
+Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
### Manage app licenses
diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md
index 5e896b7a2f..30d0677d94 100644
--- a/windows/manage/apps-in-windows-store-for-business.md
+++ b/windows/manage/apps-in-windows-store-for-business.md
@@ -47,6 +47,13 @@ Apps in your inventory will have at least one of these supported platforms liste
Apps that you acquire from the Store for Business only work on Windows 10-based devices. Even though an app might list Windows 8 as its supported platform, that tells you what platform the app was originally written for. Apps developed for Windows 8, or Windows phone 8 will work on Windows 10.
+Some apps are free, and some apps charge a price. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
+
+Some apps which are available to consumers in the Windows Store might not be available to organizations in the Windows Store for Business. App developers can opt-out their apps, and they also need to meet eligibility requirements for Windows Store for Business. For more information, read this info on [Organizational licensing options](https://msdn.microsoft.com/en-us/windows/uwp/publish/organizational-licensing).
+
+**Note**
+We are still setting up the catalog of apps for Windows Store for Business. If you are searching for an app and it isn’t available, please check again in a couple of days.
+
Line-of-business (LOB) apps are also supported using the Store for Business. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to the Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app from Store for Business. For more information, see Working with Line-of-Business apps.
## In-app purchases
diff --git a/windows/manage/assign-apps-to-employees.md b/windows/manage/assign-apps-to-employees.md
index 0864ee8dac..c6e8393f30 100644
--- a/windows/manage/assign-apps-to-employees.md
+++ b/windows/manage/assign-apps-to-employees.md
@@ -28,7 +28,7 @@ Administrators can assign online-licensed apps to employees in their organizatio
4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
-Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**.
+Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index 18be77205f..81182141c2 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -10,140 +10,54 @@ author: jdeckerMS
# Change history for Manage and update Windows 10
-
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## May 2016
+
+| New or changed topic | Description |
+| ---|---|
+| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
+| [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) | Added section on how to turn off Live Tiles |
+| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content |
+
## April 2016
-
-
-
-
-
-
-
-| [Administrative tools in Windows 10](administrative-tools-in-windows-10.md) |
-Added screenshots of Control Panel and the administrative tools folder. |
-
-
-| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) |
-Added the font streaming section. |
-
-
-| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) |
-Made corrections to script and instructions for Shell Launcher. |
-
-
-
-
-
+| New or changed topic | Description |
+| ---|---|
+| [Administrative tools in Windows 10](administrative-tools-in-windows-10.md) | Added screenshots of Control Panel and the administrative tools folder. |
+| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added the font streaming section. |
+| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Made corrections to script and instructions for Shell Launcher. |
## March 2016
-
-
-
-
-
-
-
-
-| [Application development for Windows as a service](application-development-for-windows-as-a-service.md) |
-New |
-
-
-| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) |
-New |
-
-
-| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |
-Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. |
-
-
-
-
-
+| New or changed topic | Description |
+| ---|---|
+| [Application development for Windows as a service](application-development-for-windows-as-a-service.md) | New |
+| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | New |
+| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. |
## February 2016
-
-
-
-
-
-
-
-
-| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) |
-Added call history and email to the Settings > Privacy section.
-Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
-
-
-| [Customize and export Start layout](customize-and-export-start-layout.md) |
-Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
-
-
-| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) |
-Added instructions for replacing markup characters with escape characters in Start layout XML |
-
-
-| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) |
-New |
-
-
-| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) |
-New |
-
-
-| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) |
-Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
-
-
-
-
+| New or changed topic | Description |
+| ---|---|
+| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added call history and email to the Settings > Privacy section.
Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
+| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
+| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML |
+| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New |
+| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New |
+| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
## December 2015
-
-
-
-
-
-
-
-
-| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |
-New |
-
-
-| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |
-New |
-
-
-| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) |
- |
-
-
-
-
-
+| New or changed topic | Description |
+| ---|---|
+| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | New |
+| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | New |
+|[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New |
## November 2015
-
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) | New |
@@ -161,11 +75,8 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Updated |
| [New policies for Windows 10](new-policies-for-windows-10.md) | Updated |
-
-
## Related topics
-
[Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md)
[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
@@ -174,11 +85,4 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
-
-
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
new file mode 100644
index 0000000000..df77f2d6aa
--- /dev/null
+++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
@@ -0,0 +1,1271 @@
+---
+title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
+description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
+ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
+keywords: privacy, stop data flow to Microsoft
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+---
+
+# Configure Windows 10 devices to stop data flow to Microsoft
+
+**Applies to**
+
+- Windows 10
+
+If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md).
+
+Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
+
+If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+
+Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all.
+
+In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
+
+We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization.
+
+Here's what's covered in this article:
+
+- [Info management settings](#bkmk-othersettings)
+
+ - [1. Cortana](#bkmk-cortana)
+
+ - [1.1 Cortana Group Policies](#bkmk-cortana-gp)
+
+ - [1.2 Cortana MDM policies](#bkmk-cortana-mdm)
+
+ - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
+
+ - [2. Date & Time](#bkmk-datetime)
+
+ - [3. Device metadata retrieval](#bkmk-devinst)
+
+ - [4. Font streaming](#font-streaming)
+
+ - [5. Insider Preview builds](#bkmk-previewbuilds)
+
+ - [6. Internet Explorer](#bkmk-ie)
+
+ - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp)
+
+ - [6.2 ActiveX control blocking](#bkmk-ie-activex)
+
+ - [7. Live Tiles](#live-tiles)
+
+ - [8. Mail synchronization](#bkmk-mailsync)
+
+ - [9. Microsoft Edge](#bkmk-edge)
+
+ - [9.1 Microsoft Edge Group Policies](#bkmk-edgegp)
+
+ - [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
+
+ - [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
+
+ - [10. Network Connection Status Indicator](#bkmk-ncsi)
+
+ - [11. Offline maps](#bkmk-offlinemaps)
+
+ - [12. OneDrive](#bkmk-onedrive)
+
+ - [13. Preinstalled apps](#bkmk-preinstalledapps)
+
+ - [14. Settings > Privacy](#bkmk-settingssection)
+
+ - [14.1 General](#bkmk-priv-general)
+
+ - [14.2 Location](#bkmk-priv-location)
+
+ - [14.3 Camera](#bkmk-priv-camera)
+
+ - [14.4 Microphone](#bkmk-priv-microphone)
+
+ - [14.5 Speech, inking, & typing](#bkmk-priv-speech)
+
+ - [14.6 Account info](#bkmk-priv-accounts)
+
+ - [14.7 Contacts](#bkmk-priv-contacts)
+
+ - [14.8 Calendar](#bkmk-priv-calendar)
+
+ - [14.9 Call history](#bkmk-priv-callhistory)
+
+ - [14.10 Email](#bkmk-priv-email)
+
+ - [14.11 Messaging](#bkmk-priv-messaging)
+
+ - [14.12 Radios](#bkmk-priv-radios)
+
+ - [14.13 Other devices](#bkmk-priv-other-devices)
+
+ - [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
+
+ - [14.15 Background apps](#bkmk-priv-background)
+
+ - [15. Software Protection Platform](#bkmk-spp)
+
+ - [16. Sync your settings](#bkmk-syncsettings)
+
+ - [17. Teredo](#bkmk-teredo)
+
+ - [18. Wi-Fi Sense](#bkmk-wifisense)
+
+ - [19. Windows Defender](#bkmk-defender)
+
+ - [20. Windows Media Player](#bkmk-wmp)
+
+ - [21. Windows spotlight](#bkmk-spotlight)
+
+ - [22. Windows Store](#bkmk-windowsstore)
+
+ - [23. Windows Update Delivery Optimization](#bkmk-updates)
+
+ - [23.1 Settings > Update & security](#bkmk-wudo-ui)
+
+ - [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
+
+ - [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
+
+ - [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
+
+ - [24. Windows Update](#bkmk-wu)
+
+## What's new in Windows 10, version 1511
+
+
+Here's a list of changes that were made to this article for Windows 10, version 1511:
+
+- Added the following new sections:
+
+ - [Mail synchronization](#bkmk-mailsync)
+
+ - [Offline maps](#bkmk-offlinemaps)
+
+ - [Windows spotlight](#bkmk-spotlight)
+
+ - [Windows Store](#bkmk-windowsstore)
+
+- Added the following Group Policies:
+
+ - Open a new tab with an empty tab
+
+ - Configure corporate Home pages
+
+ - Let Windows apps access location
+
+ - Let Windows apps access the camera
+
+ - Let Windows apps access the microphone
+
+ - Let Windows apps access account information
+
+ - Let Windows apps access contacts
+
+ - Let Windows apps access the calendar
+
+ - Let Windows apps access messaging
+
+ - Let Windows apps control radios
+
+ - Let Windows apps access trusted devices
+
+ - Do not show feedback notifications
+
+ - Turn off Automatic Download and Update of Map Data
+
+ - Force a specific default lock screen image
+
+- Added the AllowLinguisticDataCollection MDM policy.
+
+- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall.
+
+- Changed the Windows Update section to apply system-wide settings, and not just per user.
+
+## Info management settings
+
+
+This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
+
+The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
+
+- [1. Cortana](#bkmk-cortana)
+
+- [2. Date & Time](#bkmk-datetime)
+
+- [3. Device metadata retrieval](#bkmk-devinst)
+
+- [4. Font streaming](#font-streaming)
+
+- [5. Insider Preview builds](#bkmk-previewbuilds)
+
+- [6. Internet Explorer](#bkmk-ie)
+
+- [7. Live Tiles](#live-tiles)
+
+- [8. Mail synchronization](#bkmk-mailsync)
+
+- [9. Microsoft Edge](#bkmk-edge)
+
+- [10. Network Connection Status Indicator](#bkmk-ncsi)
+
+- [11. Offline maps](#bkmk-offlinemaps)
+
+- [12. OneDrive](#bkmk-onedrive)
+
+- [13. Preinstalled apps](#bkmk-preinstalledapps)
+
+- [14. Settings > Privacy](#bkmk-settingssection)
+
+- [15. Software Protection Platform](#bkmk-spp)
+
+- [16. Sync your settings](#bkmk-syncsettings)
+
+- [17. Teredo](#bkmk-teredo)
+
+- [18. Wi-Fi Sense](#bkmk-wifisense)
+
+- [19. Windows Defender](#bkmk-defender)
+
+- [20. Windows Media Player](#bkmk-wmp)
+
+- [21. Windows spotlight](#bkmk-spotlight)
+
+- [22. Windows Store](#bkmk-windowsstore)
+
+- [23. Windows Update Delivery Optimization](#bkmk-updates)
+
+- [24. Windows Update](#bkmk-wu)
+
+
+See the following table for a summary of the management settings. For more info, see its corresponding section.
+
+
+
+### 1. Cortana
+
+Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683).
+
+### 1.1 Cortana Group Policies
+
+Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**.
+
+| Policy | Description |
+|------------------------------------------------------|---------------------------------------------------------------------------------------|
+| Allow Cortana | Choose whether to let Cortana install and run on the device. |
+| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. |
+| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Default: Disabled|
+| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. |
+| Set what information is shared in Search | Control what information is shared with Bing in Search. |
+
+When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
+
+1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
+
+2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
+
+3. On the **Rule Type** page, click **Program**, and then click **Next**.
+
+4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**.
+
+5. On the **Action** page, click **Block the connection**, and then click **Next**.
+
+6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**.
+
+7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.**
+
+8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**.
+
+9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
+
+ - For **Protocol type**, choose **TCP**.
+
+ - For **Local port**, choose **All Ports**.
+
+ - For **Remote port**, choose **All ports**.
+
+**Note**
+If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
+
+### 1.2 Cortana MDM policies
+
+The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. |
+| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
Default: Allowed|
+
+### 1.3 Cortana Windows Provisioning
+
+To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**.
+
+### 2. Date & Time
+
+You can prevent Windows from setting the time automatically.
+
+- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically**
+
+ -or-
+
+- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**.
+
+### 3. Device metadata retrieval
+
+To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
+
+### 4. Font streaming
+
+Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
+
+To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
+
+**Note**
+This may change in future versions of Windows.
+
+### 5. Insider Preview builds
+
+To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
+
+- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
+
+ -or-
+
+- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+
+ - **0**. Users cannot make their devices available for downloading and installing preview software.
+
+ - **1**. Users can make their devices available for downloading and installing preview software.
+
+ - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
+
+ -or-
+
+- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where:
+
+ - **0**. Users cannot make their devices available for downloading and installing preview software.
+
+ - **1**. Users can make their devices available for downloading and installing preview software.
+
+ - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
+
+### 6. Internet Explorer
+
+Use Group Policy to manage settings for Internet Explorer.
+
+### 6.1 Internet Explorer Group Policies
+
+Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.|
+| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
Default: Enabled|
+| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
+| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled |
+| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled|
+
+### 6.2 ActiveX control blocking
+
+ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
+
+For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
+
+### 7. Live Tiles
+
+To turn off Live Tiles:
+
+- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
+
+### 8. Mail synchronization
+
+To turn off mail synchronization for Microsoft Accounts that are configured on a device:
+
+- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts.
+
+ -or-
+
+- Remove any Microsoft Accounts from the Mail app.
+
+ -or-
+
+- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
+
+To turn off the Windows Mail app:
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
+
+### 9. Microsoft Edge
+
+Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
+
+### 9.1 Microsoft Edge Group Policies
+
+Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
+
+**Note**
+The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Turn off autofill | Choose whether employees can use autofill on websites.
Default: Enabled |
+| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
Default: Disabled |
+| Turn off password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
+| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
Default: Enabled |
+| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled |
+| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled |
+| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** |
+
+### 9.2 Microsoft Edge MDM policies
+
+The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Policy | Description |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
Default: Allowed |
+| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed |
+| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed |
+| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed |
+| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed |
+
+### 9.3 Microsoft Edge Windows Provisioning
+
+Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**.
+
+For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
+
+### 10. Network Connection Status Indicator
+
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
+
+You can turn off NCSI through Group Policy:
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
+
+### 11. Offline maps
+
+You can turn off the ability to download and update offline maps.
+
+- In the UI: **Settings** > **System** > **Offline maps** > **Automatically update maps**
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
+
+### 12. OneDrive
+
+To turn off OneDrive in your organization:
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
+
+### 13. Preinstalled apps
+
+Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
+
+To remove the News app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage**
+
+To remove the Weather app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage**
+
+To remove the Money app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage**
+
+To remove the Sports app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage**
+
+To remove the Twitter app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage**
+
+To remove the XBOX app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage**
+
+To remove the Sway app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage**
+
+To remove the OneNote app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage**
+
+To remove the Get Office app:
+
+- Right-click the app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage**
+
+To remove the Get Skype app:
+
+- Right-click the Sports app in Start, and then click **Uninstall**.
+
+ -or-
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
+
+### 14. Settings > Privacy
+
+Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
+
+- [14.1 General](#bkmk-general)
+
+- [14.2 Location](#bkmk-priv-location)
+
+- [14.3 Camera](#bkmk-priv-camera)
+
+- [14.4 Microphone](#bkmk-priv-microphone)
+
+- [14.5 Speech, inking, & typing](#bkmk-priv-speech)
+
+- [14.6 Account info](#bkmk-priv-accounts)
+
+- [14.7 Contacts](#bkmk-priv-contacts)
+
+- [14.8 Calendar](#bkmk-priv-calendar)
+
+- [14.9 Call history](#bkmk-priv-callhistory)
+
+- [14.10 Email](#bkmk-priv-email)
+
+- [14.11 Messaging](#bkmk-priv-messaging)
+
+- [14.12 Radios](#bkmk-priv-radios)
+
+- [14.13 Other devices](#bkmk-priv-other-devices)
+
+- [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
+
+- [14.15 Background apps](#bkmk-priv-background)
+
+### 14.1 General
+
+**General** includes options that don't fall into other areas.
+
+To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
+
+**Note**
+When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
+
+
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero).
+
+To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**.
+
+ Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
+
+ -or-
+
+- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
+
+ -or-
+
+- Create a provisioning package, using:
+
+ - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen**
+
+ - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen**
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero).
+
+To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
+
+**Note**
+If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
+
+
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+
+ - **0**. Not allowed
+
+ - **1**. Allowed (default)
+
+To turn off **Let websites provide locally relevant content by accessing my language list**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
+
+### 14.2 Location
+
+In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
+
+To turn off **Location for this device**:
+
+- Click the **Change** button in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
+
+ -or-
+
+- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Turned off and the employee can't turn it back on.
+
+ - **1**. Turned on, but lets the employee choose whether to use it. (default)
+
+ - **2**. Turned on and the employee can't turn it off.
+
+ **Note**
+ You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
+
+ -or-
+
+- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where
+
+ - **No**. Turns off location service.
+
+ - **Yes**. Turns on location service. (default)
+
+To turn off **Location**:
+
+- Turn off the feature in the UI.
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+To turn off **Location history**:
+
+- Erase the history using the **Clear** button in the UI.
+
+To turn off **Choose apps that can use your location**:
+
+- Turn off each app using the UI.
+
+### 14.3 Camera
+
+In the **Camera** area, you can choose which apps can access a device's camera.
+
+To turn off **Let apps use my camera**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Apps can't use the camera.
+
+ - **1**. Apps can use the camera.
+
+ **Note**
+ You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
+
+ -or-
+
+- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
+
+ - **0**. Apps can't use the camera.
+
+ - **1**. Apps can use the camera.
+
+To turn off **Choose apps that can use your camera**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.4 Microphone
+
+In the **Microphone** area, you can choose which apps can access a device's microphone.
+
+To turn off **Let apps use my microphone**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can use your microphone**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.5 Speech, inking, & typing
+
+In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
+
+**Note**
+For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
+
+
+
+To turn off the functionality:
+
+- Click the **Stop getting to know me** button, and then click **Turn off**.
+
+ -or-
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero).
+
+ -and-
+
+ Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
+
+### 14.6 Account info
+
+In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
+
+To turn off **Let apps access my name, picture, and other account info**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose the apps that can access your account info**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.7 Contacts
+
+In the **Contacts** area, you can choose which apps can access an employee's contacts list.
+
+To turn off **Choose apps that can access contacts**:
+
+- Turn off the feature in the UI for each app.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 14.8 Calendar
+
+In the **Calendar** area, you can choose which apps have access to an employee's calendar.
+
+To turn off **Let apps access my calendar**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can access calendar**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.9 Call history
+
+In the **Call history** area, you can choose which apps have access to an employee's call history.
+
+To turn off **Let apps access my call history**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 14.10 Email
+
+In the **Email** area, you can choose which apps have can access and send email.
+
+To turn off **Let apps access and send email**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 14.11 Messaging
+
+In the **Messaging** area, you can choose which apps can read or send messages.
+
+To turn off **Let apps read or send messages (text or MMS)**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can read or send messages**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.12 Radios
+
+In the **Radios** area, you can choose which apps can turn a device's radio on or off.
+
+To turn off **Let apps control radios**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+To turn off **Choose apps that can control radios**:
+
+- Turn off the feature in the UI for each app.
+
+### 14.13 Other devices
+
+In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
+
+To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
+
+- Turn off the feature in the UI.
+
+To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 14.14 Feedback & diagnostics
+
+In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
+
+To change how frequently **Windows should ask for my feedback**:
+
+**Note**
+Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
+
+
+
+- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
+
+ -or-
+
+- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
+
+ -or-
+
+- Create the registry keys (REG\_DWORD type):
+
+ - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
+
+ - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
+
+ Based on these settings:
+
+ | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod |
+ |---------------|-----------------------------|-----------------------------|
+ | Automatically | Delete the registry setting | Delete the registry setting |
+ | Never | 0 | 0 |
+ | Always | 100000000 | Delete the registry setting |
+ | Once a day | 864000000000 | 1 |
+ | Once a week | 6048000000000 | 1 |
+
+
+
+To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
+
+- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**.
+
+ **Note**
+ You can't use the UI to change the telemetry level to **Security**.
+
+
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry**
+
+ -or-
+
+- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Maps to the **Security** level.
+
+ - **1**. Maps to the **Basic** level.
+
+ - **2**. Maps to the **Enhanced** level.
+
+ - **3**. Maps to the **Full** level.
+
+ -or-
+
+- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where:
+
+ - **0**. Maps to the **Security** level.
+
+ - **1**. Maps to the **Basic** level.
+
+ - **2**. Maps to the **Enhanced** level.
+
+ - **3**. Maps to the **Full** level.
+
+### 14.15 Background apps
+
+In the **Background Apps** area, you can choose which apps can run in the background.
+
+To turn off **Let apps run in the background**:
+
+- Turn off the feature in the UI for each app.
+
+### 15. Software Protection Platform
+
+Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy:
+
+**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation**
+
+The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
+
+### 16. Sync your settings
+
+You can control if your settings are synchronized:
+
+- In the UI: **Settings** > **Accounts** > **Sync your settings**
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**
+
+ -or-
+
+- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
+
+ -or-
+
+- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where
+
+ - **No**. Settings are not synchronized.
+
+ - **Yes**. Settings are synchronized. (default)
+
+To turn off Messaging cloud sync:
+
+- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
+
+### 17. Teredo
+
+You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
+
+- From an elevated command prompt, run **netsh interface teredo set state disabled**
+
+### 18. Wi-Fi Sense
+
+Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
+
+To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
+
+ -or-
+
+- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero).
+
+ -or-
+
+- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909).
+
+ -or-
+
+- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910).
+
+When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
+
+### 19. Windows Defender
+
+You can opt of the Microsoft Antimalware Protection Service.
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS**
+
+ -or-
+
+- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+ -or-
+
+- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
+
+You can stop sending file samples back to Microsoft.
+
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
+
+ -or-
+
+- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Always prompt.
+
+ - **1**. (default) Send safe samples automatically.
+
+ - **2**. Never send.
+
+ - **3**. Send all samples automatically.
+
+ -or-
+
+- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
+
+You can stop downloading definition updates:
+
+- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
+
+ -and-
+
+- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+
+You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
+
+### 20. Windows Media Player
+
+To remove Windows Media Player:
+
+- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**.
+
+ -or-
+
+- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
+
+### 21. Windows spotlight
+
+Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy.
+
+- Configure the following in **Settings**:
+
+ - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**.
+
+ - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
+
+ - **System** > **Notifications & actions** > **Show me tips about Windows**.
+
+ -or-
+
+- Apply the Group Policies:
+
+ - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
+ - Add a location in the **Path to local lock screen image** box.
+
+ - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
+
+ **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**.
+
+
+
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**.
+
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
+
+For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md).
+
+### 22. Windows Store
+
+You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**.
+
+### 23. Windows Update Delivery Optimization
+
+Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
+
+By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
+
+Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
+
+### 23.1 Settings > Update & security
+
+You can set up Delivery Optimization from the **Settings** UI.
+
+- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
+
+### 23.2 Delivery Optimization Group Policies
+
+You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
+
+| Policy | Description |
+|---------------------------|-----------------------------------------------------------------------------------------------------|
+| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including None. Turns off Delivery Optimization.
Group. Gets or sends updates and apps to PCs on the same local network domain.
Internet. Gets or sends updates and apps to PCs on the Internet.
LAN. Gets or sends updates and apps to PCs on the same NAT only.
|
+| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.|
+| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).|
+| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
+| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
+
+### 23.3 Delivery Optimization MDM policies
+
+The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Policy | Description |
+|---------------------------|-----------------------------------------------------------------------------------------------------|
+| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including 0. Turns off Delivery Optimization.
1. Gets or sends updates and apps to PCs on the same NAT only.
2. Gets or sends updates and apps to PCs on the same local network domain.
3. Gets or sends updates and apps to PCs on the Internet.
|
+| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates.
** Note** This ID must be a GUID.|
+| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).|
+| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
+| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
+
+
+### 23.4 Delivery Optimization Windows Provisioning
+
+If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
+
+Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization.
+
+1. Open Windows ICD, and then click **New provisioning package**.
+
+2. In the **Name** box, type a name for the provisioning package, and then click **Next.**
+
+3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**.
+
+4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies.
+
+For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
+
+### 24. Windows Update
+
+You can turn off Windows Update by setting the following registry entries:
+
+- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+
+ -and-
+
+- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
+
+You can turn off automatic updates by doing one of the following. This is not recommended.
+
+- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
+
+ -or-
+
+- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+
+ - **0**. Notify the user before downloading the update.
+
+ - **1**. Auto install the update and then notify the user to schedule a device restart.
+
+ - **2** (default). Auto install and restart.
+
+ - **3**. Auto install and restart at a specified time.
+
+ - **4**. Auto install and restart without end-user control.
+
+ - **5**. Turn off automatic updates.
+
+To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md
new file mode 100644
index 0000000000..58de9307b7
--- /dev/null
+++ b/windows/manage/configure-windows-telemetry-in-your-organization.md
@@ -0,0 +1,295 @@
+---
+description: Use this article to make informed decisions about how you can configure telemetry in your organization.
+title: Configure Windows telemetry in your organization (Windows 10)
+keywords: privacy
+---
+
+# Configure Windows telemetry in your organization
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+- Windows Server 2016 Technical Preview
+
+Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services.
+
+**Note**
+This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server.
+
+It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers.
+
+We understand that the privacy and security of our customers’ information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016.
+
+## Overview
+
+In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using Settings > Privacy, Group Policy, or MDM.
+
+Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers.
+
+Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers.
+
+For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for youcr organization.
+
+## How is telemetry data handled by Microsoft?
+
+### Data collection
+
+Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
+
+1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
+2. Events are gathered using public operating system event logging and tracing APIs.
+3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings.
+4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft and uses certificate pinning.
+
+Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
+
+### Data transmission
+
+All telemetry data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
+
+### Endpoints
+
+The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
+
+The Connected User Experience and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com.
+
+The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information.
+
+[Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) connects to watson.telemetry.microsoft.com.
+
+[Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) connects to oca.telemetry.microsoft.com.
+
+### Data use and access
+
+Data gathered from telemetry is used by Microsoft teams primarily to improve our customer experiences, and for security, health, quality, and performance analysis. The principle of least privileged guides access to telemetry data. Only Microsoft personnel with a valid business need are permitted access to the telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the Privacy Statement. We do share business reports with OEMs and third party partners that include aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+
+### Retention
+
+Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Store purchase history.
+
+## Telemetry levels
+
+
+This section explains the different telemetry levels in Windows 10, Windows Server 2016 Technical Preview, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016 Technical Preview.
+
+The telemetry data is categorized into four levels:
+
+- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
+
+- **Basic**. Basic device info, including: quality-related data, app compat, app usage data, and data from the **Security** level.
+
+- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
+
+- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
+
+The levels are cumulative and are illustrated in the following diagram. These levels apply to all editions of Windows Server 2016 Technical Preview.
+
+
+
+### Security level
+
+The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions.
+
+**Note**
+If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
+
+Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered.
+
+
+
+The data gathered at this level includes:
+
+- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
+
+- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
+
+ **Note**
+ You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
+
+
+
+- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
+
+ **Note**
+ This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](disconnect-your-organization-from-microsoft.md#windows-defender).
+
+ Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
+
+
+
+For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
+
+No user content, such as user files or communications, is gathered at the **Security** telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
+
+### Basic level
+
+The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
+
+The data gathered at this level includes:
+
+- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Previewinstances in the ecosystem, including:
+
+ - Device attributes, such as camera resolution and display type
+
+ - Internet Explorer version
+
+ - Battery attributes, such as capacity and type
+
+ - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
+
+ - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
+
+ - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
+
+ - Operating system attributes, such as Windows edition and virtualization state
+
+ - Storage attributes, such as number of drives, type, and size
+
+- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
+
+- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
+
+- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
+
+ - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade.This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
+
+ - **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started
+
+ - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
+
+ - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
+
+ - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
+
+ - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
+
+- **Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
+
+### Enhanced level
+
+The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experiencewith the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
+
+This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
+
+The data gathered at this level includes:
+
+- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
+
+- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
+
+- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
+
+- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
+
+If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experience and Telemetry component at the **Enhanced** telemetry level will only gather data about the events associated with the specific issue.
+
+### Full level
+
+The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels.
+
+Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
+
+If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** telemetry level and have exhibited the problem.
+
+However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
+
+- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
+
+- Ability to get registry keys.
+
+- All crash dump types, including heap dumps and full dumps.
+
+### Manage your telemetry settings
+
+We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
+
+**Important**
+These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
+
+You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
+
+The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced.**
+
+### Configure the operating system telemetry level
+
+You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any devicelevel settings.
+
+Use the appropriate value in the table below when you configure the management policy.
+
+| Value | Level | Data gathered |
+|-------|----------|---------------------------------------------------------------------------------------------------------------------------|
+| **0** | Security | Security data only. |
+| **1** | Basic | Security data, and basic system and quality data. |
+| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. |
+| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. |
+
+
+
+### Use Group Policy to set the telemetry level
+
+Use a Group Policy object to set your organization’s telemetry level.
+
+1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
+
+2. Double-click **Allow Telemetry**.
+
+3. In the **Options** box, select the level that you want to configure, and then click **OK**.
+
+### Use MDM to set the telemetry level
+
+Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
+
+### Use Registry Editor to set the telemetry level
+
+Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
+
+1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
+
+2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
+
+3. Type **AllowTelemetry**, and then press ENTER.
+
+4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
+
+5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
+
+### Configure System Center 2016 telemetry
+
+For System Center 2016 Technical Preview, you can turn off System Center telemetry by following these steps:
+
+- Turn off telemetry by using the System Center UI Console settings workspace.
+
+- For information about turning off telemetry for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
+
+### Additional telemetry controls
+
+There are a few more settings that you can turn off that may send telemetry information:
+
+- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
+
+- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
+
+- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
+
+- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
+
+ **Note**
+ Microsoft do not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
+
+
+
+## Examples of how Microsoft uses the telemetry data
+
+
+### Drive higher application and driver quality in the ecosystem
+
+Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications
+
+### Reduce your total cost of ownership and downtime
+
+Telemetry provides a view of which features and services customers use most. For example, the telemetry data provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates.
+
+### Build features that address our customers’ needs
+
+Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers’ experiences and workloads. Some examples include customer usage of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft.
\ No newline at end of file
diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md
index 925e0f6684..2adc6e5005 100644
--- a/windows/manage/disconnect-your-organization-from-microsoft.md
+++ b/windows/manage/disconnect-your-organization-from-microsoft.md
@@ -1,1809 +1,4 @@
---
-title: Configure telemetry and other settings in your organization (Windows 10)
-description: Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
-ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
-ms.prod: W10
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: brianlic-msft
----
-
-# Configure telemetry and other settings in your organization
-
-
-**Applies to**
-
-- Windows 10
-
-Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
-
-If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
-
-**Note** Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. We discuss separately the network connections that Windows features and components make directly to Microsoft Services. It is used to provide a service to the user as part of Windows.
-
-
-
-Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all.
-
-In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
-
-We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization.
-
-Here's what's covered in this article:
-
-- [Info management settings](#bkmk-othersettings)
-
- - [1. Cortana](#bkmk-cortana)
-
- - [1.1 Cortana Group Policies](#bkmk-cortana-gp)
-
- - [1.2 Cortana MDM policies](#bkmk-cortana-mdm)
-
- - [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
-
- - [2. Date & Time](#bkmk-datetime)
-
- - [3. Device metadata retrieval](#bkmk-devinst)
-
- - [4. Font streaming](#font-streaming)
-
- - [5. Insider Preview builds](#bkmk-previewbuilds)
-
- - [6. Internet Explorer](#bkmk-ie)
-
- - [6.1 Internet Explorer Group Policies](#bkmk-ie-gp)
-
- - [6.2 ActiveX control blocking](#bkmk-ie-activex)
-
- - [7. Mail synchronization](#bkmk-mailsync)
-
- - [8. Microsoft Edge](#bkmk-edge)
-
- - [8.1 Microsoft Edge Group Policies](#bkmk-edgegp)
-
- - [8.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
-
- - [8.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
-
- - [9. Network Connection Status Indicator](#bkmk-ncsi)
-
- - [10. Offline maps](#bkmk-offlinemaps)
-
- - [11. OneDrive](#bkmk-onedrive)
-
- - [12. Preinstalled apps](#bkmk-preinstalledapps)
-
- - [13. Settings > Privacy](#bkmk-settingssection)
-
- - [13.1 General](#bkmk-general)
-
- - [13.2 Location](#bkmk-priv-location)
-
- - [13.3 Camera](#bkmk-priv-camera)
-
- - [13.4 Microphone](#bkmk-priv-microphone)
-
- - [13.5 Speech, inking, & typing](#bkmk-priv-speech)
-
- - [13.6 Account info](#bkmk-priv-accounts)
-
- - [13.7 Contacts](#bkmk-priv-contacts)
-
- - [13.8 Calendar](#bkmk-priv-calendar)
-
- - [13.9 Call history](#bkmk-priv-callhistory)
-
- - [13.10 Email](#bkmk-priv-email)
-
- - [13.11 Messaging](#bkmk-priv-messaging)
-
- - [13.12 Radios](#bkmk-priv-radios)
-
- - [13.13 Other devices](#bkmk-priv-other-devices)
-
- - [13.14 Feedback & diagnostics](#bkmk-priv-feedback)
-
- - [13.15 Background apps](#bkmk-priv-background)
-
- - [14. Software Protection Platform](#bkmk-spp)
-
- - [15. Sync your settings](#bkmk-syncsettings)
-
- - [16. Teredo](#bkmk-teredo)
-
- - [17. Wi-Fi Sense](#bkmk-wifisense)
-
- - [18. Windows Defender](#bkmk-defender)
-
- - [19. Windows Media Player](#bkmk-wmp)
-
- - [20. Windows spotlight](#bkmk-spotlight)
-
- - [21. Windows Store](#bkmk-windowsstore)
-
- - [22. Windows Update Delivery Optimization](#bkmk-updates)
-
- - [22.1 Settings > Update & security](#bkmk-wudo-ui)
-
- - [22.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
-
- - [22.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
-
- - [22.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
-
- - [23. Windows Update](#bkmk-wu)
-
-- [Manage your telemetry settings](#bkmk-utc)
-
-- [How telemetry works](#bkmk-moreutc)
-
-## What's new in Windows 10, version 1511
-
-
-Here's a list of changes that were made to this article for Windows 10, version 1511:
-
-- Added the following new sections:
-
- - [Mail synchronization](#bkmk-mailsync)
-
- - [Offline maps](#bkmk-offlinemaps)
-
- - [Windows spotlight](#bkmk-spotlight)
-
- - [Windows Store](#bkmk-windowsstore)
-
-- Added the following Group Policies:
-
- - Open a new tab with an empty tab
-
- - Configure corporate Home pages
-
- - Let Windows apps access location
-
- - Let Windows apps access the camera
-
- - Let Windows apps access the microphone
-
- - Let Windows apps access account information
-
- - Let Windows apps access contacts
-
- - Let Windows apps access the calendar
-
- - Let Windows apps access messaging
-
- - Let Windows apps control radios
-
- - Let Windows apps access trusted devices
-
- - Do not show feedback notifications
-
- - Turn off Automatic Download and Update of Map Data
-
- - Force a specific default lock screen image
-
-- Added the AllowLinguisticDataCollection MDM policy.
-
-- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall.
-
-- Added steps in the [Live tiles](#bkmk-livetiles) section on how to remove the Money and Sports apps.
-
-- Changed the Windows Update section to apply system-wide settings, and not just per user.
-
-## Info management settings
-
-
-This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
-
-The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
-
-- [1. Cortana](#bkmk-cortana)
-
-- [2. Date & Time](#bkmk-datetime)
-
-- [3. Device metadata retrieval](#bkmk-devinst)
-
-- [4. Font streaming](#font-streaming)
-
-- [5. Insider Preview builds](#bkmk-previewbuilds)
-
-- [6. Internet Explorer](#bkmk-ie)
-
-- [7. Mail synchronization](#bkmk-mailsync)
-
-- [8. Microsoft Edge](#bkmk-edge)
-
-- [9. Network Connection Status Indicator](#bkmk-ncsi)
-
-- [10. Offline maps](#bkmk-offlinemaps)
-
-- [11. OneDrive](#bkmk-onedrive)
-
-- [12. Preinstalled apps](#bkmk-preinstalledapps)
-
-- [13. Settings > Privacy](#bkmk-settingssection)
-
-- [14. Software Protection Platform](#bkmk-spp)
-
-- [15. Sync your settings](#bkmk-syncsettings)
-
-- [16. Teredo](#bkmk-teredo)
-
-- [17. Wi-Fi Sense](#bkmk-wifisense)
-
-- [18. Windows Defender](#bkmk-defender)
-
-- [19. Windows Media Player](#bkmk-wmp)
-
-- [20. Windows spotlight](#bkmk-spotlight)
-
-- [21. Windows Store](#bkmk-windowsstore)
-
-- [22. Windows Update](#bkmk-wu)
-
-- [23. Windows Update Delivery Optimization](#bkmk-updates)
-
-See the following table for a summary of the management settings. For more info, see its corresponding section.
-
-
-
-### 1. Cortana
-
-Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683).
-
-### 1.1 Cortana Group Policies
-
-Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**.
-
-
-
-
-
-
-
-
-
-
-
-Allow Cortana |
-Choose whether to let Cortana install and run on the device.
-Default: Enabled |
-
-
-Allow search and Cortana to use location |
-Choose whether Cortana and Search can provide location-aware search results.
-Default: Enabled |
-
-
-Do not allow web search |
-Choose whether to search the web from Windows Desktop Search.
-Default: Disabled |
-
-
-Don't search the web or display web results in Search |
-Choose whether to search the web from Cortana.
-Default: Disabled |
-
-
-Set what information is shared in Search |
-Control what information is shared with Bing in Search. |
-
-
-
-
-
-
-When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
-
-1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
-
-2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
-
-3. On the **Rule Type** page, click **Program**, and then click **Next**.
-
-4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**.
-
-5. On the **Action** page, click **Block the connection**, and then click **Next**.
-
-6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**.
-
-7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.**
-
-8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**.
-
-9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
-
- - For **Protocol type**, choose **TCP**.
-
- - For **Local port**, choose **All Ports**.
-
- - For **Remote port**, choose **All ports**.
-
-**Note**
-If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
-
-
-
-### 1.2 Cortana MDM policies
-
-The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-
-
-
-
-
-
-
-
-
-
-
-Experience/AllowCortana |
-Choose whether to let Cortana install and run on the device.
-Default: Allowed |
-
-
-Search/AllowSearchToUseLocation |
-Choose whether Cortana and Search can provide location-aware search results.
-Default: Allowed |
-
-
-
-
-
-
-### 1.3 Cortana Windows Provisioning
-
-To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**.
-
-### 2. Date & Time
-
-You can prevent Windows from setting the time automatically.
-
-- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically**
-
- -or-
-
-- Create a REG\_DWORD registry setting called **NoSync** in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters**, with a value of 1.
-
-### 3. Device metadata retrieval
-
-To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
-
-### 4. Font streaming
-
-Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
-
-To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
-
-**Note**
-This may change in future versions of Windows.
-
-
-
-### 5. Insider Preview builds
-
-To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
-
-- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
-
- -or-
-
-- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
-
- - **0**. Users cannot make their devices available for downloading and installing preview software.
-
- - **1**. Users can make their devices available for downloading and installing preview software.
-
- - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
-
- -or-
-
-- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where:
-
- - **0**. Users cannot make their devices available for downloading and installing preview software.
-
- - **1**. Users can make their devices available for downloading and installing preview software.
-
- - **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
-
-### 6. Internet Explorer
-
-Use Group Policy to manage settings for Internet Explorer.
-
-### 6.1 Internet Explorer Group Policies
-
-Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
-
-
-
-
-
-
-
-
-
-
-
-Turn on Suggested Sites |
-Choose whether an employee can configure Suggested Sites.
-Default: Enabled
-You can also turn this off in the UI by clearing the Internet Options > Advanced > Enable Suggested Sites check box. |
-
-
-Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar |
-Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
-Default: Enabled |
-
-
-Turn off the auto-complete feature for web addresses |
-Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
-Default: Disabled
-You can also turn this off in the UI by clearing the Internet Options > Advanced > Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog check box. |
-
-
-Disable Periodic Check for Internet Explorer software updates |
-Choose whether Internet Explorer periodically checks for a new version.
-Default: Enabled |
-
-
-Turn off browser geolocation |
-Choose whether websites can request location data from Internet Explorer.
-Default: Disabled |
-
-
-
-
-
-
-### 6.2 ActiveX control blocking
-
-ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
-
-For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
-
-### 7. Mail synchronization
-
-To turn off mail synchronization for Microsoft Accounts that are configured on a device:
-
-- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts.
-
- -or-
-
-- Remove any Microsoft Accounts from the Mail app.
-
- -or-
-
-- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
-
-To turn off the Windows Mail app:
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
-
-### 8. Microsoft Edge
-
-Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
-
-### 8.1 Microsoft Edge Group Policies
-
-Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
-
-**Note**
-The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Turn off autofill |
-Choose whether employees can use autofill on websites.
-Default: Enabled |
-
-
-Allow employees to send Do Not Track headers |
-Choose whether employees can send Do Not Track headers.
-Default: Disabled |
-
-
-Turn off password manager |
-Choose whether employees can save passwords locally on their devices.
-Default: Enabled |
-
-
-Turn off address bar search suggestions |
-Choose whether the address bar shows search suggestions.
-Default: Enabled |
-
-
-Turn off the SmartScreen Filter |
-Choose whether SmartScreen is turned on or off.
-Default: Enabled |
-
-
-Open a new tab with an empty tab |
-Choose whether a new tab page appears.
-Default: Enabled |
-
-
-Configure corporate Home pages |
-Choose the corporate Home page for domain-joined devices.
-Set this to about:blank |
-
-
-
-
-
-
-### 8.2 Microsoft Edge MDM policies
-
-The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-
-
-
-
-
-
-
-
-
-
-
-Browser/AllowAutoFill |
-Choose whether employees can use autofill on websites.
-Default: Allowed |
-
-
-Browser/AllowDoNotTrack |
-Choose whether employees can send Do Not Track headers.
-Default: Not allowed |
-
-
-Browser/AllowPasswordManager |
-Choose whether employees can save passwords locally on their devices.
-Default: Allowed |
-
-
-Browser/AllowSearchSuggestionsinAddressBar |
-Choose whether the address bar shows search suggestions.
-Default: Allowed |
-
-
-Browser/AllowSmartScreen |
-Choose whether SmartScreen is turned on or off.
-Default: Allowed |
-
-
-
-
-
-
-### 8.3 Microsoft Edge Windows Provisioning
-
-Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**.
-
-For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
-
-### 9. Network Connection Status Indicator
-
-Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
-
-You can turn off NCSI through Group Policy:
-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
-
-### 10. Offline maps
-
-You can turn off the ability to download and update offline maps.
-
-- In the UI: **Settings** > **System** > **Offline maps** > **Automatically update maps**
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
-
-### 11. OneDrive
-
-To turn off OneDrive in your organization:
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
-
-### 12. Preinstalled apps
-
-Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
-
-To remove the News app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage**
-
-To remove the Weather app:
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage**
-
-To remove the Money app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage**
-
-To remove the Sports app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage**
-
-To remove the Twitter app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage**
-
-To remove the XBOX app:
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage**
-
-To remove the Sway app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage**
-
-To remove the OneNote app:
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage**
-
-To remove the Get Office app:
-
-- Right-click the app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage**
-
-To remove the Get Skype app:
-
-- Right-click the Sports app in Start, and then click **Uninstall**.
-
- -or-
-
-- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-
- -and-
-
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
-
-### 13. Settings > Privacy
-
-Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
-
-- [13.1 General](#bkmk-general)
-
-- [13.2 Location](#bkmk-priv-location)
-
-- [13.3 Camera](#bkmk-priv-camera)
-
-- [13.4 Microphone](#bkmk-priv-microphone)
-
-- [13.5 Speech, inking, & typing](#bkmk-priv-speech)
-
-- [13.6 Account info](#bkmk-priv-accounts)
-
-- [13.7 Contacts](#bkmk-priv-contacts)
-
-- [13.8 Calendar](#bkmk-priv-calendar)
-
-- [13.9 Call history](#bkmk-priv-callhistory)
-
-- [13.10 Email](#bkmk-priv-email)
-
-- [13.11 Messaging](#bkmk-priv-messaging)
-
-- [13.12 Radios](#bkmk-priv-radios)
-
-- [13.13 Other devices](#bkmk-priv-other-devices)
-
-- [13.14 Feedback & diagnostics](#bkmk-priv-feedback)
-
-- [13.15 Background apps](#bkmk-priv-background)
-
-### 13.1 General
-
-**General** includes options that don't fall into other areas.
-
-To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
-
-**Note**
-When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
-
-
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
-
- -or-
-
-- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero).
-
-To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**.
-
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
-
- -or-
-
-- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
-
- -or-
-
-- Create a provisioning package, using:
-
- - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen**
-
- - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen**
-
- -or-
-
-- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero).
-
-To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
-
-**Note**
-If the telemetry level is set to either [Basic](#bkmk-utc-basic) or [Security](#bkmk-utc-security), this is turned off automatically.
-
-
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
-
- - **0**. Not allowed
-
- - **1**. Allowed (default)
-
-To turn off **Let websites provide locally relevant content by accessing my language list**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
-
-### 13.2 Location
-
-In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
-
-To turn off **Location for this device**:
-
-- Click the **Change** button in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
-
- -or-
-
-- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Turned off and the employee can't turn it back on.
-
- - **1**. Turned on, but lets the employee choose whether to use it. (default)
-
- - **2**. Turned on and the employee can't turn it off.
-
- **Note**
- You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-
-
-
- -or-
-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where
-
- - **No**. Turns off location service.
-
- - **Yes**. Turns on location service. (default)
-
-To turn off **Location**:
-
-- Turn off the feature in the UI.
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
-
- - Set the **Select a setting** box to **Force Deny**.
-
- -or-
-
-To turn off **Location history**:
-
-- Erase the history using the **Clear** button in the UI.
-
-To turn off **Choose apps that can use your location**:
-
-- Turn off each app using the UI.
-
-### 13.3 Camera
-
-In the **Camera** area, you can choose which apps can access a device's camera.
-
-To turn off **Let apps use my camera**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera**
-
- - Set the **Select a setting** box to **Force Deny**.
-
- -or-
-
-- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Apps can't use the camera.
-
- - **1**. Apps can use the camera.
-
- **Note**
- You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-
-
-
- -or-
-
-- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
-
- - **0**. Apps can't use the camera.
-
- - **1**. Apps can use the camera.
-
-To turn off **Choose apps that can use your camera**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.4 Microphone
-
-In the **Microphone** area, you can choose which apps can access a device's microphone.
-
-To turn off **Let apps use my microphone**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose apps that can use your microphone**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.5 Speech, inking, & typing
-
-In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
-
-**Note**
-For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
-
-
-
-To turn off the functionality:
-
-- Click the **Stop getting to know me** button, and then click **Turn off**.
-
- -or-
-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
-
- -or-
-
-- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero).
-
- -and-
-
- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
-
-### 13.6 Account info
-
-In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
-
-To turn off **Let apps access my name, picture, and other account info**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose the apps that can access your account info**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.7 Contacts
-
-In the **Contacts** area, you can choose which apps can access an employee's contacts list.
-
-To turn off **Choose apps that can access contacts**:
-
-- Turn off the feature in the UI for each app.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-### 13.8 Calendar
-
-In the **Calendar** area, you can choose which apps have access to an employee's calendar.
-
-To turn off **Let apps access my calendar**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose apps that can access calendar**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.9 Call history
-
-In the **Call history** area, you can choose which apps have access to an employee's call history.
-
-To turn off **Let apps access my call history**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-### 13.10 Email
-
-In the **Email** area, you can choose which apps have can access and send email.
-
-To turn off **Let apps access and send email**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-### 13.11 Messaging
-
-In the **Messaging** area, you can choose which apps can read or send messages.
-
-To turn off **Let apps read or send messages (text or MMS)**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose apps that can read or send messages**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.12 Radios
-
-In the **Radios** area, you can choose which apps can turn a device's radio on or off.
-
-To turn off **Let apps control radios**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-To turn off **Choose apps that can control radios**:
-
-- Turn off the feature in the UI for each app.
-
-### 13.13 Other devices
-
-In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
-
-To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
-
-- Turn off the feature in the UI.
-
-To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices**
-
- - Set the **Select a setting** box to **Force Deny**.
-
-### 13.14 Feedback & diagnostics
-
-In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
-
-To change how frequently **Windows should ask for my feedback**:
-
-**Note**
-Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
-
-
-
-- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
-
- -or-
-
-- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
-
- -or-
-
-- Create the registry keys (REG\_DWORD type):
-
- - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
-
- - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod
-
- Based on these settings:
-
- | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod |
- |---------------|-----------------------------|-----------------------------|
- | Automatically | Delete the registry setting | Delete the registry setting |
- | Never | 0 | 0 |
- | Always | 100000000 | Delete the registry setting |
- | Once a day | 864000000000 | 1 |
- | Once a week | 6048000000000 | 1 |
-
-
-
-To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
-
-- To change from [Enhanced](#bkmk-utc-enhanced), use the drop-down list in the UI. The other levels are **Basic** and **Full**. For more info about these levels, see [How telemetry works](#bkmk-moreutc).
-
- **Note**
- You can't use the UI to change the telemetry level to [Security](#bkmk-utc-security).
-
-
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry**
-
- -or-
-
-- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Maps to the [Security](#bkmk-utc-security) level.
-
- - **1**. Maps to the [Basic](#bkmk-utc-basic) level.
-
- - **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level.
-
- - **3**. Maps to the [Full](#bkmk-utc-full) level.
-
- -or-
-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where:
-
- - **0**. Maps to the [Security](#bkmk-utc-security) level.
-
- - **1**. Maps to the [Basic](#bkmk-utc-basic) level.
-
- - **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level.
-
- - **3**. Maps to the [Full](#bkmk-utc-full) level.
-
-### 13.15 Background apps
-
-In the **Background Apps** area, you can choose which apps can run in the background.
-
-To turn off **Let apps run in the background**:
-
-- Turn off the feature in the UI for each app.
-
-### 14. Software Protection Platform
-
-Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy:
-
-**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation**
-
-The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
-
-### 15. Sync your settings
-
-You can control if your settings are synchronized:
-
-- In the UI: **Settings** > **Accounts** > **Sync your settings**
-
- -or-
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**
-
- -or-
-
-- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
-
- -or-
-
-- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where
-
- - **No**. Settings are not synchronized.
-
- - **Yes**. Settings are synchronized. (default)
-
-To turn off Messaging cloud sync:
-
-- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
-
-### 16. Teredo
-
-You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
-
-- From an elevated command prompt, run **netsh interface teredo set state disabled**
-
-### 17. Wi-Fi Sense
-
-Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
-
-To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
-
-- Turn off the feature in the UI.
-
- -or-
-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
-
- -or-
-
-- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero).
-
- -or-
-
-- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909).
-
- -or-
-
-- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed.](http://go.microsoft.com/fwlink/p/?LinkId=620910)
-
-When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
-
-### 18. Windows Defender
-
-You can opt of the Microsoft Antimalware Protection Service.
-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS**
-
- -or-
-
-- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-
- -or-
-
-- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
-
-You can stop sending file samples back to Microsoft.
-
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
-
- -or-
-
-- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Always prompt.
-
- - **1**. (default) Send safe samples automatically.
-
- - **2**. Never send.
-
- - **3**. Send all samples automatically.
-
- -or-
-
-- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send.
-
-You can stop downloading definition updates:
-
-- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
-
- -and-
-
-- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
-
-You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
-
-### 19. Windows Media Player
-
-To remove Windows Media Player:
-
-- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**.
-
- -or-
-
-- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
-
-### 20. Windows spotlight
-
-Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy.
-
-- Configure the following in **Settings**:
-
- - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**.
-
- - **Personalization** > **Start** > **Occasionally show suggestions in Start**.
-
- - **System** > **Notifications & actions** > **Show me tips about Windows**.
-
- -or-
-
-- Apply the Group Policies:
-
- - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
- - Add a location in the **Path to local lock screen image** box.
-
- - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
-
- **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**.
-
-
-
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**.
-
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
-
-For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md).
-
-### 21. Windows Store
-
-You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**.
-
-### 22. Windows Update Delivery Optimization
-
-Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization’s PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
-
-By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
-
-Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
-
-### 22.1 Settings > Update & security
-
-You can set up Delivery Optimization from the **Settings** UI.
-
-- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
-
-### 22.2 Delivery Optimization Group Policies
-
-You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
-
-
-
-
-
-
-
-
-
-
-
-Download Mode |
-Lets you choose where Delivery Optimization gets or sends updates and apps, including
-
-None. Turns off Delivery Optimization. Group. Gets or sends updates and apps to PCs on the same local network domain. Internet. Gets or sends updates and apps to PCs on the Internet. LAN. Gets or sends updates and apps to PCs on the same NAT only. |
-
-
-Group ID |
-Lets you provide a Group ID that limits which PCs can share apps and updates.
-
- Note
- This ID must be a GUID.
-
-
- |
-
-
-Max Cache Age |
-Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
-The default value is 259200 seconds (3 days). |
-
-
-Max Cache Size |
-Lets you specify the maximum cache size as a percentage of disk size.
-The default value is 20, which represents 20% of the disk. |
-
-
-Max Upload Bandwidth |
-Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
-The default value is 0, which means unlimited possible bandwidth. |
-
-
-
-
-
-
-### 22.3 Delivery Optimization MDM policies
-
-The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
-
-
-
-
-
-
-
-
-
-
-
-DeliveryOptimization/DODownloadMode |
-Lets you configure where Delivery Optimization gets or sends updates and apps, including:
-
-0. Turns off Delivery Optimization. 1. Gets or sends updates and apps to PCs on the same NAT only. 2. Gets or sends updates and apps to PCs on the same local network domain. 3. Gets or sends updates and apps to PCs on the Internet. |
-
-
-DeliveryOptimization/DOGroupID |
-Lets you provide a Group ID that limits which PCs can share apps and updates.
-
- Note
- This ID must be a GUID.
-
-
- |
-
-
-DeliveryOptimization/DOMaxCacheAge |
-Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
-The default value is 259200 seconds (3 days). |
-
-
-DeliveryOptimization/DOMaxCacheSize |
-Lets you specify the maximum cache size as a percentage of disk size.
-The default value is 20, which represents 20% of the disk. |
-
-
-DeliveryOptimization/DOMaxUploadBandwidth |
-Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
-The default value is 0, which means unlimited possible bandwidth. |
-
-
-
-
-
-
-### 22.4 Delivery Optimization Windows Provisioning
-
-If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
-
-Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization.
-
-1. Open Windows ICD, and then click **New provisioning package**.
-
-2. In the **Name** box, type a name for the provisioning package, and then click **Next.**
-
-3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**.
-
-4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies.
-
-For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
-
-### 23. Windows Update
-
-You can turn off Windows Update by setting the following registry entries:
-
-- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
-
- -and-
-
-- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
-
-You can turn off automatic updates by doing one of the following. This is not recommended.
-
-- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
-
- -or-
-
-- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
-
- - **0**. Notify the user before downloading the update.
-
- - **1**. Auto install the update and then notify the user to schedule a device restart.
-
- - **2** (default). Auto install and restart.
-
- - **3**. Auto install and restart at a specified time.
-
- - **4**. Auto install and restart without end-user control.
-
- - **5**. Turn off automatic updates.
-
-To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
-
-## Manage your telemetry settings
-
-
-You can manage your telemetry settings using the management tools you're already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device-level settings.
-
-You can set your organization's devices to use 1 of 4 telemetry levels:
-
-- [Security](#bkmk-utc-security) (only available on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core (IoT Core) editions)
-
-- [Basic](#bkmk-utc-basic)
-
-- [Enhanced](#bkmk-utc-enhanced)
-
-- [Full](#bkmk-utc-full)
-
-For more info about these telemetry levels, see [Telemetry levels](#bkmk-telemetrylevels). In Windows 10 Enterprise, Windows 10 Education, and IoT Core, the default telemetry level is [Enhanced](#bkmk-utc-enhanced).
-
-**Important**
-These telemetry levels only apply to Windows components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. App publishers must let people know about how they use their telemetry, ways to opt in or opt out, and they must separately document their privacy policies.
-
-
-
-### Use Group Policy to set the telemetry level
-
-Use a Group Policy object to set your organization’s telemetry level.
-
-1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
-
-2. Double-click **Allow Telemetry**.
-
-3. In the **Options** box, select the level that you want to configure, and then click **OK**.
-
-### Use MDM to set the telemetry level
-
-Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy, using one of these telemetry values:
-
-- **0**. Maps to the [Security](#bkmk-utc-security) level.
-
-- **1**. Maps to the [Basic](#bkmk-utc-basic) level.
-
-- **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level.
-
-- **3**. Maps to the [Full](#bkmk-utc-full) level.
-
-### Use Windows Provisioning to set the telemetry level
-
-Use Windows Provisioning and the Windows Imaging and Configuration Designer (Windows ICD) tool - part of the [Windows Assessment and Deployment Kit (Windows ADK) toolkit](http://go.microsoft.com/fwlink/p/?LinkId=526803) - to create a provisioning package and runtime setting that sets your organization's telemetry level.
-
-After you create the provisioning package, you can email it to your employees, put it on a network share, or integrate the package directly into a custom image using Windows ICD.
-
-**To use Windows ICD to integrate your package into a custom image**
-
-1. Open Windows ICD, and then click **New provisioning package**.
-
-2. In the **Name** box, type a name for the provisioning package, and then click **Next**.
-
-3. Click **Common to all Windows editions** > **Next** > **Finish**.
-
-4. Go to **Runtime settings** > **Policies** > **System** > **AllowTelemetry** to configure the policies. You can set it to one of the following:
-
- - **Disabled \[Enterprise SKU Only\]**. Maps to the [Security](#bkmk-utc-security) level.
-
- - **Basic**. Maps to the [Basic](#bkmk-utc-basic) level.
-
- - **Full**. Maps to the [Enhanced](#bkmk-utc-enhanced) level
-
- - **Diagnostic**. Maps to the [Full](#bkmk-utc-full) level.
-
-5. After you've added all of your settings to the provisioning package, click **Export** > **Provisioning package**.
-
-6. On the **Describe the provisioning package** step, in the **Owner** box, click **IT Admin** > **Next**.
-
-7. On the **Select security details for the provisioning package** step, if you want to protect the package with a password, select the **Encrypt package** check box. If you'd like to sign the package with a certificate, select the **Sign package** check box and select the certificate to use. Click **Next**.
-
-8. On the **Select where to save the provisioning package** step, if you want to save it somewhere other than the Windows ICD project folder, choose a new location, and then click **Next**.
-
-9. On the **Build the provisioning package** step, click **Build**.
-
-### Use Registry Editor to set the telemetry level
-
-Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry.
-
-If a management policy already exists (from Group Policy, MDM, or Windows Provisioning), it will override this registry setting.
-
-1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
-
-2. Right-click **DataCollection**, click **New**, and then click **DWORD (32-bit) Value**.
-
-3. Type **AllowTelemetry**, and then press ENTER.
-
-4. Double-click **AllowTelemetry** and set the value to one of the following levels, and the click **OK**.
-
- - **0**. This setting maps to the [Security](#bkmk-utc-security) level.
-
- - **1**. This setting maps to the [Basic](#bkmk-utc-basic) level.
-
- - **2**. This setting maps to the [Enhanced](#bkmk-utc-enhanced) level
-
- - **3**. This setting maps to the [Full](#bkmk-utc-full) level.
-
-5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
-
-### Additional telemetry controls
-
-There are a few more settings that you can turn off that may send telemetry information:
-
-- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
-
-- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
-
-- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
-
-- Turn off Linguistic Data Collection in **Settings** > **Privacy**. At telemetry levels Enhanced and Full, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. For more info, see the **Get to know me** setting in the [Speech, inking, & typing](#bkmk-priv-speech) section of this article and the **Send Microsoft info about how I write to help us improve typing and writing in the future** setting in the [General](#bkmk-priv-general) section of this article.
-
- **Note**
- Microsoft doesn't intentionally gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
-
-
-
-## How telemetry works
-
-
-Windows uses telemetry information to analyze and fix software problems. It also helps Microsoft improve its software and provide updates that enhance the security and reliability of devices within your organization.
-
-### Telemetry levels
-
-This section explains the different telemetry levels in Windows 10. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the Security level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core.
-
-- **Security**. Information that's required to help keep Windows secure, including info about theConnected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core.
-
-- **Basic**. Basic device info, including: quality-related info, app compat, and info from the Security level.
-
-- **Enhanced** Additional insights, including: how Windows and Windows apps are used, how they perform, advanced reliability info, and info from both the Basic and the Security levels.
-
-- **Full**. All info necessary to identify and help to fix problems, plus info from the Security, Basic, and Enhanced levels.
-
-As a diagram:
-
-
-
-### Security level
-
-The Security level gathers only telemetry info that's required to keep Windows devices secure. This level is only available on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions.
-
-**Note**
-If your organization relies on Windows Update for updates, you shouldn't use the Security level. Because no Windows Update information is gathered at this level, Microsoft can't tell whether an update successfully installed.
-
-You can continue to use Windows Server Update Services and System Center Configuration Manager while using the Security level.
-
-
-
-Security level info includes:
-
-- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data collected by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
-
-- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
-
- **Note**
- You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users.
-
-
-
-- **Windows Defender**. Windows Defender requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. To configure this, see [Windows Defender](#bkmk-defender).
-
- **Note**
- This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off.
-
- Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates; moreover, Window Defender requires updated anti-malware signatures in order to provide security functionality.
-
-
-
-No user content, such as user files or communications, is gathered at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer's registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
-
-To set the telemetry level to Security, use a management policy (Group Policy or MDM) or by manually changing the setting in the registry. For more info, see the [Manage your telemetry settings](#bkmk-utc) section of this article.
-
-### Basic level
-
-The Basic level gathers a limited set of info that’s critical for understanding the device and its configuration. This level also includes the Security level info. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version.
-
-Basic level info includes:
-
-- **Basic device info**. Helps provide an understanding about the various types of devices in the Windows 10 ecosystem, including:
-
- - Device attributes, such as camera resolution and display type
-
- - Internet Explorer version
-
- - Battery attributes, such as capacity and type
-
- - Networking attributes, such as mobile operator network and IMEI number
-
- - Processor and memory attributes, such as number of cores, speed, and firmware
-
- - Operating system attributes, such as Windows edition and IsVirtualDevice
-
- - Storage attributes, such as number of drives and memory size
-
-- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including uploaded events, dropped events, and the last upload time.
-
-- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the amount of time a connected standby device was able to fullsleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
-
-- **App compat info**. Helps provide understanding about which apps are installed on a device and to help identify potential compatibility problems.
-
- - **General app info and app info for Internet Explorer add-ons**. Includes a list of apps and Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. This app info includes the app name, publisher, version, and basic details about which files have been blocked from usage.
-
- - **System info**. Helps provide understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as info about the processor and BIOS.
-
- - **Accessory device info**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
-
- - **Driver info**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This info can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
-
-- **Store**. Provides info about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
-
-### Enhanced level
-
-The Enhanced level gathers info about how Windows and apps are used and how they perform. This level also includes info from both the Basic and Security levels. This level helps to improve experiences by analyzing user interaction with the operating system and apps. Info from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
-
-Enhanced level info includes:
-
-- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, and other components.
-
-- **Operating system app events**. A set of events resulting from Microsoft apps that were downloaded from the Store or pre-installed with Windows, including Photos, Mail, and Microsoft Edge.
-
-- **Device-specific events**. Contains info about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
-
-If the Connected User Experience and Telemetry component detects a problem that requires gathering more detailed instrumentation, then the Connected User Experience and Telemetry component will only gather info about the events associated with the specific issue, for no more than 2 weeks. Also, if the operating system or an app crashes or hangs, Microsoft will gather the memory contents of the faulting process only at the time of the crash or hang.
-
-### Full level
-
-The Full level gathers info necessary to identify and to help fix problems, following the approval process described below. This level also includes info from the Basic, Enhanced, and Security levels.
-
-Additionally, at this level, devices opted in to the Windows Insider Program will send events that can show Microsoft how pre-release binaries and features are performing. All devices in the Windows Insider Program are automatically set to this level.
-
-If a device experiences problems that are difficult to identify or repeat using Microsoft's internal testing, additional info becomes necessary. This info can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the Full telemetry level and have exhibited the problem.
-
-However, before more info is gathered, Microsoft's privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
-
-- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
-
-- Ability to get registry keys.
-
-- Ability to gather user content, such as documents, if they might have been the trigger for the issue.
-
-### How is telemetry information handled by Microsoft?
-
-### Collection
-
-Information gathered by the Connected User Experience and Telemetry component complies with Microsoft's security and privacy policies, as well as international laws and regulations. Only those who can demonstrate a valid business need can access the telemetry info.
-
-### Data Transfer
-
-All telemetry info is encrypted during transfer from the device to the Microsoft Data Management Service. Data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as gaming achievements, are always sent immediately. Normal events are not uploaded on metered networks. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
-
-### Microsoft Data Management Service
-
-The Microsoft Data Management Service routes information to internal cloud storage, where it's compiled into business reports for analysis and research. Sensitive info is stored in a separate data store that's locked down to a small subset of Microsoft employees in the Windows Devices Group. The privacy governance team permits access only to people with a valid business justification. The Connected User Experiences and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. The Connected User Experience and Telemetry component connects to settings-win.data.microsoft.com to collect its settings.
-
-### Usage
-
-Information is used by teams within Microsoft to provide, improve, and personalize experiences, and for security, health, quality, and performance analysis.
-
-An example of personalization is to create individually tailored in-product messages.
-
-Microsoft doesn't share organization-specific customer information with third parties, except at the customer's direction or for the limited purposes described in the privacy statement. However, we do share business reports with partners that include aggregated, anonymous telemetry information. Decisions to share info are made by an internal team that includes privacy, legal, and data management professionals.
-
-### Retention
-
-Microsoft believes in and practices information minimization, so we only gather the info we need, and we only store it for as long as it's needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, particularly if there is a regulatory requirement to do so. Info is typically gathered at a fractional sampling rate, which for some client services, can be as low as 1%.
-
-
-
-
-
+title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
+redirect_url: http://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft
+---
\ No newline at end of file
diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md
index f4f70c7983..8cb184da6b 100644
--- a/windows/manage/distribute-offline-apps.md
+++ b/windows/manage/distribute-offline-apps.md
@@ -34,7 +34,7 @@ Offline-licensed apps offer an alternative to online apps, and provide additiona
You can't distribute offline-licensed apps directly from the Store for Business. Once you download the items for the offline-licensed app, you have three options for distributing the apps:
-- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft WindowsWindows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx).
+- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft WindowsWindows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
- **Windows ICD**. ICD is GUI tool that you can use to create Windows provisioning answer files, and add third-party drivers, apps, or other assets to an answer file. For more information, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx).
diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png
index 1a4aff8def..527d92d9b2 100644
Binary files a/windows/manage/images/settings-table.png and b/windows/manage/images/settings-table.png differ
diff --git a/windows/manage/images/wsfb-paid-app-temp.png b/windows/manage/images/wsfb-paid-app-temp.png
new file mode 100644
index 0000000000..89e3857d07
Binary files /dev/null and b/windows/manage/images/wsfb-paid-app-temp.png differ
diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md
index ffe9e7c732..789cf15e86 100644
--- a/windows/manage/lock-down-windows-10.md
+++ b/windows/manage/lock-down-windows-10.md
@@ -43,30 +43,36 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
-[Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) |
-Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
+[Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) |
+Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
+[Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) |
+Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
+
+
[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) |
IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. |
-
+
[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |
Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.
The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
-
+
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) |
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. |
-
+
[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) |
There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. |
-
+ ## Learn more
+
+[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
## Related topics
diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md
index 4108cd3ae2..616e800b95 100644
--- a/windows/manage/lockdown-xml.md
+++ b/windows/manage/lockdown-xml.md
@@ -538,6 +538,10 @@ After you deploy your devices, you can still configure lockdown settings through
To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as < in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device.
+## Learn more
+
+[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
+
## Related topics
diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md
index dca8bf4608..227070a768 100644
--- a/windows/manage/manage-corporate-devices.md
+++ b/windows/manage/manage-corporate-devices.md
@@ -94,6 +94,7 @@ For more information about the MDM protocols, see [Mobile device management](htt
## Learn more
+[How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627898.aspx)
[Windows 10, Azure AD and Microsoft Intune: Automatic MDM Enrollment](http://go.microsoft.com/fwlink/p/?LinkId=623321)
diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md
new file mode 100644
index 0000000000..0a364336aa
--- /dev/null
+++ b/windows/manage/manage-inventory-windows-store-for-business.md
@@ -0,0 +1,70 @@
+---
+title: Manage inventory in Windows Store for Business (Windows 10)
+description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses.
+redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/app-inventory-management-windows-store-for-business
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+---
+
+# Manage inventory in Window Store for Business
+When you acquire apps from the Windows Store for Business, we add them to the inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses.
+
+## Distribute apps
+You can assign apps to people, or you can make apps available in your private store. Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
+
+**To make an app in inventory available in your private store**
+
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
+4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
+
+The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
+
+Employees can claim apps that admins added to the private store by doing the following.
+
+**To claim an app from the private store**
+
+1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
+2. Click the private store tab.
+3. Click the app you want to install, and then click **Install**.
+
+Another way to distribute apps is by assigning them to people in your organization.
+
+**To assign an app to an employee**
+
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
+4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
+
+Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
+
+## Manage licenses
+For apps in inventory, when you assign an app to an employee, a license for the app is assigned to them. You can manage these licenses, either by assigning them, or reclaiming them so you can assign them to another employee. You can also remove an app from the private store.
+
+**To assign licenses**
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Find an app, click the ellipses under **Action**, and then choose **View license details**.
+4. Click **Assign to people**, type the name you are assigning the license to, and then click **Assign**.
+
+Store for Business assigns a license to the person, and adds them to the list of assigned licenses.
+
+**To reclaim licenses**
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Find an app, click the ellipses under **Action**, and then choose **View license details**.
+4. Click the name of the person you are reclaiming the license from, and then click **Reclaim licenses**.
+
+Store for Business reclaims the license, and updates the number of avialable licenses. After you reclaim a license, you can assign a license to another employee.
+
+**To remove an app from the private store**
+
+If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store.
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**.
+
+The app will still be in your inventory, but your employees will not have access to the app from your private store.
diff --git a/windows/manage/manage-orders-windows-store-for-business.md b/windows/manage/manage-orders-windows-store-for-business.md
new file mode 100644
index 0000000000..d698699806
--- /dev/null
+++ b/windows/manage/manage-orders-windows-store-for-business.md
@@ -0,0 +1,70 @@
+---
+title: Manage app orders in Windows Store for Business (Windows 10)
+description: You can view your order history with Windows Store for Business.
+ms.prod: W10
+ms.mktglfcycl: manage
+ms.sitesec: library
+---
+
+# Manage app orders in Windows Store for Business
+
+After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can buy more license for an app, view invoices, and request refunds.
+
+**Order history** lists orders in chronological order and shows:
+- Date ordered
+- Product name
+- Product publisher
+- Total cost
+- Order status.
+
+Click to expand an order, and the following info is available:
+- Who purchased the app
+- Order number
+- Quantity purchased
+- Cost breakdown
+- Links to view your invoice, buy more, or request a refund
+
+## Invoices
+
+Invoices for orders are available approximatley 24 hours after your purchase. The link opens a .pdf that you can save for your records.
+
+## Buy more licenses
+
+You can purchase more copies of apps that are in your order history.
+
+**To buy more licenses**
+
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Order history**.
+3. Click an order, and then click **Buy more**.
+
+You can buy more copies of the app from the product page.
+
+## Refund an order
+
+Refunds work a little differently for free apps, and apps that have a price. In both cases, you must reclaim licenses before requesting a refund.
+
+**Refunds for free apps**
+
+ For free apps, there isn't really a refund to request -- you're removing the app from your inventory. You must first reclaim any assigned licenses, and then you can remove the app from your organization's inventory.
+
+ **Refunds for apps that have a price**
+
+ There are a few requirements for apps that have a price:
+ - **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30.
+ - **Avaialble licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization.
+ - **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory.
+
+**To refund an order**
+
+Reclaim licenses, and then request a refund. If you haven't assigned licenses, start on step 5.
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Manage**, and then choose **Inventory**.
+3. Find the app you want to refund, click the ellipses under **Action**, and then choose **View license details**.
+4. Select the number of licenses you need to reclaim, and then click **Reclaim licenses**.
+5. Click **Manage**, and then choose **Order history**.
+6. Click the order you want to refund, and click **Refund order**.
+
+For free apps, the app will be removed from your inventory.
+
+For apps with a price, your payment option will be refunded with the cost of the app, and the app will be removed from your inventory.
diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/manage/set-up-a-device-for-anyone-to-use.md
index 32c891b331..cc81d0801d 100644
--- a/windows/manage/set-up-a-device-for-anyone-to-use.md
+++ b/windows/manage/set-up-a-device-for-anyone-to-use.md
@@ -74,7 +74,9 @@ A Universal Windows app is built on the Universal Windows Platform (UWP), which
-
+ ## Learn more
+
+[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index b88902b04f..55945ea84b 100644
--- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -350,7 +350,9 @@ Modify the following PowerShell script as appropriate. The comments in the sampl
$ShellLauncherClass.SetEnabled($TRUE)
- “`nEnabled is set to “ + $DefaultShellObject.IsEnabled()
+ $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
+
+ “`nEnabled is set to “ + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
diff --git a/windows/manage/settings-reference-windows-store-for-business.md b/windows/manage/settings-reference-windows-store-for-business.md
index 35d9b8a61c..b3b1cf9083 100644
--- a/windows/manage/settings-reference-windows-store-for-business.md
+++ b/windows/manage/settings-reference-windows-store-for-business.md
@@ -21,11 +21,10 @@ The Windows Store for Business has a group of settings that admins use to manage
| | |
|----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Setting | Description |
-| Account information | Provides info on these configured settings for your Store for Business account . These settings include: country or region, default domain, organization name, and language preference. You can make updates to these settings with Office 365 or Azure management portals. For more information, see [Manage settings for the Windows Store for Business](manage-settings-windows-store-for-business.md). |
+| Account information | Manage organization and payment option information. For more information, see [Manage settings for the Windows Store for Business](manage-settings-windows-store-for-business.md).Configure whether or not to make offline-licensed apps available in the Store for Business. For more information, see [Distribute offline apps](distribute-offline-apps.md).|
| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). |
| LOB publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). |
| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). |
-| Offline licensing | Configure whether or not to make offline-licensed apps available in the Store for Business. For more information, see [Distribute offline apps](distribute-offline-apps.md). |
| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md). |
| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). |
diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md
index 04f6c8e8a7..0150a4f7e4 100644
--- a/windows/manage/update-windows-store-for-business-account-settings.md
+++ b/windows/manage/update-windows-store-for-business-account-settings.md
@@ -1,7 +1,6 @@
---
title: Update Windows Store for Business account settings (Windows 10)
description: The Account information page in Windows Store for Business shows information about your organization that you can update, including country or region, organization name, default domain, and language preference.
-ms.assetid: CEFFF451-D7D2-4A35-AF28-4A72B9582585
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -16,39 +15,124 @@ author: TrudyHa
- Windows 10
- Windows 10 Mobile
-The **Account information** page in Windows Store for Business shows information about your organization that you can update, including: country or region, organization name, default domain, and language preference. These are settings in the Azure AD directory that you used when signing up for Store for Business
+The **Account information** page in Windows Store for Business allows you to manage organization information, payment options, and offline licensing settings. The organization information and payment options are required before you can acquire apps that have a price.
-If you need to change any of these settings, you can use Office 365 admin portal, or Azure admin portal.
+## Organization information
+
+We’ll need your business address, email contact, and tax-exemption certificates that apply to your country or locale.
+
+**Business address and email contact**
Before purchasing apps that have a fee, you need to add or update your organization's business address, and contact email address .
-**To make updates to Store for Business directory settings in Office 365**
+We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through the Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in the Windows Store for Business. If we don’t have an address,we’ll ask you to enter it during your first purchase.
-1. [Sign in to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=708616) with your work or school account.
+We need an email address in case we need to contact you about your Store for Business account. This email account should reach the admin for your organization’s O365 or Azure AD tenant that is used with Store for Business.
-2. Go to the [Office 365 admin center](http://go.microsoft.com/fwlink/p/?LinkId=708620).
+To update Organization information, click **Edit organization information**.
-3. Select your organization's name on the right side of the page.
+## Organization tax information ##
+Taxes for Windows Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent:
+- Austria
+- Belgium
+- Croatia
+- Czech Republic
+- Denmark
+- Finland
+- France
+- Germany
+- Greece
+- Hungary
+- Ireland
+- Italy
+- Malta
+- Netherlands
+- Norway
+- Poland
+- Portugal
+- Romania
+- Slovakia
+- South Africa
+- Spain
+- Sweden
+- Switzerland
+- United Kingdom
-4. Change the information you want to update, and then click **Save.**
+These countries can provide their VAT number or local equivalent in **Account information**. However, they can only acquire free apps.
-For more information about updating organization information, see [Change your organization's address, technical contact email, and other information](http://go.microsoft.com/fwlink/p/?LinkId=708621).
-
-**To make updates to Store for Business directory settings in Azure management portal**
-
-1. Sign in to the Azure Portal as Administrator.
-
-2. Click **Active Directory**.
-
-3. On the **Directory** tab, choose your directory
-
-4. Click the **Configure** tab.
-
-For more information about updating organization information, see [Add your own domain name in Azure AD](http://go.microsoft.com/fwlink/p/?LinkId=708622).
-
-
-
-
+|Market| Tax identifier |
+|------|----------------|
+| Brazil | CPNJ (required), CCMID (optional) |
+| India | CST ID, VAT ID |
+| Taiwan | Unified business number|
+**Tax-exempt status**
+
+If you qualify for tax-exempt status in your market, start a service request to establish tax exempt status for your organization.
+
+**To start a service request**
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+2. Click **Support**, and then under **Store or account support** click **Start a service request**.
+
+You’ll need this documentation:
+
+|Country or locale | Documentation |
+|------------------|----------------|
+| United States | Sales Tax Exemption Certificate |
+| Canada | Certificate of Exemption (or equivalent letter of authorization) |
+| Ireland | 13B/56A Tax Exemption Certificate|
+| International organizations that hold tax exaemption | Certification / letter confirmation from local tax authorities |
+**Calculating tax**
+
+Sales taxes are calculated against the unit price, and then aggregated.
+
+For example:
+(unit price X tax rate) X quantity = total sales tax
+
+-or-
+
+($1.29 X .095) X 100 = $12.25
+
+##Payment options##
+You can purchase apps from the Windows Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards:
+1. VISA
+2. MasterCard
+3. Discover
+4. American Express
+5. Japan Commercial Bureau (JCB)
+
+**Note**:
+Not all cards available in all countries. When you add a payment option, Store for Business shows which cards are available in your region.
+
+**To add a new payment option**
+
+1. Sign in to [Store for Business](http://businessstore.microsoft.com).
+2. Click **Settings**, and then click **Account information**.
+3. Under **My payment options**, tap or click **Show my payment options**, and then select the type of credit card that you want to add.
+4. Add information to any required fields, and then click **Next**.
+
+Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
+
+**Note**:
When adding credit or debit cards, you may be prompted to enter a CVV . The CVV is only used for verification purposes and is not stored in our systems after validation.
+
+**To update a payment option**:
+
+1. Sign in to [Store for Business](http://businessstore.microsoft.com).
+2. Click **Settings**, and then click **Account information**.
+3. Under My payment options > Credit Cards, select the payment option that you want to update, and then click Update.
+4. Enter any updated information in the appropriate fields, and then click Next.
+Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
+
+**Note**:
Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time or have a low balance.
+
+##Offline licensing##
+
+Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store.
+
+You have the following distribution options for offline-licensed apps:
+- Include the app in a provisioning package, and then use it as part of imaging a device.
+- Distribute the app through a management tool.
+For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-with-management-tool.md).
+
diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md
index 0e347899ad..e2155e0da8 100644
--- a/windows/manage/windows-10-mobile-and-mdm.md
+++ b/windows/manage/windows-10-mobile-and-mdm.md
@@ -1107,9 +1107,6 @@ Table 19. Microsoft Edge settings for Windows 10 Mobile
| Allow Search Suggestions in Address Bar | Whether search suggestions are shown in the address bar |
| Allow SmartScreen | Whether SmartScreen Filter is enabled |
| First Run URL | The URL to open when a user launches Microsoft Edge for the first time |
-| Include Sites Bypassing Proxy In Intranet Sites | Whether websites that bypass the proxy server are able to use the Intranet security zone |
-| Include UNC Paths In Intranet Sites | Whether URL paths can represent Universal Naming Convention (UNC) paths in the Intranet security zone |
-| Intranet Sites | A list of the websites that are in the Intranet security zone |
| Prevent Smart Screen Prompt Override For Files | Whether users can override the SmartScreen Filter warnings about downloading unverified files |
diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md
index c83721ef37..826c149308 100644
--- a/windows/manage/windows-10-start-layout-options-and-policies.md
+++ b/windows/manage/windows-10-start-layout-options-and-policies.md
@@ -52,7 +52,7 @@ The following table lists the different parts of Start and any applicable policy
-and-
Dynamically inserted app tile
MDM: Allow Windows Consumer Features
-Group Policy: Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences
+Group Policy: Computer Configuration\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences
Note
This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.
diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md
index 262e5704c5..a8a36b3268 100644
--- a/windows/manage/working-with-line-of-business-apps.md
+++ b/windows/manage/working-with-line-of-business-apps.md
@@ -41,7 +41,7 @@ What you'll have to set up:
- LOB publishers need to have an app in the Store, or have an app ready to submit to the Store.
-### Add an LOB publisher (admin)
+### Add an LOB publisher (Store for Business Admin)
For developers within your own organization, or ISVs you're working with to create LOB apps, you'll need to invite them to become a LOB publisher.
@@ -49,7 +49,8 @@ For developers within your own organization, or ISVs you're working with to crea
1. Sign in to the [Windows Store for Business]( http://go.microsoft.com/fwlink/p/?LinkId=623531).
2. Click **Settings**, and then choose **LOB publishers**.
-3. On the Line-of business publishers page, click **Add** to complete a form and send an email invitation to a developer.
+3. On the Line-of business publishers page, click **Add** to complete a form and send an email invitation to a developer.
+**Note** This needs to be the email address listed in contact info for the developer account.
### Submit apps (LOB publisher)
diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md
index 51db604bd5..a188d6d0a1 100644
--- a/windows/plan/TOC.md
+++ b/windows/plan/TOC.md
@@ -9,6 +9,7 @@
### [Integration with management solutions](integration-with-management-solutions-.md)
## [Guidance for education environments](windows-10-guidance-for-education-environments.md)
### [Chromebook migration guide](chromebook-migration-guide.md)
+### [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Windows To Go: feature overview](windows-to-go-overview.md)
### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
diff --git a/windows/plan/best-practice-recommendations-for-windows-to-go.md b/windows/plan/best-practice-recommendations-for-windows-to-go.md
index 8ab55ac121..4ef9e9177e 100644
--- a/windows/plan/best-practice-recommendations-for-windows-to-go.md
+++ b/windows/plan/best-practice-recommendations-for-windows-to-go.md
@@ -6,7 +6,7 @@ keywords: ["best practices, USB, device, boot"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: TrudyHa
+author: mtniehaus
---
# Best practice recommendations for Windows To Go
diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
index 82a16df6da..7d8965c6d6 100644
--- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md
+++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md
@@ -13,13 +13,19 @@ author: TrudyHa
This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## May 2016
+
+
+| New or changed topic | Description |
+|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
+| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | New|
+
## December 2015
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) | New |
-
## November 2015
diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md
index 87c111f100..e56979fdef 100644
--- a/windows/plan/chromebook-migration-guide.md
+++ b/windows/plan/chromebook-migration-guide.md
@@ -6,7 +6,7 @@ keywords: ["migrate", "automate", "device"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-author: TrudyHa
+author: craigash
---
# Chromebook migration guide
diff --git a/windows/plan/deploy-windows-10-in-a-school.md b/windows/plan/deploy-windows-10-in-a-school.md
new file mode 100644
index 0000000000..2c9039447a
--- /dev/null
+++ b/windows/plan/deploy-windows-10-in-a-school.md
@@ -0,0 +1,1264 @@
+---
+title: Deploy Windows 10 in a school (Windows 10)
+description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy.
+keywords: configure, tools, device, school
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pgtyp: edu
+ms.sitesec: library
+author: craigash
+---
+
+# Deploy Windows 10 in a school
+
+
+**Applies to**
+
+- Windows 10
+
+This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system.
+
+## Prepare for school deployment
+
+Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. Just as with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school.
+
+### Plan a typical school configuration
+
+As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
+
+
+
+*Figure 1. Typical school configuration for this guide*
+
+Figure 2 shows the classroom configuration this guide uses.
+
+
+
+*Figure 2. Typical classroom configuration in a school*
+
+This school configuration has the following characteristics:
+- It contains one or more admin devices.
+- It contains two or more classrooms.
+- Each classroom contains one teacher device.
+- The classrooms connect to each other through multiple subnets.
+- All devices in each classroom connect to a single subnet.
+- All devices have high-speed, persistent connections to each other and to the Internet.
+- All teachers and students have access to Windows Store or Windows Store for Business.
+- All devices receive software updates from Intune (or another device management system).
+- You install a 64-bit version of Windows 10 on the admin device.
+- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
+- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
+- You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device.
+
+ **Note** In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
+- The devices use Azure AD in Office 365 Education for identity management.
+- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/).
+- Use [Intune](http://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](http://technet.microsoft.com/en-us/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices.
+- Each device supports a one-student-per-device or multiple-students-per-device scenario.
+- The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical.
+- To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot).
+- The devices can be a mixture of different Windows 10 editions, such as Windows 10 Home, Windows 10 Pro, and Windows 10 Education.
+
+Office 365 Education allows:
+
+- Students and faculty to use Microsoft Office Online to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser.
+- Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students.
+- Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, administration, and faculty.
+- Teachers to employ Sway to create interactive educational digital storytelling.
+- Students and faculty to use email and calendars, with mailboxes up to 50 GB per user.
+- Faculty to use advanced email features like email archiving and legal hold capabilities.
+- Faculty to help prevent unauthorized users from accessing documents and email by using Azure Rights Management.
+- Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center.
+- Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business or Skype.
+- Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business.
+- Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites.
+- Students and faculty to use Office 365 Video to manage videos.
+- Students and faculty to use Yammer to collaborate through private social networking.
+- Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices).
+
+For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://products.office.com/en-us/academic).
+
+## How to configure a school
+
+Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge.
+
+The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI).
+
+You can use MDT as a stand-alone tool or integrate it with Microsoft System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments.
+
+MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps and migration of user settings on existing devices.
+
+LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section.
+
+The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
+
+The configuration process requires the following devices:
+
+- **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device.
+- **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices.
+- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them.
+
+The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3:
+
+1. Prepare the admin device for use, which includes installing the Windows ADK and MDT.
+2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school.
+3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration).
+4. On the admin device, create and configure a Windows Store for Business portal.
+5. On the admin device, prepare for management of the Windows 10 devices after deployment.
+6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
+7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration.
+
+
+
+*Figure 3. How school configuration works*
+
+Each of the steps illustrated in Figure 3 directly correspond to the remaining high-level sections in this guide.
+
+### Summary
+
+In this section, you looked at the final configuration of your individual classrooms and the school as a whole upon completion of this guide. You also learned the high-level steps you need to perform to deploy the faculty and student devices in your school.
+
+## Prepare the admin device
+
+Now, you’re ready to prepare the admin device for use in the school. This process includes installing the Windows ADK, installing the MDT, and creating the MDT deployment share.
+
+### Install the Windows ADK
+
+The first step in preparing the admin device is to install the Windows ADK. The Windows ADK contains the deployment tools that MDT uses, including the Windows Preinstallation Environment (Windows PE), the Windows User State Migration Tool (USMT), and Deployment Image Servicing and Management.
+
+When you install the Windows ADK on the admin device, select the following features:
+
+- Deployment tools
+- Windows Preinstallation Environment (Windows PE)
+- User State Migration Tool (USMT)
+
+For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#InstallWindowsADK).
+
+### Install MDT
+
+Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment and is a free tool available directly from Microsoft.
+
+You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems.
+
+**Note** If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system.
+
+For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT).
+
+Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices.
+
+### Create a deployment share
+
+MDT includes the Deployment Workbench, a graphical user interface that you can use to manage MDT deployment shares. A deployment share is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT deployment media).
+
+For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#CreateMDTDeployShare).
+
+### Summary
+
+In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process.
+
+## Create and configure Office 365
+
+Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. Teachers and students use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business.
+
+As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](http://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx).
+
+### Select the appropriate Office 365 Education license plan
+
+Complete the following steps to select the appropriate Office 365 Education license plan for your school:
+
+
+- Determine the number of faculty members and students who will use the classroom.
Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan.
+
+- Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 1 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
+
+*Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans*
+
+
+
+
+
+
+
+
+
+
+
+| Standard | - Less expensive than Office 365 ProPlus
- Can be run from any device
- No installation necessary
| - Must have an Internet connection to use it
- Does not support all the features found in Office 365 ProPlus
|
+| Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
- Supports full set of Office features
| - Requires installation
- Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online)
|
+
+
+
+
+The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
+
+- Determine whether students or faculty need Azure Rights Management.
You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management](https://technet.microsoft.com/library/jj585024.aspx).
+- Record the Office 365 Education license plans needed for the classroom in Table 2.
+
+*Table 2. Office 365 Education license plans needed for the classroom*
+
+
+
+
+
+
+
+
+
+
+ | Office 365 Education for students |
+ | Office 365 Education for faculty |
+ | Azure Rights Management for students |
+ | Azure Rights Management for faculty |
+
+
+
+You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide.
+
+### Create a new Office 365 Education subscription
+
+To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions.
+
+**Note** If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains).
+
+#### To create a new Office 365 subscription
+
+1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar.
+
+ **Note** If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following:
+ - Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**.
+ - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**.
+
+2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account.
+3. Click the hyperlink in the email in your school email account.
+4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription.
+
+### Add domains and subdomains
+
+Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains.
+
+#### To add additional domains and subdomains
+
+1. In the Office 365 admin center, in the list view, click **DOMAINS**.
+2. In the details pane, above the list of domains, on the menu bar, click **Add domain**.
+3. In the Add a New Domain in Office 365 Wizard, on the **Verify domain wizard** page, click **Let’s get started**.
+4. On the **Verify domain** wizard page, in the **Enter a domain you already own** box, type your domain name, and then click **Next**.
+5. Sign in to your domain name management provider (for example, Network Solutions or GoDaddy), and then complete the steps for your provider.
+6. Repeat these steps for each domain and subdomain you want faculty and students to use for your institution.
+
+### Configure automatic tenant join
+
+To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
+
+**Note** By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
+
+Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
+
+- If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant.
+- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it.
+
+You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365.
+
+**Note** You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
+
+All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+
+*Table 3. Windows PowerShell commands to enable or disable Automatic Tenant Join*
+
+
+| Action | Windows PowerShell command |
+|------- |----------------------------|
+| Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true`|
+| Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false`|
+
+**Note** If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant.
+
+### Disable automatic licensing
+
+To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval.
+
+**Note** By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
+
+Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+
+*Table 4. Windows PowerShell commands to enable or disable automatic licensing*
+
+| Action | Windows PowerShell command|
+| -------| --------------------------|
+| Enable |`Set-MsolCompanySettings -AllowAdHocSubscriptions $true`|
+|Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false`|
+
+### Enable Azure AD Premium
+
+When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium.
+
+Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access).
+
+The Azure AD Premium features that are not in Azure AD Basic include:
+
+- Allow designated users to manage group membership
+- Dynamic group membership based on user metadata
+- Multifactor authentication (MFA)
+- Identify cloud apps that your users run
+- Automatic enrollment in a mobile device management (MDM) system (such as Intune)
+- Self-service recovery of BitLocker
+- Add local administrator accounts to Windows 10 devices
+- Azure AD Connect health monitoring
+- Extended reporting capabilities
+
+You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users.
+
+You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process.
+
+For more information about:
+
+- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/).
+- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3).
+
+### Summary
+You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365.
+
+## Select an Office 365 user account–creation method
+
+
+Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts:
+
+- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain.
+- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain.
+
+### Method 1: Automatic synchronization between AD DS and Azure AD
+
+In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
+
+**Note** Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396).
+
+
+
+*Figure 4. Automatic synchronization between AD DS and Azure AD*
+
+For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide.
+
+### Method 2: Bulk import into Azure AD from a .csv file
+
+In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
+
+
+
+*Figure 5. Bulk import into Azure AD from other sources*
+
+To implement this method, perform the following steps:
+
+1. Export the student information from the source. Ultimately, you want to format the student information in the format the bulk-import feature requires.
+2. Bulk-import the student information into Azure AD. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section.
+
+### Summary
+
+In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts.
+
+## Integrate on-premises AD DS with Azure AD
+
+You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
+
+**Note** If your institution does not have an on-premises AD DS domain, you can skip this section.
+
+### Select synchronization model
+
+Before you deploy AD DS and Azure AD synchronization, you need to determine where you want to deploy the server that runs Azure AD Connect.
+
+You can deploy the Azure AD Connect tool by using one of the following methods:
+
+- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
+
+ 
+
+ *Figure 6. Azure AD Connect on premises*
+
+- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
+
+ 
+
+ *Figure 7. Azure AD Connect in Azure*
+
+This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/en-us/library/dn635310.aspx).
+
+### Deploy Azure AD Connect on premises
+
+In this synchronization model (illustrated in Figure 6), you run Azure AD Connect on premises on a physical device or VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD. Azure AD Connect includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution.
+
+#### To deploy AD DS and Azure AD synchronization
+
+1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/).
+2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account.
+3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect).
+4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features).
+
+Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD.
+
+### Verify synchronization
+
+Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console.
+
+#### To verify AD DS and Azure AD synchronization
+
+1. Open https://portal.office.com in your web browser.
+2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365.
+3. In the list view, expand **USERS**, and then click **Active Users**.
+4. In the details pane, view the list of users. The list of users should mirror the users in AD DS.
+5. In the list view, click **GROUPS**.
+6. In the details pane, view the list of security groups. The list of users should mirror the security groups in AD DS.
+7. In the details pane, double-click one of the security groups.
+8. The list of security group members should mirror the group membership for the corresponding security group in AD DS.
+9. Close the browser.
+
+Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium.
+
+### Summary
+
+In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly.
+
+## Bulk-import user and group accounts into AD DS
+
+You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS.
+
+**Note** If your institution doesn’t have an on-premises AD DS domain, you can skip this section.
+
+### Select the bulk import method
+
+Several methods are available to bulk-import user accounts into AD DS domains. Table 5 lists the methods that the Windows Server operating system supports natively. In addition, you can use partner solutions to bulk-import user and group accounts into AD DS.
+
+*Table 5. AD DS bulk-import account methods*
+
+|Method | Description and reason to select this method |
+|-------| ---------------------------------------------|
+|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
+|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx).|
+|Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
+
+### Create a source file that contains the user and group accounts
+
+After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods.
+
+*Table 6. Source file format for each bulk import method*
+
+| Method | Source file format |
+|--------| -------------------|
+|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
+|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).|
+| Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
+
+### Import the user accounts into AD DS
+
+With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method.
+
+**Note** Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts.
+
+For more information about how to import user accounts into AD DS by using:
+
+- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).
+- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).
+- Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).
+
+### Summary
+
+In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
+
+## Bulk-import user accounts into Office 365
+
+You can bulk-import user and group accounts directly into Office 365, reducing the time and effort required to create users. First, you bulk-import the user accounts into Office 365. Then, you create the security groups for your institution. Finally, you create the email distribution groups your institution requires.
+
+### Create user accounts in Office 365
+
+Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom.
+
+You can use the Office 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users).
+
+The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts.
+
+For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US).
+
+**Note** If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
+
+The email accounts are assigned temporary passwords upon creation. You must communicate these temporary passwords to your users before they can sign in to Office 365.
+
+### Create Office 365 security groups
+
+Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources.
+
+**Note** If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+
+For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+
+You can add and remove users from security groups at any time.
+
+**Note** Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect.
+
+### Create email distribution groups
+
+Microsoft Exchange Online uses an email distribution group as a single email recipient for multiple users. For example, you could create an email distribution group that contains all students. Then, you could send a message to the email distribution group instead of individually addressing the message to each student.
+
+You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group.
+
+**Note** Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps.
+
+For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
+
+### Summary
+
+Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium.
+
+## Assign user licenses for Azure AD Premium
+
+Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. Educational institutions can obtain Azure AD Basic licenses at no cost and Azure AD Premium licenses at a reduced cost.
+
+You can assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users.
+
+For more information about:
+
+- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/).
+- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
+
+## Create and configure a Windows Store for Business portal
+
+Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can do the following:
+
+- Find and acquire Windows Store apps.
+- Manage apps, app licenses, and updates.
+- Distribute apps to your users.
+
+For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview).
+
+The following section shows you how to create a Windows Store for Business portal and configure it for your school.
+
+### Create and configure your Windows Store for Business portal
+
+To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator.
+
+#### To create and configure a Windows Store for Business portal
+
+1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar.
+2. On the **Windows Store for Business** page, click **Sign in with an organizational account**. **Note** If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in.
+4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept**
+5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**.
+
+After you create the Windows Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal.
+
+*Table 7. Menu selections to configure Windows Store for Business settings*
+
+| Menu selection | What you can do in this menu |
+|---------------| -------------------|
+|Account information|Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).|
+|Device Guard signing|Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).|
+|LOB publishers| Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).|
+|Management tools| Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).|
+|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).|
+|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).|
+|Private store|Allows you to change the organization name used in your Windows Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).|
+
+### Find, acquire, and distribute apps in the portal
+
+Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business.
+
+**Note** Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business.
+
+You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users.
+
+For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business).
+
+### Summary
+
+At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users.
+
+## Plan for deployment
+
+You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process.
+
+### Select the operating systems
+
+Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of:
+
+- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10.
+- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10.
+
+Depending on your school’s requirements, you may need any combination of the following Windows 10 editions:
+
+- **Windows 10 Home**. Use this operating system to upgrade existing eligible institution-owned and personal devices that are running Windows 8.1 Home or Windows 7 Home to Windows 10 Home.
+- **Windows 10 Pro**. Use this operating system to:
+ - Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro.
+ - Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration.
+- **Windows 10 Education**. Use this operating system to:
+ - Upgrade institution-owned devices to Windows 10 Education.
+ - Deploy new instances of Windows 10 Education so that new devices have a known configuration.
+
+**Note** Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home.
+
+One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above.
+
+**Note** On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources.
+
+Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture.
+
+### Select an image approach
+
+A key operating system image decision is whether to use a “thin” or “thick” image. *Thin images* contain only the operating system, and MDT installs the necessary device drivers and apps after the operating system has been installed. *Thick images* contain the operating system, “core” apps (such as Office), and device drivers. With thick images, MDT installs any device drivers and apps not included in the thick image after the operating system has been installed.
+
+The advantage to a thin image is that the final deployment configuration is dynamic, and you can easily change the configuration without having to capture another image. The disadvantage of a thin image is that it takes longer to complete the deployment.
+
+The advantage of a thick image is that the deployment takes less time than it would for a thin image. The disadvantage of a thick image is that you need to capture a new image each time you want to make a change to the operating system, apps, or other software in the image.
+
+### Select a method to initiate deployment
+
+The MDT deployment process is highly automated, requiring minimal information to deploy or upgrade Windows 10, but you must manually initiate the MDT deployment process. To do so, use the method listed in Table 8 that best meets the needs of your institution.
+
+*Table 8. Methods to initiate MDT deployment*
+
+
+
+
+
+
+
+
+
+
+
+
+| Windows Deployment Services |
+This method:
+
+- Uses diskless booting to initiate MDT deployment.
+- Works only with devices that support PXE boot.
+- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
+- Deploys images more slowly than when using local media.
+- Requires that you deploy a Windows Deployment Services server.
+
+
+Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server. |
+
+
+
+| Bootable media |
+This method:
+
+- Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
+- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
+- Deploys images more slowly than when using local media.
+- Requires no additional infrastructure.
+
+
+Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. |
+
+
+
+| MDT deployment media |
+This method:
+
+- Initiates MDT deployment by booting from a local USB hard disk.
+- Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
+- Deploys images more quickly than network-based methods do.
+- Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
+
+
+Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk. |
+
+
+
+
+### Summary
+
+At the end of this section, you should know the Windows 10 editions and processor architecture that you want to deploy (and will import later in the process). You also determined whether you want to use thin or thick images. Finally, you selected the method for initiating your LTI deployment. Now, you can prepare for Windows 10 deployment.
+
+## Prepare for deployment
+
+To deploy Windows 10 to devices, using the LTI deployment method in MDT. In this section, you prepare your MDT environment and Windows Deployment Services for Windows 10 deployment.
+
+### Configure the MDT deployment share
+
+The first step in preparation for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 9 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 9.
+
+*Table 9. Tasks to configure the MDT deployment share*
+
+
+
+
+
+
+
+
+
+
+
+| 1. Import operating systems |
+Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench). |
+
+
+
+| 2. Import device drives |
+Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.
+
+Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench).
+
+ |
+
+
+
+| 3. Create MDT applications for Windows Store apps |
+Create an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.
+
+Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business.
+
+If you have Intune, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps.
+
+In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to:
+
+- Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/sideload-apps-in-windows-10).
+- Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
+
+
+
+ |
+
+
+
+| 4. Create MDT applications for Windows desktop apps
+ |
+You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
+
+To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx?f=255&MSPPError=-2147217396).
+
+If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.
+
+**Note** You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
+
+For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
+
+ |
+
+
+
+| 5. Create task sequences.
+ |
+You must create a separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64 bit versions of Windows 10. To do so, you must create task sequences that will:
+
+- Deploy Windows 10 Education 64-bit to devices.
+- Deploy Windows 10 Education 32-bit to devices.
+- Upgrade existing devices to Windows 10 Education 64-bit.
+- Upgrade existing devices to Windows 10 Education 32-bit.
+
+
+Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench).
+
+ |
+
+
+
+| 6. Update the deployment share.
+ |
+Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
+
+For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). |
+
+
+
+
+### Configure Window Deployment Services for MDT
+
+You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers.
+
+#### To configure Windows Deployment Services for MDT
+
+1. Set up and configure Windows Deployment Services. Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources:
+
+ - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx)
+ - The Windows Deployment Services Help file, included in Windows Deployment Services
+ - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx)
+
+2. Add LTI boot images (Windows PE images) to Windows Deployment Services. The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/en-us/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices).
+
+### Summary
+
+Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You have set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution.
+
+## Prepare for device management
+
+Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant.
+
+### Select the management method
+
+If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is virtually impossible as the number of devices in the school increases.
+
+For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution.
+
+*Table 10. School management methods*
+
+
+
+
+
+
+
+
+
+
+
+
+| Group Policy |
+
+Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:
+
+- Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
+- Want more granular control of device and user settings.
+- Have an existing AD DS infrastructure.
+- Typically manage on-premises devices.
+- Can manage a required setting only by using Group Policy.
+
+
+The advantages of this method include:
+
+- No cost beyond the AD DS infrastructure.
+- A larger number of settings (compared to Intune).
+
+The disadvantages of this method are:
+
+- Can only manage domain-joined (institution-owned devices).
+- Requires an AD DS infrastructure (if the institution does not have AD DS already).
+- Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess).
+
+ |
+
+
+
+| Intune |
+Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
+Select this method when you:
+
+- Want to manage institution-owned and personal devices (does not require that the device be domain joined).
+- Don’t require the level of granular control over device and user settings (compared to Group Policy).
+- Don’t have an existing AD DS infrastructure.
+- Need to manage devices regardless of where they are (on or off premises).
+- Can manage a required setting only by using Intune.
+
+
+The advantages of this method are:
+
+- You can manage institution-owned and personal devices.
+- It doesn’t require that devices be domain joined.
+- It doesn’t require any on-premises infrastructure.
+- It can manage devices regardless of their location (on or off premises).
+
+
+The disadvantages of this method are:
+
+- Carries an additional cost for subscription.
+- Doesn’t have a granular level control over device and user settings (compared to Group Policy).
+
+
+ |
+
+
+
+
+
+### Select Microsoft-recommended settings
+
+Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings.
+
+*Table 11. Recommended settings for educational institutions*
+
+
+
+
+
+
+
+
+
+
+
+
+
+| Use of Microsoft accounts |
+You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
+**Note** Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
+**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.
+**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+| Restrict local administrator accounts on the devices |
+Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).
+**Intune**. Not available.
+ |
+
+
+
+| Restrict the local administrator accounts on the devices |
+Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
+**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).
+**Intune**. Not available.
+ |
+
+
+
+| Manage the built-in administrator account created during device deployment |
+When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.
+**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx).
+**Intune**. Not available.
+ |
+
+
+
+| Control Windows Store access |
+You can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.
+**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).
+**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+| Use of Remote Desktop connections to devices |
+Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.
+**Group Policy**. You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
+**Intune**. Not available.
+ |
+
+
+
+| Use of camera |
+A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.
+**Group Policy**. Not available.
+**Intune**. You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+| Use of audio recording |
+Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
+**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx).
+**Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+| Use of screen capture |
+Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.
+**Group Policy**. Not available.
+**Intune**. You can enable or disable the camera by using the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+| Use of location services |
+Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.
+**Group Policy**. You can enable or disable location services by using the **Turn off location** Group Policy setting in User Configuration\Windows Components\Location and Sensors.
+**Intune**. You can enable or disable the camera by using the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy.
+ |
+
+
+
+| Changing wallpaper |
+Displaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices.
+**Group Policy**. You can configure the wallpaper by using the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.
+**Intune**. Not available.
+ |
+
+
+
+
+
+### Configure settings by using Group Policy
+
+Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
+
+For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/en-us/library/cc754948.aspx).
+
+#### To configure Group Policy settings
+
+1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/en-us/library/cc738830.aspx).
+2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/en-us/library/cc739902.aspx).
+3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx).
+
+### Configure settings by using Intune
+
+Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
+
+For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/en-us/intune/).
+
+#### To configure Intune settings
+
+1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune).
+2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646962.aspx).
+3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/en-us/library/dn646984.aspx).
+4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646959.aspx).
+
+### Deploy apps by using Intune
+
+You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution.
+
+For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/).
+
+### Summary
+
+In this section, you prepared your institution for device management. You determined whether you want to use Group Policy or Intune to manage your devices. You identified the configuration settings that you want to use to manage your users and devices. Finally, you configured the Group Policy and Intune settings in Group Policy and Intune, respectively.
+
+## Deploy Windows 10 to devices
+
+You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows to Windows 10.
+
+### Prepare for deployment
+
+Prior to deployment of Windows 10, ensure that you complete the tasks listed in Table 12. Most of these tasks are already complete, but use this step to make sure.
+
+*Table 12. Deployment preparation checklist*
+
+|Task | |
+| ---| --- |
+| |The target devices have sufficient system resources to run Windows 10. |
+| | Identify the necessary devices drivers, and import them to the MDT deployment share.|
+| | Create an MDT application for each Windows Store and Windows desktop app.|
+| | Notify the students and faculty about the deployment.|
+
+### Perform the deployment
+
+Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
+
+**Note** To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx).
+
+In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems.
+
+#### To deploy Windows 10
+
+1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide.
+2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Running%20the%20Deployment%20Wizard).
+
+### Set up printers
+
+After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section.
+
+**Note** If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section.
+
+#### To set up printers
+
+1. Review the printer manufacturer’s instructions for installing the printer drivers.
+2. On the admin device, download the printer drivers.
+3. Copy the printer drivers to a USB drive.
+4. On a device, use the same account you used to set up Windows 10 in the [Perform the deployment](#perform-the-deployment) section to sign in to the device.
+5. Insert the USB drive in the device.
+6. Follow the printer manufacturer’s instructions to install the printer drivers from the USB drive.
+7. Verify that the printer drivers were installed correctly by printing a test page.
+8. Complete steps 1–8 for each printer.
+
+### Verify deployment
+
+As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following:
+
+- The device can connect to the Internet and view the appropriate web content in Microsoft Edge.
+- Windows Update is active and current with software updates.
+- Windows Defender is active and current with malware signatures.
+- The SmartScreen Filter is active.
+- All Windows Store apps are properly installed and updated.
+- All Windows desktop apps are properly installed and updated.
+- Printers are properly configured.
+
+When you have verified that the first device is properly configured, you can move to the next device and perform the same steps.
+
+### Summary
+
+You prepared the devices for deployment by verifying that they have adequate system resources and that the resources in the devices have corresponding Windows 10 device drivers. You performed device deployment over the network or by using local MDT media. Next, you configured the appropriate printers on the devices. Finally, you verified that the devices are properly configured and ready for use.
+
+## Maintain Windows devices and Office 365
+
+After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule:
+
+- **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware.
+- **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students.
+- **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration.
+
+Table 13 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks.
+
+*Table 13. School and individual classroom maintenance tasks, with resources and the schedule for performing them*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Verify that Windows Update is active and current with operating system and software updates.
+For more information about completing this task when you have:
+
+- Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
+- Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
+- Windows Server Update Services (WSUS), see [Windows Server Update Services](https://msdn.microsoft.com/en-us/library/bb332157.aspx?f=255&MSPPError=-2147217396).
+- Neither Intune, Group Policy, or WSUS, see [Update Windows 10](http://windows.microsoft.com/en-id/windows-10/update-windows-10)
+
+ |
+X |
+X |
+X |
+
+
+
+Verify that Windows Defender is active and current with malware signatures.
+For more information about completing this task, see [Turn Windows Defender on or off](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab01) and [Updating Windows Defender](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03). |
+X |
+X |
+X |
+
+
+
+Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
+For more information about completing this task, see [How do I find and remove a virus?](http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus)
+ |
+X |
+X |
+X |
+
+
+
+Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
+For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing). |
+ |
+X |
+X |
+
+
+
+Refresh the operating system and apps on devices.
+For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.
+
+ |
+ |
+X |
+X |
+
+
+
+Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.
+For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
+
+ |
+ |
+X |
+X |
+
+
+
+Install new or update existing Windows Store apps that are used in the curriculum.
+Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download.
+You can also deploy Windows Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
+
+ |
+ |
+X |
+X |
+
+
+
+Remove unnecessary user accounts (and corresponding licenses) from Office 365.
+For more information about how to:
+
+- Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e?ui=en-US&rs=en-US&ad=US).
+- Unassign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
+
+
+ |
+ |
+X |
+X |
+
+
+
+Add new accounts (and corresponding licenses) to Office 365.
+For more information about how to:
+
+- Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
+- Assign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
+
+ |
+ |
+X |
+X |
+
+
+
+Create or modify security groups and manage group membership in Office 365.
+For more information about how to:
+
+- Create or modify security groups, see [View, create, and delete Groups in the Office 365 admin center](https://support.office.com/en-us/article/View-create-and-delete-groups-in-the-Office-365-admin-center-a6360120-2fc4-46af-b105-6a04dc5461c7).
+- Manage group membership, see [Manage Group membership in the Office 365 admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).
+
+
+ |
+ |
+X |
+X |
+
+
+
+Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
+For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Manage Distribution Groups](https://technet.microsoft.com/library/bb124513.aspx) and [Groups in Exchange Online and SharePoint Online](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB#__groups_in_exchange).
+
+ |
+ |
+X |
+X |
+
+
+
+Install new student devices
+Follow the same steps described in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.
+
+ |
+ |
+ |
+X |
+
+
+
+
+
+### Summary
+
+Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified.
+
+##Related resources
+
+- [Try it out: Windows 10 deployment (for educational institutions)](http://go.microsoft.com/fwlink/p/?LinkId=623254)
+- [Try it out: Windows 10 in the classroom](http://go.microsoft.com/fwlink/p/?LinkId=623255)
+- [Chromebook migration guide](http://go.microsoft.com/fwlink/p/?LinkId=623249)
+
+
diff --git a/windows/plan/deployment-considerations-for-windows-to-go.md b/windows/plan/deployment-considerations-for-windows-to-go.md
index 473ff80e7e..8d512f6395 100644
--- a/windows/plan/deployment-considerations-for-windows-to-go.md
+++ b/windows/plan/deployment-considerations-for-windows-to-go.md
@@ -6,7 +6,7 @@ keywords: ["deploy, mobile, device, USB, boot, image, workspace, driver"]
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: TrudyHa
+author: mtniehaus
---
# Deployment considerations for Windows To Go
diff --git a/windows/plan/images/deploy-win-10-school-figure1.png b/windows/plan/images/deploy-win-10-school-figure1.png
new file mode 100644
index 0000000000..66113dcce1
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure1.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure2.png b/windows/plan/images/deploy-win-10-school-figure2.png
new file mode 100644
index 0000000000..0227f8dbaa
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure2.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure3.png b/windows/plan/images/deploy-win-10-school-figure3.png
new file mode 100644
index 0000000000..1b39b5cc14
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure3.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure4.png b/windows/plan/images/deploy-win-10-school-figure4.png
new file mode 100644
index 0000000000..09552a448a
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure4.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure5.png b/windows/plan/images/deploy-win-10-school-figure5.png
new file mode 100644
index 0000000000..550386f1ce
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure5.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure6.png b/windows/plan/images/deploy-win-10-school-figure6.png
new file mode 100644
index 0000000000..09552a448a
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure6.png differ
diff --git a/windows/plan/images/deploy-win-10-school-figure7.png b/windows/plan/images/deploy-win-10-school-figure7.png
new file mode 100644
index 0000000000..8e7581007a
Binary files /dev/null and b/windows/plan/images/deploy-win-10-school-figure7.png differ
diff --git a/windows/plan/prepare-your-organization-for-windows-to-go.md b/windows/plan/prepare-your-organization-for-windows-to-go.md
index 8c14a856c0..f66acaff2b 100644
--- a/windows/plan/prepare-your-organization-for-windows-to-go.md
+++ b/windows/plan/prepare-your-organization-for-windows-to-go.md
@@ -6,7 +6,7 @@ keywords: ["mobile, device, USB, deploy"]
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: TrudyHa
+author: mtniehaus
---
# Prepare your organization for Windows To Go
diff --git a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md
index 41a1cbce6f..7343863528 100644
--- a/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md
+++ b/windows/plan/security-and-data-protection-considerations-for-windows-to-go.md
@@ -6,7 +6,7 @@ keywords: ["mobile, device, USB, secure, BitLocker"]
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: TrudyHa
+author: mtniehaus
---
# Security and data protection considerations for Windows To Go
diff --git a/windows/plan/windows-10-compatibility.md b/windows/plan/windows-10-compatibility.md
index 1f9c40a938..7823fc3961 100644
--- a/windows/plan/windows-10-compatibility.md
+++ b/windows/plan/windows-10-compatibility.md
@@ -6,7 +6,7 @@ keywords: ["deploy", "upgrade", "update", "appcompat"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-author: TrudyHa
+author: mtniehaus
---
# Windows 10 compatibility
diff --git a/windows/plan/windows-10-deployment-considerations.md b/windows/plan/windows-10-deployment-considerations.md
index 422ff1b3af..51d122fa2b 100644
--- a/windows/plan/windows-10-deployment-considerations.md
+++ b/windows/plan/windows-10-deployment-considerations.md
@@ -6,7 +6,7 @@ keywords: ["deploy", "upgrade", "update", "in-place"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-author: TrudyHa
+author: mtniehaus
---
# Windows 10 deployment considerations
diff --git a/windows/plan/windows-10-guidance-for-education-environments.md b/windows/plan/windows-10-guidance-for-education-environments.md
index 91d543470a..716217d420 100644
--- a/windows/plan/windows-10-guidance-for-education-environments.md
+++ b/windows/plan/windows-10-guidance-for-education-environments.md
@@ -5,7 +5,7 @@ ms.assetid: 225C9D6F-9329-4DDF-B447-6CE7804E314E
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-author: TrudyHa
+author: craigash
---
# Guidance for education environments
diff --git a/windows/plan/windows-10-infrastructure-requirements.md b/windows/plan/windows-10-infrastructure-requirements.md
index 0718fc8270..bfa40b1eca 100644
--- a/windows/plan/windows-10-infrastructure-requirements.md
+++ b/windows/plan/windows-10-infrastructure-requirements.md
@@ -6,7 +6,7 @@ keywords: ["deploy", "upgrade", "update", "hardware"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-author: TrudyHa
+author: mtniehaus
---
# Windows 10 infrastructure requirements
diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md
index 1ed3b55f95..0cf0cd63eb 100644
--- a/windows/plan/windows-10-servicing-options.md
+++ b/windows/plan/windows-10-servicing-options.md
@@ -6,7 +6,7 @@ keywords: ["deploy", "upgrade", "update", "servicing"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-author: TrudyHa
+author: mtniehaus
---
# Windows 10 servicing options
diff --git a/windows/plan/windows-to-go-frequently-asked-questions.md b/windows/plan/windows-to-go-frequently-asked-questions.md
index 3f8e61bb9f..0eaa4178e6 100644
--- a/windows/plan/windows-to-go-frequently-asked-questions.md
+++ b/windows/plan/windows-to-go-frequently-asked-questions.md
@@ -6,7 +6,7 @@ keywords: ["FAQ, mobile, device, USB"]
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: TrudyHa
+author: mtniehaus
---
# Windows To Go: frequently asked questions
diff --git a/windows/plan/windows-to-go-overview.md b/windows/plan/windows-to-go-overview.md
index a84b375c14..c473ab949b 100644
--- a/windows/plan/windows-to-go-overview.md
+++ b/windows/plan/windows-to-go-overview.md
@@ -6,7 +6,7 @@ keywords: ["workspace, mobile, installation, image, USB, device, image"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: TrudyHa
+author: mtniehaus
---
# Windows To Go: feature overview
diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md
index 42b4c473fa..1133a6ea3b 100644
--- a/windows/whats-new/user-account-control.md
+++ b/windows/whats-new/user-account-control.md
@@ -19,7 +19,7 @@ User Account Control (UAC) helps prevent malware from damaging a computer and he
You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
-For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](https://technet.microsoft.com/library/dd835564.aspx#BKMK_AdminApprovalMode).
+For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](../keep-secure/user-account-control-group-policy-and-registry-key-settings.md).
In Windows 10, User Account Control has added some improvements.
diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md
index 9bf1212d06..f2eea69ec7 100644
--- a/windows/whats-new/windows-store-for-business-overview.md
+++ b/windows/whats-new/windows-store-for-business-overview.md
@@ -85,7 +85,7 @@ For more information, see [Sign up for the Store for Business](../manage/sign-up
### Set up
-After your admin signs up for the Store for Business, they can assign roles to other employees in your company. These are the roles and their permissions.
+After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions.
@@ -137,7 +137,7 @@ Also, if your organization plans to use a management tool, you’ll need to conf
### Get apps and content
-Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. For now, apps in the Store for Business are free. Over time, when paid apps are available, you’ll have more options for paying for apps.
+Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
**App types** -- These app types are supported in the Store for Business:
@@ -212,96 +212,54 @@ For more information, see [Manage settings in the Store for Business](../manage/
Store for Business is currently available in these markets.
-- Argentina
-
-- Australia
-
-- Austria
-
-- Belgium (Dutch, French)
-
-- Brazil
-
-- Canada (English, French)
-
-- Chile
-
-- Columbia
-
-- Croatia
-
-- Czech Republic
-
-- Denmark
-
-- Finland
-
-- France
-
-- Germany
-
-- Greece
-
-- Hong Kong SAR
-
-- Hungary
-
-- India
-
-- Indonesia
-
-- Ireland
-
-- Italy
-
-- Japan
-
-- Malaysia
-
-- Mexico
-
-- Netherlands
-
-- New Zealand
-
-- Norway
-
-- Philippines
-
-- Poland
-
-- Portugal
-
-- Romania
-
-- Russia
-
-- Singapore
-
-- Slovakia
-
-- South Africa
-
-- Spain
-
-- Sweden
-
-- Switzerland (French, German)
-
-- Taiwan
-
-- Thailand
-
-- Turkey
-
-- Ukraine
-
-- United Kingdom
-
-- United States
-
-- Vietnam
-
+|Country or locale|Paid apps|Free apps|
+|-----------------|---------|---------|
+|Argentina|X|X|
+|Australia|X|X|
+|Austria|X|X|
+|Belgium (Dutch, French)|X|X|
+|Brazil| |X|
+|Canada (English, French)|X|X|
+|Chile|X|X|
+|Columbia|X|X|
+|Croatia|X|X|
+|Czech Republic|X|X|
+|Denmark|X|X|
+|Finland|X|X|
+|France|X|X|
+|Germany|X|X|
+|Greece|X|X|
+|Hong Kong SAR|X|X|
+|Hungary|X|X|
+|India| |X|
+|Indonesia|X|X|
+|Ireland|X|X|
+|Italy|X|X|
+|Japan|X|X|
+|Malaysia|X|X|
+|Mexico|X|X|
+|Netherlands|X|X|
+|New Zealand|X|X|
+|Norway|X|X|
+|Philippines|X|X|
+|Poland|X|X|
+|Portugal|X|X|
+|Romania|X|X|
+|Russia| |X|
+|Singapore|X|X|
+|Slovakia|X|X|
+|South Africa|X|X|
+|Spain|X|X|
+|Sweden|X|X|
+|Switzerland (French, German)|X|X|
+|Taiwan| |X|
+|Thailand|X|X|
+|Turkey|X|X|
+|Ukraine| |X|
+|United Kingdom|X|X|
+|United States|X|X|
+|Vietnam|X|X|
+
## ISVs and the Store for Business
|